EC-Council Certified Security Analyst
Methodology: Wireless Network Penetration Testing

Penetration Tester:
Organization:
Date:
Location:

Confidential
Template WNPT/13
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

WLAN Penetration Testing

Test 1: Discover the wireless networks
Target Organization:
URL:
Technique Used:
Access Points Discovered:
Data of Discovered Access Points (SSID | BSSIDs | Encryption Technique | Beacon Strength): 1. 2. 3. 4. 5. 6.
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 2: Detect hidden SSIDs
Target Organization:
URL:
SSIDs Discovered on Interface: 1. 2. 3. 4. 5.
Hidden SSIDs: 1. 2. 3. 4. 5.
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 3: Check physical security of the AP
Target Organization:
URL:
Physical Location of Authorized APs:
Physical Access to APs Is Controlled: YES / NO
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 4: Detect wireless connections
Target Organization:
URL:
Scanning Methodologies:
Wireless Connections Detected using Active Scanning: 1. 2. 3.
Wireless Connections Detected using Passive Scanning: 1. 2. 3.
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:
Test 5: Sniff the traffic between the AP and linked devices
Target Organization:
URL:
Information gathered from Sniffed Traffic: BSSID STATION PWR PWR Beacons Packets #Data Probes CH Others: HB ENC ESSID BSSID
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 6: Create ad hoc associations with the unsecured AP
Target Organization:
URL:
Ad Hoc Mode used: YES / NO
Ad Hoc Association to Unsecured AP: YES / NO
Enterprise Client Operating in Ad Hoc Mode:
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 7: Create a rogue access point, and try to create a promiscuous client
Target Organization:
URL:
Location of Rogue Access Point:
SSID Broadcast Disabled: YES / NO
AP behind Firewall: YES / NO
Promiscuous Client Creation Successful: YES / NO
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 8: Use a wireless honeypot to discover vulnerable wireless clients
Target Organization:
URL:
Discovered Vulnerable Wireless Clients: YES / NO
1. Captured any email or FTP connections: YES / NO
2. Able to Access the User’s File Shares: YES / NO
3. Captured login credentials via captive portal or spoofed DNS caching: YES / NO
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:
Test 9: Perform a Denial-of-Service Attack (De-authentication Attack)
Target Organization:
URL:
“de-authenticate” command syntax used:
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 10: Attempt rapid traffic generation
Target Organization:
URL:
Source MAC:
Destination MAC:
BSSID:
Hosts on a bridged LAN:
Hosts on a wired LAN:
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 11: Jam the signal
Target Organization:
URL:
Device used to jam the signal:
Frequency used to jam the signal:
List of access points discovered: 1. 2. 3. 4. 5.
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 12: Attempt single-packet decryption
Target Organization:
URL:
Source MAC address:
Destination MAC address:
Command syntax used:
First Pass:
Second Pass:
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 13: Perform a fragmentation attack
Target Organization:
URL:
Packets received from AP: YES / NO
Obtained 1500 bytes of PRGA: YES / NO
Injection Attacks:
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:
Test 14: Perform an ARP poisoning attack
Target Organization:
URL:
IP Address of ARP:
MAC Address of ARP:
ARP Poisoning Attack Successful: YES / NO
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 15: Try to inject the encrypted packet
Target Organization:
URL:
Auth Frame:
Auth Type:
Share Key:
BSSID:
Source MAC:
Command syntax used:
Data read from prgafile.dat:
1. BSSID:
2. Source MAC:
3. IV:
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 16: Crack static WEP keys
Target Organization:
URL:
Information gathered by Cracking Static WEP Keys:
BSSID: CIPHER: PWR: AUTH: RXQ: ESSID: Beacons: Others: #Data: CH: MB: ENC:
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 17: Crack WPA-PSK keys
Target Organization:
URL:
Command used to Monitor Traffic:
Command used to Collect Traffic Data:
Information gathered by Cracking WPA-PSK Keys:
BSSID: CIPHER: PWR: AUTH: RXQ: ESSID: Beacons: Others: #Data: CH: MB: ENC:
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 18: Crack WPA/WPA2 Enterprise Mode
Target Organization:
URL:
Man-in-the-Middle (MITM) Attack Successful: YES / NO
Captured and Recovered Login Credentials: YES / NO
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:
Test 19: Crack WPS PIN
Target Organization:
URL:
Wireless Router Susceptible to WPS PIN: YES / NO
Cracked WPS PIN: 1. 2.
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 20: Check for MAC filtering
Target Organization:
URL:
Target Access Point used MAC Filtering: YES / NO
Fake Auth Commands:
Authentication Successful: YES / NO
Association Successful: YES / NO
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 21: Spoof the MAC address
Target Organization:
URL:
Name of the SSID tested:
Spoofed MAC Address: 1. 2. 3. 4. 5.
New MAC Address and Vendor Settings:
MAC Filtering Active: YES / NO
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 22: Create a direct connection to the wireless access point
Target Organization:
URL:
DHCP Enabled:
Wireless AP: YES / NO
Laptop: YES / NO
IP Address of Wireless AP:
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 23: Attempt an MITM attack
Target Organization:
URL:
Victim IP Address:
Victim MAC Address:
MITM IP Address:
MITM MAC Address:
Interesting Packets Captured: 1. 2. 3. 4. 5.
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:
Test 24: Test for wireless driver vulnerabilities
Target Organization:
URL:
Wireless Adapter | Device Drivers | Associated Vulnerabilities
1. | 1. | 1.
2. | 2. | 2.
3. | 3. | 3.
4. | 4. | 4.
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

RFID Penetration Testing

Test 1: Perform Reverse Engineering
Target Organization:
URL:
RFID Reverse Engineering Successful: YES / NO
Information Collected: 1. 2. 3. 4.
Methods/Techniques Used: 1. 2. 3. 4.
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:

Test 2: Perform Power Analysis Attack
Target Organization:
URL:
Performed Power Analysis Attack Successfully: YES / NO
RFID Card Receives:
Correct Password Bits: YES / NO
Incorrect Password Bits: YES / NO
Devices/Tools Used: 1. 2. 3. 4.
Results Analysis:

Test 3: Perform Eavesdropping
Target Organization:
URL:
Eavesdropping the Legitimate Transmission between the RFID Tag and the Reader Successful: YES / NO
Information Obtained: 1. 2. 3.
Devices/Tools Used: 1. 2. 3. 4.
Results Analysis:

Test 4: Perform an MITM Attack
Target Organization:
URL:
Interception of the Communication between the RFID Tag and the Reader Successful: YES / NO
Data Transmitted in Clear Text: YES / NO
Information Recovered: 1. 2. 3.
Devices/Tools Used: 1. 2. 3. 4.
Results Analysis:
Test 5: Perform a DoS Attack
Target Organization:
URL:
Performed DoS Attack Successfully against:
1. RFID Tag: YES / NO
2. RFID Reader: YES / NO
3. Backend Server: YES / NO
Techniques Used:
1. Jamming: YES / NO
2. Interference: YES / NO
Devices/Tools Used: 1. 2. 3. 4.
Results Analysis:

Test 6: Perform RFID Cloning/Spoofing
Target Organization:
URL:
Captured Data from the Legitimate RFID Tag and Created a Clone of it using a New Chip Successfully: YES / NO
Overwritten Existing RFID Tag Data with the Spoofed Data (Obtained by Eavesdropping) Successfully: YES / NO
Devices/Tools Used: 1. 2. 3. 4.
Results Analysis:

Test 7: Perform an RFID Replay Attack
Target Organization:
URL:
Intercepted Communication between the RFID Reader and Tag, and Captured an RFID Signal Successfully: YES / NO
Devices/Tools Used: 1. 2. 3. 4.
Results Analysis:

Test 8: Perform a Virus Attack
Target Organization:
URL:
Injected Infective Viruses to the Memory Space of RFID Tags Successfully: YES / NO
Compromised Backend RFID Middleware Systems via an SQL Injection Attack: YES / NO
Devices/Tools Used: 1. 2. 3. 4.
Results Analysis:

NFC Penetration Testing

Test 1: Perform Eavesdropping
Target Organization:
URL:
Eavesdropping the Communication between NFC Devices Successful: YES / NO
Information Obtained: 1. 2. 3.
Devices/Tools Used: 1. 2. 3. 4.
Results Analysis:

Test 2: Perform a Data Modification Attack
Target Organization:
URL:
Interfered with the NFC Data Exchange Successfully: YES / NO
Information Obtained: 1. 2. 3.
Devices/Tools Used: 1. 2. 3. 4.
Results Analysis:

Test 3: Perform Data Corruption Attack
Target Organization:
URL:
Performed Data Corruption Attack Successfully: YES / NO
Techniques Used:
1. Jamming: YES / NO
2. Interference: YES / NO
Devices/Tools Used: 1. 2. 3. 4.
Results Analysis:

Test 4: Perform an MITM Attack
Target Organization:
URL:
Eavesdropped, Manipulated, and Transmitted the Data to the NFC Reader Successfully: YES / NO
Devices/Tools Used: 1. 2. 3. 4.
Results Analysis:

Mobile Penetration Testing

Test 1: Rooting the Android Phones
Target Organization:
URL:
Target Android Phone:
Android Phone Rooted Successfully: YES / NO
Tools Used: 1. 2. 3. 4.
Results Analysis:

Test 2: Jailbreaking iPhones
Target Organization:
URL:
Target iPhone:
iPhone Jailbroken Successfully: YES / NO
Tools Used: 1. 2. 3. 4.
Results Analysis:
Test 3: Intercept HTTP Requests Sent from Phone Browser/Applications
Target Organization:
URL:
Interception of HTTP Requests Successful: YES / NO
Information Recovered: 1. 2. 3. 4.
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:

Test 4: Intercept HTTP Requests using Proxy when Using Android Emulator
Target Organization:
URL:
Interception of HTTP Requests when using Android Emulator Successful: YES / NO
Information Recovered: 1. 2. 3. 4.
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:

Test 5: Intercept HTTP Requests using Proxy on iPhone
Target Organization:
URL:
Interception of HTTP Requests using Proxy on iPhone Successful: YES / NO
Information Recovered: 1. 2. 3. 4.
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:

Test 6: Intercept HTTP Requests using Proxy on iOS Simulator
Target Organization:
URL:
Interception of HTTP Requests using Proxy on iOS Simulator Successful: YES / NO
Information Recovered: 1. 2. 3. 4.
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:

Test 7: Intercept iOS Traffic using Burp Suite
Target Organization:
URL:
Interception of iOS traffic using Burp Suite Successful: YES / NO
Information Recovered: 1. 2. 3. 4.
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:
Test 8: Sniff the Traffic using Wireshark
Target Organization:
URL:
Sniffing Traffic Using Wireshark Successful: YES / NO
Authorization Tokens Sent in Clear Text: YES / NO
Information Recovered: 1. 2. 3. 4.
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:

Test 9: Sniff the Traffic Using FaceNiff
Target Organization:
URL:
Sniffing and intercepting web session profiles over the Wi-Fi Using FaceNiff Successful: YES / NO
Information Recovered: 1. 2. 3. 4.
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:

Test 10: Setting Up the Environment for Android Apps Penetration Testing
Target Organization:
URL:
Is Android Apps Penetration Testing performed on the same mobile phone: YES / NO
Is Android Apps Penetration Testing performed using Android Emulator: YES / NO
Installed Android Studio: YES / NO
Is Android Emulator configured and launched: YES / NO
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:

Test 11: Identify Whether Android is Rooted or Not
Target Organization:
URL:
Commands Used to Identify Whether Android is Rooted or Not: 1. 2. 3. 4.
Android is Rooted: YES / NO
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:
Test 12: Test for Application Least Privilege
Target Organization:
URL:
AndroidManifest.xml file of target application obeys Least Privilege Principle: YES / NO
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:

Test 13: Explore Installed Packages on Android Phone with Package Play
Target Organization:
URL:
Exploring Installed Packages on Android Phone with Package Play Successful: YES / NO
Installed Package Details Viewed: 1. 2. 3. 4.
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:

Test 14: Perform Intent Sniffing
Target Organization:
URL:
Sniffing Android App Intents Successful: YES / NO
Information Recovered: 1. 2. 3. 4.
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:

Test 15: Test Android App using Intent Fuzzer
Target Organization:
URL:
Testing Android App Using Intent Fuzzer Successful: YES / NO
Bugs Found | Related Consequences
1. | 1.
2. | 2.
3. | 3.
4. | 4.
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:

Test 16: Test whether Application Stores Any Sensitive Information
Target Organization:
URL:
Target Mobile Phone:
Application Insecurely Stores Any Sensitive Information: YES / NO
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:
Test 17: Test whether Log of Application Reveals Any Sensitive Information
Target Organization:
URL:
Target Mobile Phone:
Has the Application Revealed Any Sensitive Information: YES / NO
Command Used:
Command Syntax:
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:

Test 18: Try to Reverse Engineer the Android Application
Target Organization:
URL:
Reverse Engineering the Android App Successful: YES / NO
Information Collected from the Source Code: 1. 2. 3. 4.
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:

Test 19: Try to Discover the Processes Running on the Android Device
Target Organization:
URL:
Commands Used: 1. 2. 3. 4. 5.
Processes Running on the Android Device: 1. 2. 3. 4. 5.
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 20: Try to Discover the System Calls Made by Processes
Target Organization:
URL:
Commands Used: 1. 2. 3. 4. 5.
System Calls made by Processes: 1. 2. 3. 4. 5.
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 21: Check for Sensitive Data on SD card
Target Organization:
URL:
Commands Used: 1. 2. 3. 4. 5.
Information Collected from SD Card: 1. 2. 3. 4. 5.
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:
Test 22: Test whether SQLite Database Reveals any Sensitive Data
Target Organization:
URL:
Commands Used: 1. 2. 3. 4.
SQLite Database Reveals Sensitive Data on Android: YES / NO
Information Collected from SQLite Database: 1. 2. 3. 4.
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:

Test 23: Perform a DoS Attack on Android Phone
Target Organization:
URL:
DoS Attack on Android Phone Successful: YES / NO
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:

Test 24: Find and Exploit Android app Vulnerabilities using Drozer
Target Organization:
URL:
Exploiting Android App Vulnerabilities Using Drozer Successful: YES / NO
Information Collected: 1. 2. 3. 4.
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:

Test 25: Conduct Penetration Testing using Smartphone Pentest Framework
Target Organization:
URL:
Android Device Security Assessment Using Smartphone Pentest Framework Successful: YES / NO
Device is Susceptible to Attacks: 1. 2. 3. 4.
Information Collected: 1. 2. 3. 4.
Results Analysis:

Test 26: Conduct Vulnerability Scanning using zANTI
Target Organization:
URL:
Scanning Android Device for Vulnerabilities using zANTI Successful: YES / NO
Vulnerabilities Found | Device is Susceptible to Attacks | Information Exposed
1. | 1. | 1.
2. | 2. | 2.
3. | 3. | 3.
4. | 4. | 4.
Results Analysis:

Test 27: Perform Android Penetration Testing using dSploit
Target Organization:
URL:
Android Device Penetration Testing Using dSploit Successful: YES / NO
Techniques Used: 1. 2. 3. 4.
Information Collected: 1. 2. 3. 4.
Results Analysis:

Test 28: Setting Up the Environment for iOS Apps Penetration Testing
Target Organization:
URL:
Is iOS Apps Penetration Testing performed on the same mobile iPhone: YES / NO
Is Android Apps Penetration Testing performed using iOS Simulator: YES / NO
Installed Xcode app development kit: YES / NO
Is iOS Simulator configured and launched: YES / NO
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:

Test 29: Identify whether iPhone Is Jailbroken or not
Target Organization:
URL:
iPhone is Jailbroken: YES / NO
Evidence Found: 1. 2. 3. 4.
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:

Test 30: Inspect the Plist for Sensitive Information
Target Organization:
URL:
Commands Used: 1. 2. 3. 4.
Inspecting Plist File Successful: YES / NO
Information Collected: 1. 2. 3. 4.
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:

Test 31: Investigate the Keychain Data Storage
Target Organization:
URL:
Contents of the iOS Keychain: 1. 2. 3. 4. 5.
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 32: Check the iPhone Logs for Leakage of Sensitive Information (Insecure Logging)
Target Organization:
URL:
Sensitive Information Collected from iPhone Logs: 1. 2. 3. 4. 5.
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 33: Explore and Look for Sensitive Files in iOS File System
Target Organization:
URL:
Sensitive Files found in iOS File System: 1. 2. 3. 4. 5.
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 34: Inspecting SQLite Databases
Target Organization:
URL:
Commands Used: 1. 2. 3. 4.
SQLite Database Reveals Sensitive Data on iPhone: YES / NO
Information Collected from SQLite Database: 1. 2. 3. 4.
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:

Test 35: Inspect Error Application Logs
Target Organization:
URL:
Sensitive Information Collected from Error Application Logs: 1. 2. 3. 4. 5.
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 36: Inspect Device Logs
Target Organization:
URL:
Sensitive Information Collected from Device Logs: 1. 2. 3. 4. 5.
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:
Test 37: Look for Sensitive Data Cached in Snapshots
Target Organization:
URL:
Sensitive Information Collected from Snapshot Folder: 1. 2. 3. 4. 5.
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 38: Inspect Keyboard Cache
Target Organization:
URL:
Sensitive Information Collected from Keyboard Cache: 1. 2. 3. 4. 5.
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 39: Inspect cookies.binarycookies File for Leakage of Sensitive Information
Target Organization:
URL:
Sensitive Information Collected from cookies.binarycookies file: 1. 2. 3. 4. 5.
Tools/Services Used: 1. 2. 3. 4. 5.
Results Analysis:

Test 40: Check URL Schemes used by Applications
Target Organization:
URL:
Applications | URL Schemes Used | Validated Properly
1. | 1. | YES / NO
2. | 2. | YES / NO
3. | 3. | YES / NO
4. | 4. | YES / NO
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:

Test 41: Check for Broken Cryptography
Target Organization:
URL:
Broken Cryptography Vulnerability Exists: YES / NO
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:
Test 42: Try to Reverse Engineer the iOS application
Target Organization:
URL:
Reverse Engineering the iOS App Successful: YES / NO
Information Collected from the Source Code: 1. 2. 3. 4.
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:

IoT Penetration Testing

Test 1: Test an IoT Device for Insecure Web Interface
Target Organization:
URL:
Can Change the Default Login Credentials during Initial Product Setup: YES / NO
User Account is Locked after a Predefined Number of Failed Login Attempts: YES / NO
Found Valid Accounts using Password Recovery Mechanisms or New User Pages: YES / NO
Web Interface is Susceptible to XSS, CSRF, SQLi, etc.: YES / NO
Tools/Services Used: 1. 2. 3. 4.
Results Analysis:

Test 2: Test an IoT Device for Poor Authentication/Authorization
Target Organization:
URL:
Test for Poor Authentication:
Able to Login with Simple Passwords across all interfaces: YES / NO
Network Traffic Transmits Credentials in Clear Text: YES / NO
Re-authentication is Necessary for Sensitive Data: YES / NO
Device Accepts Weak Passwords or No Password: YES / NO
Interfaces allow Separation of Roles: YES / NO
Able to Perform Privilege Escalation with the Current Access Controls: YES / NO
Tools/Services Used: 1. 2. 3.
Test for Poor Authorization:
Tools/Services Used: 1. 2. 3.
Results Analysis:

Test 3: Test an IoT Device for Poor Insecure Network Services
Target Organization:
URL:
Open Ports Identified | Associated Vulnerabilities | Possible Attacks
1. | 1. | 1.
2. | 2. | 2.
3. | 3. | 3.
Open Ports if any exposed to the Internet via UPnP: YES / NO

Tools/Services Used:
1.
2.
3.
4.

Results Analysis:

Test 4: Test an IoT Device for Lack of Transport Encryption

Target Organization:
URL:

Information Associated with Network Traffic of the Device, its Mobile Application and any Cloud Connections is sent in Clear Text: YES / NO
SSL/TLS is Up-to-date and Properly Implemented: YES / NO
Encryption Protocols in Use are Recommended and Accepted: YES / NO

Tools/Services Used:
1.
2.
3.
4.

Results Analysis:

Test 5: Test an IoT Device for Privacy Concerns

Target Organization:
URL:

Nature of data collected by the device, its mobile app and any cloud interfaces (only data required for the functionality should be collected):
1.
2.
3.

Who has access to the personally identifiable information?
1.
2.
3.
4.

Tools/Services Used:
1.
2.
3.
4.

Results Analysis:

Test 6: Test an IoT Device for Insecure Cloud Interface

Target Organization:
URL:

Can Change the Default Login Credentials during Initial Product Setup: YES / NO
User Account is Locked after a Predefined Number of Failed Login Attempts: YES / NO
Found Valid Accounts using Password Recovery Mechanisms or New User Pages: YES / NO
Cloud Interface is Susceptible to XSS, CSRF, SQLi, etc.: YES / NO

Cloud Interfaces                     Associated Vulnerabilities
1. API Interfaces                    1.
                                     2.
2. Cloud-based Web Interfaces        1.
                                     2.

Tools/Services Used:
1.
2.
3.
4.

Results Analysis:

Test 7: Test an IoT Device for Insecure Mobile Interface

Target Organization:
URL:

Can Change the Default Login Credentials during Initial Product Setup: YES / NO
User Account is Locked after a Predefined Number of Failed Login Attempts: YES / NO
Found Valid Accounts using Password Recovery Mechanisms or New User Pages: YES / NO
Credentials are Exposed While Connected to Wireless Networks: YES / NO
Options for Two-factor Authentication are Available: YES / NO

Tools/Services Used:
1.
2.
3.
4.

Results Analysis:

Test 8: Test an IoT Device for Insufficient Security Configurability

Target Organization:
URL:

Administrative Interface of the Device has:
Options to strengthen security (e.g. creating strong passwords): YES / NO
Ability to separate admin users from normal users: YES / NO
Options to encrypt data: YES / NO
Options to enable secure logging of various security events: YES / NO
Options to enable alerts and notifications to the end user for security events: YES / NO

Tools/Services Used:
1.
2.
3.
4.

Results Analysis:

Test 9: Test an IoT Device for Insecure Software/Firmware

Target Organization:
URL:

Update File Exposes Sensitive Data in Clear Text on using a Hex Edit tool: YES / NO
Production File is Properly Encrypted using Renowned Algorithms and is Signed: YES / NO
Cloud Update Server has Up-to-date and Properly Configured Transport Encryption Methods, and that the Server Itself is not at Risk: YES / NO
Device ensures Proper Validation of Signed Update Files: YES / NO

Tools/Services Used:
1.
2.
3.
4.

Results Analysis:

Test 10: Test an IoT Device for Poor Physical Security

Target Organization:
URL:

Can Disassemble the Device and Gain Access to the Data Storage Mediums or Remove Them: YES / NO
Can Access the Data on Device via External Ports such as USB: YES / NO
All the Available Physical External Ports are Required for Proper Device Function: YES / NO
Can Deactivate External Ports from the Administrative Interface of the Device: YES / NO
Can Limit Administrative Capabilities to Local Access only from the Administrative Interface of the Device: YES / NO

Tools/Services Used:
1.
2.
3.
4.

Results Analysis: