Wireless Infrastructure Penetration Testing

Immunity SILICA

Product Overview

A world-leading commercial wireless security assessment tool (SAT) for penetration testing and hostile attack simulations targeting wireless infrastructure.


Wireless Penetration Testing Tool

Immunity SILICA is a wireless security vulnerability assessment and penetration testing tool. It is purpose-built so that wireless penetration testers can focus on the engagement itself: it scans wireless networks and WiFi-enabled devices, and it integrates a large number of WiFi-specific attacks behind a user-friendly graphical interface.

SILICA is designed to determine the true risk of a wireless network: starting from a WiFi access point, it attempts to leverage vulnerabilities and determines which assets behind the vulnerable access point can be compromised.

Because it is purpose-built for wireless pen testing, many actions are driven by a highly automated one-button interface. Typical wireless pen testing tasks that can be accomplished with the product include WEP/WPA cracking attacks, the Key Reinstallation Attack (KRACK, a man-in-the-middle attack), setting up an evil-twin fake access point and intercepting all connected wireless clients, the Kr00k attack against a vulnerability in common Broadcom chipsets, the EAP relay attack, client-side injection, SSL stripping and spoofing, service impersonation, the Karma attack, the fake captive portal attack, executable replacement, the Apple EAP-success attack, and malicious AP detection.


Modern wireless network challenges

Understanding the vulnerabilities of your WiFi network can be challenging, because users can easily create networks on demand, bring their own devices (BYOD), or even do so unintentionally, for example by creating a mobile hotspot that lets others share the corporate wireless network. As recent events have demonstrated, scanning your WiFi network is an important part of understanding your security posture, and modern cybersecurity has expanded to cover assets such as wireless, virtualization, IoT and cloud.

Most generic vulnerability assessment tools simply take their existing network scanners and point them at the wireless infrastructure; they are not optimized for carrying out wireless pentesting. This approach does not give you the information that is unique to wireless networks. Immunity has built the first automated, WiFi-specific vulnerability assessment and penetration tool on the market, known as Immunity SILICA.

Uniquely developed for wireless pentesting

Unlike traditional scanners that merely identify possible vulnerabilities, SILICA determines the true risk of a particular access point. SILICA does this by unintrusively leveraging vulnerabilities and determining what assets behind the vulnerable access point can be compromised.

Additionally while traditional scanners can enumerate the vulnerabilities of a particular target, they cannot evaluate whether a mitigating control is in place on the target or in the surrounding environment. With SILICA’s unique methodology it can report on whether a vulnerability can be successfully exploited.


Wireless centric all-in-one tool

SILICA is a self-contained solution that runs on a standard Intel-based laptop. The SILICA software and base operating system (Ubuntu) are shipped on a bootable USB drive, which lets you run SILICA without any software modifications to your laptop. Included on the drive is a partition containing a virtual machine with the same SILICA image, giving you even greater flexibility and ease of use.

Highly automated, SILICA has a one-button interface for many of the actions that a security professional will want to take during an assessment, saving time through one-click automation.

SILICA also implements threat detection modules that can passively scan for malicious attacks or unintentional vulnerabilities. This is particularly useful for those involved in cyber defence of the enterprise wireless landscape.

SILICA gathers and consolidates all information from its modules with a polished user interface designed to support a large amount of information without performance loss.


WEP/WPA Cracking Attacks

As long as SILICA is running, a background WPA handshake sniffer module will be storing the last captured WPA handshake for every AP to the file system in the /su/Reports/WPA_HANDSHAKES folder. These handshake files, stored in .pcap format, can be used by external tools for cracking, or can be used from the Key Recovery tab.

Active or passive key recovery attacks can be launched from the Discover Key submenu on the Network Listing tab. When this option is selected for a WEP WLAN, an active WEP key recovery attack using ARP injection is launched. When this option is selected for a WPA WLAN and a handshake has not yet been captured, an active deauth attack is launched until a handshake is obtained. Once the handshake is captured, offline dictionary cracking is started to recover the key. SILICA includes a one-million-word dictionary. SILICA also supports WPA/WPA2 brute-forcing using PMKID data, which allows it to attack some access points even when no stations (clients) are present.


Key Reinstallation Attack (KRACK) 

KRACK is a man-in-the-middle attack between a target access point and the target devices that try to connect to the network. When a vulnerable device tries to connect, SILICA intercepts the packets and replays them in a way that causes the device to install an all-zero encryption key. SILICA then proceeds with ssl-stripping and ssl-spoofing attacks against the target device. The module's supported targets are wpa_supplicant 2.4 and 2.5; it was tested on a stock Ubuntu 16.04.1 target.

To make the KRACK attack work, SILICA requires two wireless cards, as the fake access point needs to be on a different channel than the real Access Point. If SILICA is not able to initialize the second interface when starting the KRACK attack, an error message (in red in the log window) is displayed and the module stops.

For the attack to be successful, these conditions should hold:

  • The target should be vulnerable to the zero-key attack (wpa_supplicant 2.4 and 2.5)
  • The signal from SILICA’s card should be stronger than the real AP from the target's point of view.
  • The target should try to reconnect to the network (SILICA will not try to force the target to reconnect).

The Kr00k Attack

The Kr00k Attack exploits a vulnerability in some very common Broadcom chipsets that causes a device to send zero-key encrypted data packets for a short period of time after a deauthentication packet is received. This module sends deauthentication packets to trigger the vulnerability, decrypts the packets, and displays them in a Wireshark window. The module supports attacking a single device, or all devices connected to an access point. To be more effective, the module uses a heuristic based on the timing and throughput of data packets from the target; the heuristic parameters can be adjusted from the Preferences Panel.

Note: Some Broadcom chipsets support a non-standard modulation scheme that the SILICA card does not support. This module may not work when the target is connected to an Access Point that uses one of these Broadcom chipsets and the non-standard modulation scheme is in use. This module was tested on a Raspberry Pi 3 target.
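Both the WPA key-recovery module above (which deauthenticates clients until a handshake is captured) and the Kr00k module begin by sending deauthentication frames, and SILICA's own threat detection modules passively watch for this kind of activity. The following is an added example, not SILICA's code, of how a passive wireless monitor can flag such a deauthentication flood: it keeps a sliding time window of deauth/disassoc frames per BSSID and raises one alert when the count within the window reaches a threshold. The frame records, BSSIDs, window size and threshold are all constructed or assumed values; in a real deployment the frames would come from a monitor-mode capture.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
WINDOW_SECONDS = 10.0     # assumed sliding window length
DEAUTH_THRESHOLD = 20     # assumed deauth/disassoc frames per window before alerting


@dataclass(frozen=True)
class Frame:
    """Minimal view of a captured 802.11 frame (constructed records, not a real parser)."""
    ts: float                      # capture timestamp in seconds
    subtype: str                   # "deauth", "disassoc", "beacon", "data", ...
    bssid: str
    src: str
    dst: str
    reason: Optional[int] = None   # 802.11 reason code carried by deauth/disassoc frames


def detect_deauth_floods(frames, window=WINDOW_SECONDS, threshold=DEAUTH_THRESHOLD):
    """Return {bssid: alert} for every BSSID whose deauth/disassoc count within
    any sliding window of `window` seconds reaches `threshold`.

    A legitimate AP sends the occasional deauth (idle timeout, roaming); a tool
    forcing clients off the network sends dozens within a few seconds, usually
    spoofing the AP's own address as source and BSSID.
    """
    recent = defaultdict(deque)          # bssid -> timestamps still inside the window
    stats = defaultdict(lambda: {"total": 0, "broadcast": 0, "reasons": set()})
    alerts = {}
    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.subtype not in ("deauth", "disassoc"):
            continue
        s = stats[f.bssid]
        s["total"] += 1
        if f.dst == BROADCAST:           # broadcast deauths hit every client at once
            s["broadcast"] += 1
        if f.reason is not None:
            s["reasons"].add(f.reason)
        q = recent[f.bssid]
        q.append(f.ts)
        while q and f.ts - q[0] > window:   # expire timestamps older than the window
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(f.bssid, {"first_seen": q[0], "peak": 0, "stats": s})
            alert["peak"] = max(alert["peak"], len(q))
    return alerts


def build_sample_capture():
    """Constructed capture: 30 broadcast deauths spoofed from AP A within three
    seconds (reason 7, class-3 frame from non-associated station, a code commonly
    carried by forced deauths), two routine inactivity deauths (reason 4) from
    AP B spread over a minute, plus background data frames."""
    ap_a, ap_b = "02:00:00:00:aa:01", "02:00:00:00:bb:01"   # constructed BSSIDs
    frames = [Frame(ts=100.0 + i * 0.1, subtype="deauth", bssid=ap_a,
                    src=ap_a, dst=BROADCAST, reason=7) for i in range(30)]
    frames.append(Frame(ts=100.5, subtype="deauth", bssid=ap_b, src=ap_b,
                        dst="02:00:00:00:cc:10", reason=4))
    frames.append(Frame(ts=160.0, subtype="deauth", bssid=ap_b, src=ap_b,
                        dst="02:00:00:00:cc:11", reason=4))
    frames.extend(Frame(ts=100.0 + i * 0.2, subtype="data", bssid=ap_b,
                        src="02:00:00:00:cc:10", dst=ap_b) for i in range(50))
    return frames


if __name__ == "__main__":
    for bssid, alert in detect_deauth_floods(build_sample_capture()).items():
        s = alert["stats"]
        print(f"ALERT deauth flood on {bssid}: first seen t={alert['first_seen']:.1f}s, "
              f"peak {alert['peak']} frames/{WINDOW_SECONDS:.0f}s, "
              f"{s['broadcast']}/{s['total']} broadcast, reason codes {sorted(s['reasons'])}")
```

Only AP A produces an alert; AP B's two deauths a minute apart never accumulate inside the window. The share of broadcast frames and the set of reason codes are reported because they help an analyst distinguish a forced disconnection of every client from an AP's normal housekeeping.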


EAP Relay Attack & Signal strength graphs

EAP Relay Attack

  • When trying to connect to a network using 802.1X authentication, SILICA will launch an MSCHAP Relay Attack if the credentials are unknown. This attack will allow SILICA to join the network after a man-in-the-middle attack on a legitimate client device trying to join the network. Only the PEAP with MSCHAPv2 authentication protocol is supported for this attack.

Signal strength graphs

  • Real time signal-to-noise ratio graphs are available for both access points and stations. These can be used to better position your wireless card, or to try and find the location of a wireless device (a directional antenna could be of help in that case).

Attack and Post Exploitation Modules

Attack Modules

  • A reduced version of the CANVAS network exploitation platform to probe and attack the target WLAN is included with SILICA. In addition to a number of remote code execution exploits, authentication bypass exploits that try to access the administrative interface of the target access points are included as well.

Post Exploitation Modules

  • After a remote code execution exploit is successful, post exploitation modules are run to gather information from the target:
    ● Screengrab: take a screenshot on the target host
    ● Get password hashes
    ● Get stored WiFi keys
    ● Get device information for Android devices
    ● Get system information

WPS Attacks

SILICA includes three WPS attacks:

  • WPS brute-forcing
  • WPS default PINs by MAC address
  • Offline brute-forcing (also known as Pixie Dust)

WPS brute-forcing is selected from the WPS > Get WPS PIN (full bruteforce) submenu. It will iterate over up to 11000 PINs. When successful, the WPS PIN and WPA shared key for the target are obtained. SILICA supports resuming an interrupted bruteforce attack against a target. NOTE: Many access points do not handle large numbers of WPS authentication events well, either as a protection or as a result of bugs, so in those cases this attack will most likely fail.

WPS default PINs are tested by either WPS > Get WPS PIN (full bruteforce) or WPS > Get WPS PIN (try only default pins). Certain access points are known to have PINs that can be derived from their BSSID, and SILICA will try these first.

Offline WPS PIN brute-forcing, also known as the Pixie Dust attack, is also attempted with any WPS attack. If successful, this attack will be very quick (less than one minute) as it does not need to try multiple PINs against the access point.


Fake AP

While scanning, SILICA will sniff for probe requests to populate this table. Each row represents an SSID probed for by a wireless device. Custom SSIDs can also be manually added by filling the text box next to the “Become custom AP” button and clicking the button.

By right-clicking a row, a variety of Fake AP attack modules can be launched using the row’s ESSID and Channel as a parameter. When running a Fake AP module, SILICA will accept connections from wireless devices trying to connect to the spoofed SSID. Network traffic from the devices (stations) will be monitored for cookies and credentials, and these are stored in the Cookie Viewer, Attack Tree and Passwords tabs.

Menu action options:

  • Edit encryption method and parameters of the Fake AP.
  • Edit Channel to set the channel of the Fake AP.
  • Become this network with client-side injection (Client-side Injection Attack).
  • Become this network with ssl-stripping and self-signed certificates (SSL Stripping and Spoofing attack).
  • Become this network with service impersonation (Service Impersonation Attack).

Karma Attack. Instead of impersonating only one SSID, the FakeAP responds to all probe requests, trying to get as many stations as possible to connect. This option is selected with the Karma Mode (reply to all probes) checkbox. It is available for Fake APs with open or RADIUS authentication.

Fake Captive Portal Attack. When this option is set, HTTP traffic from each station is redirected to a fake sign-in page until the user introduces any credentials. Captured credentials are added to the Passwords tab. This option is available for Fake APs using the service impersonation module.

Executable Replacement Attack. When the Fake AP is started with the Enable Transparent HTTP Proxy option set, requests from stations to files with an executable extension done over HTTP will be intercepted and the responses replaced with backdoors. This attack works for Windows, Linux and OSX targets.

Apple EAP-success attack (CVE-2019-6203). A vulnerability in some Apple devices allows an attacker to create fake access points that successfully spoof real access points for those devices, by sending EAP-success messages that the Apple devices accept even before validating credentials. SILICA will try to exploit the vulnerability when creating a FakeAP with 802.1X encryption.


Attack Tree & Printer Exploitation

The attack tree shows scan and attack results in a centralized manner, grouped by network, attack type, and target. Entries are shown in a tree format: the first level holds the network entries, the second level the attack type, the third level the target devices, and individual results are stored hierarchically in further levels. Entries can be folded or expanded to collapse the tree visualization. Some entries allow additional actions to be performed by right-clicking on them; this is signaled by an icon in the Actions column.

Printer exploitation

  • When SILICA finds a network printer, it will add the PJL file system to the Attack Tree. By expanding the PJL entries, you can explore directories, download files, and exploit path traversal vulnerabilities in the printer's file system. This is done on demand and in real time, so SILICA should be connected to the printer’s network for this feature to work.

Malicious AP Detection

SILICA analyzes captured beacons and probe responses looking for possible malicious access points. Any access point possibly spoofing a valid SSID is added to this tab together with the reason the AP is suspicious. There is one entry for each unique BSSID/Channel pair.

The color code is yellow for suspicious but probably benign configuration changes. Red is for known malicious or highly unexpected conditions.
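As an added example (not SILICA's code), the following implements the kind of beacon and probe-response analysis described above: findings are keyed by unique BSSID/Channel pair, each carries the reasons it is suspicious, and the same yellow/red colour code is applied (yellow for probably benign configuration changes such as an inventoried AP on an unexpected channel, red for a known SSID advertised with different security). It also flags the Karma-style behaviour described in the Fake AP section, where one BSSID answers probes for many different SSIDs. The inventory of known access points, the frame records and the Karma threshold are constructed values.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory of the organisation's legitimate APs (hypothetical values).
KNOWN_APS = {
    "corp-wifi": {
        "bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
        "channels": {1, 6, 11},
        "security": "WPA2-ENT",
    },
}
KARMA_THRESHOLD = 3   # assumed: distinct SSIDs one BSSID must answer probes for


@dataclass(frozen=True)
class Beacon:
    """Fields extracted from a beacon or probe response (constructed records)."""
    bssid: str
    ssid: str
    channel: int
    security: str              # "OPEN", "WPA2-PSK", "WPA2-ENT", ...
    is_probe_response: bool = False


def classify(beacons, known=KNOWN_APS, karma_threshold=KARMA_THRESHOLD):
    """Return {(bssid, channel): (level, [reasons])} with level "red" or "yellow".
    Frames consistent with the inventory produce no entry."""
    by_key = defaultdict(list)      # one entry per unique BSSID/channel pair
    probed = defaultdict(set)       # bssid -> SSIDs it has sent probe responses for
    for b in beacons:
        by_key[(b.bssid, b.channel)].append(b)
        if b.is_probe_response:
            probed[b.bssid].add(b.ssid)

    findings = {}
    for (bssid, channel), frames in by_key.items():
        reasons = []
        answered = len(probed[bssid])
        if answered >= karma_threshold:
            reasons.append(("red", f"answers probes for {answered} different SSIDs "
                                   "(Karma-style behaviour)"))
        # Check each (ssid, security) pair this BSSID advertised on this channel.
        for ssid, security in sorted({(f.ssid, f.security) for f in frames}):
            profile = known.get(ssid)
            if profile is None:
                continue                              # SSID not ours: nothing to compare against
            if security != profile["security"]:
                reasons.append(("red", f"known SSID {ssid!r} advertised with {security}, "
                                       f"expected {profile['security']}"))
            elif bssid not in profile["bssids"]:
                reasons.append(("yellow", f"known SSID {ssid!r} from BSSID not in inventory"))
            elif channel not in profile["channels"]:
                reasons.append(("yellow", f"inventoried AP for {ssid!r} on unexpected "
                                          f"channel {channel}"))
        if reasons:
            level = "red" if any(lvl == "red" for lvl, _ in reasons) else "yellow"
            findings[(bssid, channel)] = (level, [text for _, text in reasons])
    return findings


def build_sample_frames():
    """Constructed frames: a healthy inventoried AP, an inventoried AP that moved
    channel, an unknown BSSID copying the corporate SSID, an open-network twin of
    the corporate SSID, and a BSSID replying to every probe it sees."""
    karma = "aa:bb:cc:dd:ee:03"
    return [
        Beacon("00:11:22:33:44:01", "corp-wifi", 6, "WPA2-ENT"),
        Beacon("00:11:22:33:44:02", "corp-wifi", 3, "WPA2-ENT"),
        Beacon("aa:bb:cc:dd:ee:01", "corp-wifi", 6, "WPA2-ENT"),
        Beacon("aa:bb:cc:dd:ee:02", "corp-wifi", 11, "OPEN"),
        Beacon(karma, "corp-wifi", 1, "OPEN", is_probe_response=True),
        Beacon(karma, "HomeNet", 1, "OPEN", is_probe_response=True),
        Beacon(karma, "CoffeeShop", 1, "OPEN", is_probe_response=True),
    ]


if __name__ == "__main__":
    for (bssid, channel), (level, reasons) in sorted(classify(build_sample_frames()).items()):
        print(f"[{level.upper():6}] {bssid} ch{channel}: " + "; ".join(reasons))
```

The healthy AP produces no entry; the two inventory mismatches come out yellow, and both the open twin and the probe-answering BSSID come out red, the latter with two reasons. Broadening the inventory profile (for example with permitted vendor OUIs or expected beacon intervals) adds further checks without changing the structure.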


E-SPIN & Immunity SILICA

E-SPIN has been active in supplying vulnerability assessment and penetration testing (VAPT) products to enterprise customers since 2005, whether as part of an enterprise threat and vulnerability management use case, supplying world-class commercial penetration testing suites and private zero-day exploitation packs for ethical hacking, or assisting government customers with the complex US export control and license application paperwork with the relevant agencies, so that these penetration testing suites, systems and related exploitation packs are properly and legally licensed for ethical hackers, from corporate internal penetration testers and red team operations to external security consultants and licensed penetration testers.

Feel free to contact E-SPIN for hassle-free turnkey project supply with value-added services (VAS), from consulting and project management to training and maintenance, whether for a national government authority, a pentesting services firm or a listed corporation that needs the product to carry out project and operational requirements.

Use Cases

*Improved security posture, simplified troubleshooting, network mapping
*Create real threat profiles and vulnerability assessments
*Build WiFi risk and vulnerability analysis for PCI, SOX
*Rogue access point detection
*Auditing wireless client security

Complete Wireless Pentesting Solution

SILICA runs inside a virtual machine. Each SILICA user will receive an email with their credentials and instructions on how to activate SILICA.
SILICA comes with two wireless cards, however only one is required for regular SILICA use and activation. The additional wireless card is only required to perform the KRACK attack.
Unless explicitly stated in the release notes, the virtual machine does not change for each SILICA release, so it is not necessary to download the virtual machine again to obtain the last version. Updates can be deployed by clicking the UPDATE button on the SILICA interface.

Typical Users

*Forensics teams working to re-create an incident.
*Security Management teams that want a purpose-built vulnerability scanning and exploitation tool for their WiFi network, including remote identification of systems and mobile devices even when they run personal firewalls.
*Network administrators who want to discover ad-hoc, unauthorized clients or weakly authenticated WiFi access points, and to test/recover WEP, LEAP and WPA 1/2 keys.
*Compliance officers looking for real risk management profiles.
*Security Assessment teams that are tired of the false positives from traditional scanners and use SILICA's man-in-the-middle and aggressive remote exploitation capability.
