Immunity SILICA for Wireless Infrastructure Penetration Testing. Immunity SILICA is a world-leading commercial wireless security assessment tool (SAT) for penetration testing and hostile attack simulations targeting wireless infrastructure.
SILICA is a Wireless Penetration Testing Tool
Immunity SILICA is a wireless security vulnerability assessment and penetration tool, purpose built to let wireless penetration testers focus on their projects: it scans wireless networks and WiFi-enabled devices and integrates a large number of WiFi-specific attacks behind a user-friendly graphical interface.
SILICA is designed to determine the true risk of wireless networks, starting from the WiFi access point, by attempting to leverage vulnerabilities and determining which assets behind the vulnerable access point can be compromised.
Since it is purpose built for wireless pen testing, many actions are implemented behind a highly automated one-button interface. Common wireless pen testing tasks that the product accomplishes easily include WEP/WPA key cracking; the Key Reinstallation Attack (KRACK), a man-in-the-middle attack; setting up an evil twin fake access point to intercept all connected wireless clients; the Kr00k attack against a vulnerability in common Broadcom chipsets; the EAP Relay attack; client-side injection; SSL stripping and spoofing; service impersonation; the Karma attack; the fake captive portal attack; the executable replacement attack; the Apple EAP-success attack; and malicious AP detection.
SILICA addresses modern wireless network challenges
Understanding the vulnerabilities of your WiFi network can be challenging, because users can easily create networks on demand, bring their own devices (BYOD) or, perhaps unintentionally, create a mobile hotspot that lets others share the corporate wireless network. As recent events have demonstrated, scanning your WiFi network is an important part of understanding your security posture, since modern cybersecurity has expanded to cover assets such as wireless, virtualization, IoT and cloud.
Most generic vulnerability assessment tools simply take their existing network scanners and point them at the wireless infrastructure; they are not optimized for carrying out wireless pentesting. This approach does not give you the information that is unique to wireless networks. Immunity has built the first automated, WiFi-specific vulnerability assessment and penetration tool on the market, known as Immunity SILICA.
SILICA is uniquely developed for wireless infrastructure pentesting
Unlike traditional scanners that merely identify possible vulnerabilities, SILICA determines the true risk of a particular access point. SILICA does this by unintrusively leveraging vulnerabilities and determining what assets behind the vulnerable access point can be compromised.
Additionally, while traditional scanners can enumerate the vulnerabilities of a particular target, they cannot evaluate whether a mitigating control is in place on the target or in the surrounding environment. With SILICA’s unique methodology it can report on whether a vulnerability can actually be exploited.
Feature: Wireless centric all-in-one tool
SILICA is a self-contained solution that runs on a standard Intel-based laptop. The SILICA software and base operating system (Ubuntu) are shipped on a bootable USB drive that enables you to run SILICA without any software modifications to your laptop. Included on the drive is a partition containing a virtual machine with the same SILICA image, giving you even greater flexibility and ease of use.
Highly automated, SILICA has a one-button interface for many of the actions that a security professional will want to take during an assessment, saving time through one-click automation.
SILICA also implements threat detection modules that can passively scan for malicious attacks or unintentional vulnerabilities. This is particularly needed for those involved in cyber defence for the wireless landscape for the enterprise.
SILICA gathers and consolidates all information from its modules with a polished user interface designed to support a large amount of information without performance loss.
As long as SILICA is running, a background WPA handshake sniffer module will be storing the last captured WPA handshake for every AP to the file system in the /su/Reports/WPA_HANDSHAKES folder. These handshake files, stored in .pcap format, can be used by external tools for cracking, or can be used from the Key Recovery tab.
Active or passive key recovery attacks can be launched from the Discover Key submenu on the Network Listing tab. When this option is selected for a WEP WLAN, an active WEP key recovery attack using ARP injection is launched. When this option is selected for a WPA WLAN and a handshake has not yet been captured, an active deauth attack is launched until a handshake is obtained. Once the handshake is captured, offline dictionary cracking is started to recover the key. SILICA includes a one-million-word dictionary. SILICA also supports WPA/WPA2 brute-forcing using PMKID data, which allows it to attack some access points even when no stations (clients) are present.
Feature: Key Reinstallation Attack (KRACK)
KRACK is a man-in-the-middle attack between a target access point and the target devices that try to connect to the network. When a vulnerable device tries to connect, SILICA will intercept the packets and replay them in a way that causes the device to install a zeroed-out encryption key. SILICA will then proceed with ssl-stripping and ssl-spoofing attacks against the target device. The module's supported targets are wpa_supplicant 2.4 and 2.5, and it was tested on a stock Ubuntu 16.04.1 target.
To make the KRACK attack work, SILICA requires two wireless cards, as the fake access point needs to be on a different channel than the real Access Point. If SILICA is not able to initialize the second interface when starting the KRACK attack, an error message (in red in the log window) is displayed and the module stops.
For the attack to be successful, these conditions should hold:
- The target should be vulnerable to the zero-key attack (wpa_supplicant 2.4 and 2.5)
- The signal from SILICA’s card should be stronger than the real AP from the target’s point of view.
- The target should try to reconnect to the network (SILICA will not try to force the target to reconnect).
Feature: The Kr00k Attack
The Kr00k Attack exploits a vulnerability in some very common Broadcom chipsets that causes a device to send zero-key encrypted data packets for a short period of time after a deauthentication packet is received. This module will send deauthentication packets to trigger the vulnerability, decrypt the packets, and display them in a Wireshark window. The module supports attacking a single device, or all devices connected to an access point. The module uses a heuristic based on the timing and throughput of data packets from the target to be more effective. The heuristic parameters can be adjusted from the Preferences Panel.
Note: Some Broadcom chipsets support a non-standard modulation scheme that the SILICA card does not support. This module may not work when the target is connected to an Access Point that uses one of these Broadcom chipsets with that modulation scheme. This module was tested on a Raspberry Pi 3 target.
Feature: EAP Relay Attack & Signal strength graphs
EAP Relay Attack
- When trying to connect to a network using 802.1X authentication, SILICA will launch an MSCHAP Relay Attack if the credentials are unknown. This attack will allow SILICA to join the network after a man-in-the-middle attack on a legitimate client device trying to join the network. Only the PEAP with MSCHAPv2 authentication protocol is supported for this attack.
Signal strength graphs
- Real time signal-to-noise ratio graphs are available for both access points and stations. These can be used to better position your wireless card, or to try and find the location of a wireless device (a directional antenna could be of help in that case).
Feature: Attack and Post Exploitation Modules
- A reduced version of the CANVAS network exploitation platform to probe and attack the target WLAN is included with SILICA. In addition to a number of remote code execution exploits, authentication bypass exploits that try to access the administrative interface of the target access points are included as well.
Post Exploitation Modules
- After a remote code execution exploit is successful, post exploitation modules are run to gather information from the target:
  - Screengrab: take a screenshot on the target host
  - Get password hashes
  - Get stored WiFi keys
  - Get device information for Android devices
  - Get system information
Feature: WPS Attacks
SILICA includes three WPS attacks:
- WPS brute-forcing
- WPS default PINs by MAC address
- Offline brute-forcing (also known as Pixie Dust)
WPS brute-forcing is selected from the WPS > Get WPS PIN (full bruteforce) submenu. It will iterate over up to 11000 PINs. When successful, the WPS PIN and WPA shared key for the target are obtained. SILICA supports resuming an interrupted bruteforce attack against a target. NOTE: Many access points do not handle large numbers of WPS authentication events well, either as a protection or as a result of bugs, so in those cases this attack will most likely fail.
WPS default PINs are tested by either WPS > Get WPS PIN (full bruteforce) or WPS > Get WPS PIN (try only default pins). Certain access points are known to have PINs that can be derived from their BSSID, and SILICA will try these first.
Offline WPS PIN brute-forcing, also known as the Pixie Dust attack, is also attempted with any WPS attack. If successful, this attack will be very quick (less than one minute) as it does not need to try multiple PINs against the access point.
Feature: Fake AP
While scanning, SILICA will sniff for probe requests to populate this table. Each row represents an SSID probed for by a wireless device. Custom SSIDs can also be manually added by filling the text box next to the “Become custom AP” button and clicking the button.
By right-clicking a row, a variety of Fake AP attack modules can be launched using the row’s ESSID and Channel as a parameter. When running a Fake AP module, SILICA will accept connections from wireless devices trying to connect to the spoofed SSID. Network traffic from the devices (stations) will be monitored for cookies and credentials, and these are stored in the Cookie Viewer, Attack Tree and Passwords tabs.
Menu action options:
- Edit encryption method and parameters of the Fake AP.
- Edit Channel to set the channel of the Fake AP.
- Become this network with client-side injection (Client-side Injection Attack).
- Become this network with ssl-stripping and self-signed certificates (SSL Stripping and Spoofing attack).
- Become this network with service impersonation (Service Impersonation Attack).
Karma Attack. Instead of impersonating only one SSID, the FakeAP will respond to all probe requests, trying to get as many stations as possible to connect. This option is selected with the Karma Mode (reply to all probes) checkbox. This option is available for Fake APs with open or RADIUS authentication.
Fake Captive Portal Attack. When this option is set, HTTP traffic from each station is redirected to a fake sign-in page until the user enters any credentials. Captured credentials are added to the Passwords tab. This option is available for Fake APs using the service impersonation module.
Executable Replacement Attack. When the Fake AP is started with the Enable Transparent HTTP Proxy option set, requests from stations for files with an executable extension made over HTTP will be intercepted and the responses replaced with backdoors. This attack works for Windows, Linux and OSX targets.
Apple EAP-success attack (CVE-2019-6203). There is a vulnerability in some Apple devices that allows an attacker to create fake access points that successfully spoof real access points for those devices, by sending EAP-success messages that the Apple devices accept even before validating credentials. SILICA will try to exploit the vulnerability when creating a FakeAP with 802.1X encryption.
Feature: Attack Tree & Printer Exploitation
The attack tree shows scan and attack results in a centralized manner, grouped by network, attack type, and target. Entries are shown in a tree format. The first level are the network entries, the second level the attack type, the third level the target devices, and individual results are stored in further levels in a hierarchical manner. Entries can be folded or expanded to collapse the tree visualization. Some entries allow for additional actions to be performed by right-clicking on them. This is signaled by an icon on the Actions column.
- When SILICA finds a network printer, it will add the PJL file system to the Attack Tree. By expanding the PJL entries, you can explore directories, download files, and exploit path traversal vulnerabilities in the printer’s file system. This is done on demand and in real time, so SILICA should be connected to the printer’s network for this feature to work.
Feature: Malicious AP Detection
SILICA analyzes captured beacons and probe responses looking for possible malicious access points. Any access point possibly spoofing a valid SSID will be added to this tab with the reason that the AP is suspicious. There is one entry for each unique BSSID/Channel pair.
The color code is yellow for suspicious but probably benign configuration changes. Red is for known malicious or highly unexpected conditions.
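As an added illustration (not SILICA's code and not from this page), the kind of beacon analysis described above reduced to a small rule set: observed beacons are compared against a constructed inventory of authorised APs, each finding is keyed by (BSSID, channel) and given a reason, and the page's yellow/red colour code is applied. The SSIDs, BSSIDs and policy values are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    security: str  # "OPEN", "WPA2-PSK", "WPA2-EAP", ... as parsed from the RSN/WPA IE

# Constructed inventory of the APs we legitimately operate (hypothetical values).
AUTHORISED = {"CorpWiFi": {"bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
                           "security": "WPA2-EAP", "channels": {1, 6, 11}}}

def classify(beacon):
    """Return (severity, reason) for a suspicious AP, or None if it looks legitimate."""
    policy = AUTHORISED.get(beacon.ssid)
    if policy is None:
        return None  # not one of our SSIDs, so there is nothing to spoof
    bssid = beacon.bssid.lower()
    if bssid not in policy["bssids"]:
        return ("red", "unknown BSSID advertising an authorised SSID (possible evil twin)")
    if beacon.security == "OPEN" and policy["security"] != "OPEN":
        return ("red", "authorised BSSID now beaconing an open network (encryption downgrade)")
    if beacon.security != policy["security"]:
        return ("yellow", f"security changed from {policy['security']} to {beacon.security}")
    if beacon.channel not in policy["channels"]:
        return ("yellow", f"authorised BSSID seen on unexpected channel {beacon.channel}")
    return None

def analyze(beacons):
    """Aggregate findings keyed by (BSSID, channel), keeping the worst severity per pair."""
    rank = {"yellow": 1, "red": 2}
    findings = {}
    for b in beacons:
        verdict = classify(b)
        if verdict is None:
            continue
        key = (b.bssid.lower(), b.channel)
        if key not in findings or rank[verdict[0]] > rank[findings[key][0]]:
            findings[key] = verdict
    return findings

# Constructed sample capture: legitimate beacons plus three kinds of anomaly.
SAMPLE = [
    Beacon("CorpWiFi", "aa:bb:cc:00:00:01", 6, "WPA2-EAP"),
    Beacon("CorpWiFi", "DE:AD:BE:EF:00:01", 6, "WPA2-EAP"),  # unknown BSSID, our SSID
    Beacon("CorpWiFi", "aa:bb:cc:00:00:02", 11, "WPA2-EAP"),
    Beacon("CorpWiFi", "aa:bb:cc:00:00:02", 11, "OPEN"),      # same BSSID, encryption gone
    Beacon("CorpWiFi", "aa:bb:cc:00:00:01", 3, "WPA2-EAP"),   # off-plan channel
]
```

Running `analyze(SAMPLE)` yields three entries: the unknown BSSID and the open-network downgrade are red, the channel drift is yellow, and the legitimate beacons produce no entry.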