BackTrack 5 Wireless Penetration Testing Beginner's Guide [Paperback]

After reading the first 3 Chapters I thought "wow this is great" - and I still do think that, but after a while I became a bit fed up of reading that a certain subject was beyond the scope of the book or it asking you to look further into a certain backtrack tool. I appreciate that you have to learn to think for yourself but the whole reason why I buy a book is so that it pulls everything together and things that are understandably beyond the scope of a book should be well referenced so that you can then spend some time searching these references online - for nearly £30 I would expect this from a book.

However, apart from a poor reference section this book is great! I set up the wireless lab that the book recommends although I would suggest you buy the alfa AWUS306NH which supports the "new" 802.11n network instead of just the old b and g networks which the suggested card in the book only supports. Backtrack 5 R2 now has the support for the new alfa card and there is no problem with injection. I would highly recommend that you set up this wireless lab and buy the wifi router as it allows you to see first hand how an Acess Point (AP) is affected. It also enables you to check that you are doing things correctly, for example, if you set up a WPA AP with a very short easy dictionary password but you are unable to crack the password then you know you must be doing something wrong. It is also good to log into your wifi router and see the connections and logs that are left behind. (I bought the D-Link Wireless N Router.)

This is a simple step by step guide with accompanying screen shots - I would advise you to follow the commands on the screen shots as there are some typos in the book, for example, when it asks you to type in the name "Wireless Lab" it sometimes misses the quotes ("") off resulting in the command not working, but on the screen shot it appears correctly as "Wireless Lab" (you will understand this when you come to do it!).

The basic tools used are Aircrack and Wireshark and there are some very good basic commands and filters for these programs in the book and it pulls these two programs together to work hand-in-hand. There is a lot of time spent on WEP and creating your own open WEP access point for your wireless lab - I would just be careful if you do this as I had some neighbours sniffing about my open WEP! Although WEP is becoming obsolete you will be amazed how many people still use it and how relevant it is. The book then proceeds onto WPA and looks at how to crack passwords (again some decent references here would have been great). The learning curve of the book progressively increases with more in-depth penetration testing.

There is a good section about changing the region of your wifi card so that you can select a different range of channels or greater power, for example, the alfa card I have defaulted to 20dBm but when I changed the region of the card I could then increase the txpower of the card to 30dBM - of course there are lgal limits for your own country but you do need to know how to do this if you travel abroad.

All-in-all this is a great book. For the price I would expect more and better references, however, I am very glad that I bought this book and would highly recommend it as the first step in learning penetration testing and as a means of securing your own wireless system!

I hope the author does another book - maybe for the intermediate/advanced user with more references at the end of each chapter - I for one would certainly buy it.

Disclaimer: I have received this book from the publisher for special review. And author is good friend of mine. However the review remains genuine and unbiased.

This book is highly technical & written completely from practical perspective. To get the best out of this book you need to parallely follow it up with your own setup as shown in first chapter. And at the end of it, there will be one more Wi-Fi ninja in the air.

Here is the complete chapter by chapter review,

First chapter starts with the famous line from `Abraham Lincoln' pressing on the importance of setting up the play ground,

"If I had eight hours to chop down a tree, I'd spend six hours sharpening my axe."

It lists both hardware/software requirements with 2 Wi-Fi enabled laptops, one injectible Wi-Fi card (Alfa AWUS036H) & a access point. Some more listing of alternative injectible Wi-Fi cards would have been better though. It is often difficult to get the right one especially for those who are outside USA/UK. In my initial days of wardriving, I remember waiting for entire year to get my first injectible USB dongle. And without the right card, you are on the back foot as you can't perform most of the attacks.

Remaining portion of first chapter shows how to install BackTrack, Setting up access point and wireless cards in detail with screenshots. Next one explains in brief about wireless frames and shows how to capture the Wi-Fi packets in the air and inject your own packets using Alfa card.

It goes more interesting with chapter 3 showing how to bypass various wireless security restrictions such as hidden SSIDs, defeating MAC filters, bypassing WEP authentication etc. Next it shows how to really crack those 128 bit WEP keys using aircrack-ng tool. Finally it describes how we can use these cracked WEP/WPA passphrase to decrypt wireless data packets and directly connect to WEP/WPA network.

Chapter 5 explains various Denial of Service (DoS) attacks including De-Authentication, Dis-Association, CTS-RTS attack & spectrum jamming. It also shows how one can perform `Evil Twin' attack against legitimate Access point and how to setup rogue access point to gain backdoor entry into the network.

Often the weakest point lies at the client side, so the chapter 6 goes to describe all those attacks one can perform on wireless clients including Honeypot and Mis-Association attacks, Caffe Latte attack, De-Authenticaton and Dis-Association attacks, Hirte attack, AP-less WPA-Personal cracking etc. Next one shows how to perform wireless based Man-in-the-Middle (MITM) attacks and then use it for sniffing and hijacking of user sessions.

Chapter 8 focuses on WPA-enterprise based attacks such as exploiting the weakness in PEAP, EAP-TLS protocols. It ends with recommendation on secure wireless configuration using `WPA2-PSK with a strong passphrase' for smaller/medium size organizations and `WPA2-Enterprise with EAP-TLS' for larger organizations.

Final chapter touches very briefly on pen testing methodologies and then goes more into wireless pen testing using the attacks explained in previous chapters. It starts with step by step of discovery of wireless devices, finding unauthorized clients, rogue access points and then cracking the wireless encryption using the attacks demonstrated in previous chapters.

Highlights of the Book

* Very well written and enjoyable to read
* Practical and includes latest stuff from wireless field
* Every attack technique is very well shown with complete technical details and illustrative screenshots.
* Includes action items for reader to explore more and gain more expertise
* Pop Quiz at the end of each chapter ensures that you were not dozing off

After reading this book completely, one thing is sure that you would like to change its title from "Beginners guide" to "Not just Beginners guide". Even though its his first book, I am amazed with his style of writing and `connecting with reader' mentality making it easier to grasp and enjoyable to read on.

And here comes the final verdict,

"Written by wireless expert, this book goes beyond the words and highly recommended to anyone willing to master Wi-Fi Kung Fu."

This book walks you through the essential wireless protocol vulnerabilities very well, first by setting up a lab to test the theory in the book, and then by building on your knowledge piece by piece; each time with practical exercises to complete. This well written book WILL allow the beginner to gain a good awareness of wireless security issues. A great grounding for taking your studies to the next level..
I would have liked a greater range of tools to have been covered but this could complicate matters and detract from the real security material so ultimately I am glad the author resisted this and stuck to their progressive chapters - which essentially follow the following pattern - theory, do, pop quiz & summary. I personally learn better by doing and this book does not leave it too long before investigating the theory with a practical exercise - Highly recommended.