Penetration Testing mailing list archives
Re: [PEN-TEST] Penetrating Wireless Networks
From: Ichinin <ichinin () swipnet se>
Date: Sun, 11 Mar 2001 14:15:40 +0100
Hi. Frank Knobbe wrote:
> I know the technologies are rather new compared to wired networks, but does anyone have any pointers for penetration tests of wireless networks, 802.11b in particular?
None that I've heard of that do not already exist for Ethernets that you could use.
> In my opinion, with the advance of wireless networks, this will be a very important part of pen tests. Has anyone developed any methodologies for such tests? Are there any tools available that assist in testing wireless networks?
I've written a portscanner for the RLAN capable PocketPCs (MIPS) and a bruteforce password guesser for the Symbol Access Points. But those tools are hardly useful for anything but toying around.
> For example, one is able to run tcpdump and other goodies on the wireless card just like on regular NICs.
Yes, it's just as a normal network.
> However, in order to gain access to the WLAN, one must know not only the WEP encryption key (if WEP is used), but also the ESS (network identifier), preamble length, and channel number.
One idea you could try: place an AP with the ACCEPT Broadcast ESSID option turned on and a sniffer, and use the same network type (IPs etc.). The ESSID is not hard to guess since a lot of default installations exist out there, i.e. ESSID "101" (a leftover from the Spring protocol).

A note on WEP: do not use it. Since static keys are used, the risk of someone mounting a statistical cryptanalytical attack on WEP (as the WEP FAQ may have pointed out) is big. Some of the older APs are still shipped with 40 bit security. Some of the crypto keys are world readable in the registry on the systems that have RLAN NICs installed, which is a big mistake. So, don't just look at the hardware (OK, do some SNMP & default password checking); you need to look at the software side as well.

Frequency hopping is security through obscurity; the hopping sets are too predictable, i.e. the next frequency MUST be at least 3 frequencies up or down the list (subtract 7 frequencies out of 83). There are also only 3 main sets of frequencies and IIRC 25 subsets of those, totalling ~75 frequency sequences.

Regards,
Glenn aka "Ichinin"
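The static-key weakness mentioned in the post above, shown as an added example that is not part of the original message or of any tool named in it. WEP seeds RC4 with a 24-bit IV sent in the clear followed by the static key, so any two frames that carry the same IV are encrypted under the same keystream; the plaintext of one such frame (a predictable header is enough) yields the keystream, which decrypts the other without the key ever being recovered. The key, IV and frame contents below are constructed for the demonstration.

```python
"""WEP keystream-reuse demonstration (added example; not from the original post)."""
import zlib

# Constructed sample values; on a real network these would come from captures.
STATIC_KEY = bytes.fromhex("0123456789")          # a 40-bit WEP key, never rotated
REUSED_IV = bytes.fromhex("000001")               # IV a card restarts at after a reset
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")   # predictable 8-byte frame prefix

# Frame A: plaintext fully known to the attacker (e.g. traffic they provoked).
KNOWN_PLAINTEXT = LLC_SNAP_IP + b"\x45\x00\x00\x3c" + b"known request body!"
# Frame B: the frame we want to read, sent later with the same IV.
SECRET_PLAINTEXT = LLC_SNAP_IP + b"\x45\x00\x00\x54" + b"password=hunter2"


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key schedule followed by `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return iv || RC4(iv || key)(plaintext || ICV), as in a WEP frame body."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Decrypt with the key and verify the ICV; None on ICV mismatch."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    data, tag = plain[:-4], plain[-4:]
    return data if icv(data) == tag else None


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Keystream = ciphertext XOR known plaintext (including its ICV); no key needed."""
    return xor(frame[3:], known_plaintext + icv(known_plaintext))


def decrypt_with_keystream(frame: bytes, iv: bytes, keystream: bytes):
    """Apply a recovered keystream to another frame carrying the same IV.

    Returns verified plaintext when the keystream covers the whole body, the
    decrypted prefix when it is shorter, and None if the IV differs or the ICV
    fails (the keystream did not belong to this IV after all).
    """
    if frame[:3] != iv:
        return None
    body = frame[3:]
    plain = xor(body, keystream)
    if len(plain) < len(body):
        return plain  # partial recovery: only the covered prefix is readable
    data, tag = plain[:-4], plain[-4:]
    return data if icv(data) == tag else None


def demo() -> bytes:
    """Read frame B using only frame A's ciphertext and known plaintext."""
    frame_a = wep_encrypt(STATIC_KEY, REUSED_IV, KNOWN_PLAINTEXT)
    frame_b = wep_encrypt(STATIC_KEY, REUSED_IV, SECRET_PLAINTEXT)
    keystream = recover_keystream(frame_a, KNOWN_PLAINTEXT)  # STATIC_KEY unused here
    return decrypt_with_keystream(frame_b, REUSED_IV, keystream)


if __name__ == "__main__":
    print(demo())
```

With a 24-bit IV space and a static key, IV reuse is a matter of time on any busy network even without the reset-to-zero behaviour assumed above; rotating keys is what removes the attack, which is why the advice in the post is simply not to rely on WEP.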
Current thread:
- [PEN-TEST] Penetrating Wireless Networks Frank Knobbe (Mar 07)
- Re: [PEN-TEST] Penetrating Wireless Networks Mark Seiden (Mar 07)
- Re: [PEN-TEST] Penetrating Wireless Networks Max Gribov (Mar 07)
- Re: [PEN-TEST] Penetrating Wireless Networks Robert Stonehouse (Mar 08)
- Re: [PEN-TEST] Penetrating Wireless Networks Rafael Coninck Teigao (Mar 09)
- Re: [PEN-TEST] Penetrating Wireless Networks van der Kooij, Hugo (Mar 09)
- Re: [PEN-TEST] Penetrating Wireless Networks Rafael Coninck Teigao (Mar 09)
- Re: [PEN-TEST] Penetrating Wireless Networks Weiss, Bill (Mar 09)
- Re: [PEN-TEST] Penetrating Wireless Networks Rafael Coninck Teigao (Mar 09)
- Re: [PEN-TEST] Penetrating Wireless Networks Anton Rager (Mar 09)
- Re: [PEN-TEST] Penetrating Wireless Networks mirza sahib (Mar 11)
- Re: [PEN-TEST] Penetrating Wireless Networks Phil Cox (Mar 12)
- Re: [PEN-TEST] Penetrating Wireless Networks Marc Mosko (Mar 12)
- Re: [PEN-TEST] Penetrating Wireless Networks Ichinin (Mar 13)
- Re: [PEN-TEST] Penetrating Wireless Networks Phil Cox (Mar 14)
- <Possible follow-ups>
- Re: [PEN-TEST] Penetrating Wireless Networks Frank Knobbe (Mar 08)
- Re: [PEN-TEST] Penetrating Wireless Networks Marnix Petrarca (Mar 09)
- Re: [PEN-TEST] Penetrating Wireless Networks Clarke, Matthew J (Mar 09)
- Re: [PEN-TEST] Penetrating Wireless Networks Bourque Daniel (Mar 13)
- Re: [PEN-TEST] Penetrating Wireless Networks Matteo,Marc A. (Mar 13)
- Re: [PEN-TEST] Penetrating Wireless Networks Phil Cox (Mar 14)