Penetration Testing mailing list archives
Re: [PEN-TEST] Penetrating Wireless Networks
From: Mark Seiden <mis () SEIDEN COM>
Date: Wed, 7 Mar 2001 11:32:52 -0800
(be careful: it's just a matter of time before the first fatal accident involving use of wireless sniffers while driving... i have termed this "war driving".)

a useful tool for win2k is wildpackets "airopeek" wireless sniffer. it has just come out of beta, and the beta version only supports the cisco 340 family NIC, due to modified NDIS drivers. with this running on my laptop while i drive i usually pick up an access point per mile or two, even at > 60 mph with no special antenna.

you can see the wireless frames including 802.11 beacons, which contain the name of the access point, the channel and whether WEP is in use, as well as all of the MAC addresses of talking interfaces, and a signal strength indication so you can figure out which way to go. if you supply the wep keys, it will decrypt.

it's a useful sniffer ... but: it does not produce frames in tcpdump format. you need a separate utility for that. also, it's EXPENSIVE: $1995 plus maintenance. aargh. (i got the beta for free...) (maybe they need more competition... from something free?)

regarding general sniffing of WLAN: choice of antenna is important, by the way, if you want to do "war driving". (peter shipley recently mentioned he had a gps hooked up to a sniffer as well, so he records a location when the frames were received ...)

you don't need the SSID. it provides no value anyway (since you can use the ALL value). but you can see it in the 802.11 beacons, and with WEP it gives a clue to the organization owning the access point (without WEP their email and web surfing is a much better clue...).

it does not appear that MAC-based access control (which some access points have) is entirely useful, since you can change your MAC address on some interfaces to spoof that of some NIC you've seen successfully talking.

802.11b WEP provides little value (regardless of key length chosen) due to the reuse of the keystream, the lack of dynamic rekeying, and the possibility of known plaintext attacks. you have to record a few gigabytes of WEP data traffic to launch this attack, though, and i don't believe anyone has yet automated the exploit. (this has been known by members of the 802.11 committee for at least a year, more like two...) (802.11e is trying to fix this, and cisco has announced an 802.1x implementation for the 350 card which seemingly complies with the compromise proposal in the 802.11 committee).

as a separate issue: some of the wireless access points ship with naive ideas about administration and maintenance. (run nmap against an access point...) the smc and addtron access points, which use code licensed from a little company in ontario, neesus, have an open service (a listener for a no longer available proprietary and undocumented administration utility) which does nothing (they say -- we shall see), a web server for configuration with an unchangeable user "default", and a default password (which is changeable, at least). there are also strings in the access point binary image which make me wonder about back doors -- neesus says they can't explain them and maybe they're from the development environment they use.

it's the wild west out there...

On Tue, Mar 06, 2001 at 07:23:22PM -0600, Frank Knobbe wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Greetings,
>
> I know the technologies are rather new compared to wired networks, but does anyone have any pointers for penetration tests of wireless networks, 802.11b in particular? In my opinion, with the advance of wireless networks, this will be a very important part of pen tests. Has anyone developed any methodologies for such tests? Are there any tools available that assist in testing wireless networks?
>
> For example, one is able to run tcpdump and other goodies on the wireless card just like on regular NICs. However, in order to gain access to the WLAN, one must know not only the WEP encryption key (if WEP is used), but also the ESS (network identifier), preamble length, and channel number. Are there any tools that provide automation of changes for these values (for an automated scan)? Are there any tools for 'low-level' 802.11b data examination (i.e. preamble checking/display, etc)?
>
> Regards,
> Frank
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Personal Privacy 6.5.8
> Comment: PGP or S/MIME encrypted email preferred.
>
> iQA/AwUBOqWNiZytSsEygtEFEQJ2oQCg4/opiTBaIeIx1TeJhnJ8ZtJ8SdAAoK2M
> uEjKyVpUpTsC9ci2eJ++DA+N
> =C3F0
> -----END PGP SIGNATURE-----
--
mark seiden, mis () seiden com, 1-(650) 592 8559 (voice) Pacific Time Zone
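The post notes that 802.11 beacons carry the access point name, its channel and whether WEP is in use, which is exactly what a site survey or rogue-AP inventory reads out of a capture. The following is an added example, not code from the post or from any of the products it mentions: a small parser for the beacon management frame (24-byte MAC header, then the fixed timestamp/interval/capability fields, then tagged information elements) that reports the BSSID, SSID, channel (DS Parameter Set, tag 3) and the Privacy capability bit that signals WEP. The `build_beacon` helper, the MAC addresses and the SSIDs are constructed sample input so the block runs offline; the parser also handles a hidden (zero-length) SSID and a truncated element rather than crashing on them.

```python
import struct

# Capability Information field, bit 4: "Privacy" (WEP required on this BSS).
PRIVACY_BIT = 0x0010
ESS_BIT = 0x0001


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_beacon(bssid: bytes, ssid: bytes, channel: int, privacy: bool) -> bytes:
    """Construct a minimal beacon frame (sample input only; not a real capture)."""
    # Frame Control 0x0080 = management/beacon, duration 0, DA broadcast, SA = BSSID = AP, seq 0
    header = bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    capability = ESS_BIT | (PRIVACY_BIT if privacy else 0)
    fixed = struct.pack("<QHH", 0, 100, capability)  # timestamp, beacon interval (TU), capability
    ies = bytes([0, len(ssid)]) + ssid                # tag 0: SSID
    ies += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])      # tag 1: supported rates 1/2/5.5/11 Mbit
    ies += bytes([3, 1, channel])                     # tag 3: DS Parameter Set (channel)
    return header + fixed + ies


def parse_beacon(frame: bytes) -> dict:
    """Extract BSSID, SSID, channel and the WEP (Privacy) flag from one beacon frame."""
    if len(frame) < 36:  # 24-byte header + 12 bytes of fixed fields
        raise ValueError("frame too short for a beacon")
    frame_control = frame[0]
    ftype, subtype = (frame_control >> 2) & 0x3, (frame_control >> 4) & 0xF
    if ftype != 0 or subtype != 8:
        raise ValueError("not a beacon frame (type/subtype %d/%d)" % (ftype, subtype))
    body = frame[24:]
    _timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    info = {
        "bssid": mac_str(frame[16:22]),
        "interval": interval,
        "wep": bool(capability & PRIVACY_BIT),
        "ssid": None,
        "hidden_ssid": False,
        "channel": None,
        "truncated": False,
    }
    pos = 12
    while pos + 2 <= len(body):               # walk the tagged parameters
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:               # element claims more bytes than the frame has
            info["truncated"] = True
            break
        if tag == 0:
            if length == 0 or not value.strip(b"\x00"):
                info["hidden_ssid"], info["ssid"] = True, ""   # "cloaked" SSID in the beacon
            else:
                info["ssid"] = value.decode("utf-8", errors="replace")
        elif tag == 3 and length == 1:
            info["channel"] = value[0]
        pos += 2 + length
    return info


def unprotected_aps(frames) -> list:
    """Inventory check: BSSIDs of beacons whose Privacy bit is clear (no WEP at all)."""
    found = []
    for frame in frames:
        try:
            info = parse_beacon(frame)
        except ValueError:
            continue                          # skip data/control frames in a mixed capture
        if not info["wep"]:
            found.append(info["bssid"])
    return found


# Constructed sample capture: one open AP, one WEP AP with a hidden SSID.
SAMPLE_FRAMES = [
    build_beacon(bytes.fromhex("004096112233"), b"corpnet", 6, privacy=False),
    build_beacon(bytes.fromhex("0040960a0b0c"), b"", 11, privacy=True),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_beacon(f))
    print("no privacy bit:", unprotected_aps(SAMPLE_FRAMES))
```

Real captures add an FCS, vendor elements and radiotap or PRISM headers in front of the MAC header; the element walk above is the part that carries over unchanged.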
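The post's claim that WEP gives little value "regardless of key length" comes down to keystream reuse under a static key. The following is an added illustration, not code from the post or from any vendor it names, using a plain RC4 implementation and constructed keys and packets: WEP forms the per-packet RC4 key as a 24-bit IV followed by the shared key and sends the IV in the clear, so two packets with the same IV share a keystream, and XORing their ciphertexts cancels that keystream and exposes the XOR of the plaintexts with no key involved; the same two packets under distinct IVs do not. The `count_iv_reuse` function is the defender-side check: given the IVs seen in a capture, it reports which ones repeated. The toy framing omits the ICV.

```python
from collections import Counter

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + output generation); the stream cipher WEP wraps."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP-style framing: RC4 key = IV || shared key, IV sent in the clear (toy: no ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + xor_bytes(payload, rc4_keystream(iv + shared_key, len(payload)))


def wep_decrypt(shared_key: bytes, packet: bytes) -> bytes:
    iv, body = packet[:3], packet[3:]
    return xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))


def ciphertext_xor(packet_a: bytes, packet_b: bytes) -> bytes:
    """What an observer can compute from two captured packets without the key."""
    return xor_bytes(packet_a[3:], packet_b[3:])


def keystream_cancels(shared_key, iv_a, iv_b, p_a, p_b) -> bool:
    """True when c_a XOR c_b equals p_a XOR p_b, i.e. both packets used one keystream."""
    c_a = wep_encrypt(shared_key, iv_a, p_a)
    c_b = wep_encrypt(shared_key, iv_b, p_b)
    return ciphertext_xor(c_a, c_b) == xor_bytes(p_a, p_b)


def count_iv_reuse(packets) -> dict:
    """Detection side: map each IV that appears more than once to its count."""
    counts = Counter(pkt[:3] for pkt in packets)
    return {iv: n for iv, n in counts.items() if n > 1}


# Constructed sample values: a 40-bit shared key and two application payloads.
SHARED_KEY = bytes.fromhex("0102030405")
PAYLOAD_A = b"GET /index.html HTTP/1.0\r\n"
PAYLOAD_B = b"HELO mail.example.invalid\r\n"

if __name__ == "__main__":
    print("same IV leaks p_a^p_b:", keystream_cancels(SHARED_KEY, b"\x00\x00\x01", b"\x00\x00\x01", PAYLOAD_A, PAYLOAD_B))
    print("fresh IV leaks p_a^p_b:", keystream_cancels(SHARED_KEY, b"\x00\x00\x01", b"\x00\x00\x02", PAYLOAD_A, PAYLOAD_B))
    capture = [wep_encrypt(SHARED_KEY, iv, PAYLOAD_A) for iv in (b"\x00\x00\x01", b"\x00\x00\x02", b"\x00\x00\x01")]
    print("repeated IVs in capture:", count_iv_reuse(capture))
```

Dynamic rekeying (the 802.1x direction the post mentions) attacks the root cause: a fresh key per session means a repeated 24-bit IV no longer implies a repeated keystream, which is why a longer static key alone changes nothing here.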
Current thread:
- [PEN-TEST] Penetrating Wireless Networks Frank Knobbe (Mar 07)
- Re: [PEN-TEST] Penetrating Wireless Networks Mark Seiden (Mar 07)
- Re: [PEN-TEST] Penetrating Wireless Networks Max Gribov (Mar 07)
- Re: [PEN-TEST] Penetrating Wireless Networks Robert Stonehouse (Mar 08)
- Re: [PEN-TEST] Penetrating Wireless Networks Rafael Coninck Teigao (Mar 09)
- Re: [PEN-TEST] Penetrating Wireless Networks van der Kooij, Hugo (Mar 09)
- Re: [PEN-TEST] Penetrating Wireless Networks Rafael Coninck Teigao (Mar 09)
- Re: [PEN-TEST] Penetrating Wireless Networks Weiss, Bill (Mar 09)
- Re: [PEN-TEST] Penetrating Wireless Networks Rafael Coninck Teigao (Mar 09)
- Re: [PEN-TEST] Penetrating Wireless Networks Anton Rager (Mar 09)
- Re: [PEN-TEST] Penetrating Wireless Networks mirza sahib (Mar 11)
- Re: [PEN-TEST] Penetrating Wireless Networks Phil Cox (Mar 12)