Penetration Testing mailing list archives

Re: [PEN-TEST] Penetrating Wireless Networks


From: Frank Knobbe <FKnobbe () KNOBBEITS COM>
Date: Thu, 8 Mar 2001 13:52:26 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There was some interesting information on 802.11 and 802.11b [...]

and

i have found a paper on wep weaknesses [...]

is really not what I'm interested in. I'm aware that WEP has
shortcomings and can be brute forced due to limited key size. I don't
want to test the security of the standard. I was hoping to receive
some responses on how you include wireless networks in your
penetration tests, and what methods do you use. Driving through the
neighborhood with a scanner and GPS receiver is one thing, but this
appears more like something you would do as a hobby :)

Thank you for the reference to AiroPeek. This seems like a great
product. From what I understand it will basically set the card in
promiscuous mode (which apparently a lot of wireless cards don't
support), and display raw data, revealing the channels used and ESS
ID's. With that information you can then reconfigure the NIC for
those settings and use your favorite security tools to try to gain
entry to the network.

But how do you package it? Is it part of the remote test section, or
do you include it in your physical test section? Do you start inside
the company and work your way out to determine the size of the cells,
and where a third party might intercept data? Or do you start from
the outside and work your way in? If at all, how do you include it in
your standard pen test? How does an office environment differ from a
manufacturing plant or a campus? What are the goals (besides
'penetrating' the network) and what are the reports and/or
expectations? Do you deliver a map of the cell ranges and discuss
the risks?

Regards,
Frank

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME encrypted email preferred.

iQA/AwUBOqfi+pytSsEygtEFEQJGuACcDWpYyAdYesWOiglEfm+H7hHAjYwAn3LI
FXPAbTNk+1wqKDsffOVDTULp
=6kbA
-----END PGP SIGNATURE-----

