Penetration Testing mailing list archives

Re: [PEN-TEST] Penetrating Wireless Networks


From: Marnix Petrarca <Marnix () DAEMONLABS COM>
Date: Thu, 8 Mar 2001 22:18:36 -0100

Frank,

Assuming we know nothing about the target except that a radio-wave LAN is
used: go outside-in, based on an initial reference from the inside
out. Cell metrics vary with construction circumstances, i.e. a concrete
room that is thick enough will actually create a tunnel of radio signals, so
you might just want to mention what the spec says. It radiates
differently, and even weather can affect these things. That will
in any case malform your mapping of cells, so you may just want to establish
the effective signal receivable in metres of distance, maybe with a
degradation ratio. With a frequency searcher you can grab the used
frequencies in a snap, to see how channels are chosen or switched.
Since you are penetrating, the hard way would be to hook up a hardware
protocol analyser to a scanner with a signal-strength indicator, and
first decipher the protocols used. This is phase one.
Next you could (based on constructional limitations) predict where the
laptop with receiver would have to be to be effective (maybe a
lunchroom across the street), etc.
There is something like foil that can be applied to walls (I will start
using it in the coming months), since there is the Van Eck effect (I
believe that's the physics name), with which you can pick up radio waves
emitted from monitors and electron-tube-based apparatus, so even
window panes become important.

This can bypass the entire theme and do the work for me in parsecs...
And civil GPS is still too inaccurate for these metrics, by the way; I thought
it was 3.5 m accurate as opposed to 35 cm military?

Think about Van Eck - you might want to include this in your approach.
Let me dig for some beautiful brochures of some industrial hardware
protocol analysers I have had and plan to acquire. I picked them up at
a specific security event a year ago.

And the laptop part is of course phase two. You're already having
lunch ;-)

Bye now -- Marnix

DaemonLabs.com -- The Netherlands.
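The "effective signal receivable in metres of distance, maybe with a degradation ratio" that Marnix describes above is, in practice, a link budget: transmit power plus antenna gains, minus path loss, compared with the receiver's sensitivity. The following is an added example, not code from either poster, that carries that estimate through with the standard free-space and log-distance path-loss formulas. All numeric inputs (15 dBm transmit power, 2 dBi antennas, -85 dBm receiver sensitivity, 2437 MHz for channel 6, an office path-loss exponent of 3.0, 6 dB per wall) are assumptions chosen for illustration, not measurements from the thread.

```python
import math

# Free-space path loss in dB for distance in metres and frequency in MHz.
# This is the textbook form 20*log10(d_km) + 20*log10(f_MHz) + 32.44.
def fspl_db(distance_m: float, freq_mhz: float) -> float:
    return 20 * math.log10(distance_m / 1000.0) + 20 * math.log10(freq_mhz) + 32.44


# Log-distance model: free-space loss at a reference distance d0, plus
# 10*n*log10(d/d0) where n is the environment's path-loss exponent
# (2.0 = free space; higher for offices and plant floors), plus a fixed
# "degradation" term for walls or panes the signal must cross.
def path_loss_db(distance_m: float, freq_mhz: float, exponent: float = 2.0,
                 d0_m: float = 1.0, extra_loss_db: float = 0.0) -> float:
    return (fspl_db(d0_m, freq_mhz)
            + 10 * exponent * math.log10(distance_m / d0_m)
            + extra_loss_db)


# Received power in dBm at a given distance (all gains in dBi).
def received_power_dbm(tx_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                       distance_m: float, freq_mhz: float, **model) -> float:
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - path_loss_db(distance_m, freq_mhz, **model)


# Invert the model: the largest distance at which received power still
# meets the receiver sensitivity. Returns 0.0 if the link never closes.
def max_range_m(tx_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                rx_sensitivity_dbm: float, freq_mhz: float, exponent: float = 2.0,
                d0_m: float = 1.0, extra_loss_db: float = 0.0) -> float:
    budget_db = (tx_dbm + tx_gain_dbi + rx_gain_dbi - rx_sensitivity_dbm
                 - extra_loss_db - fspl_db(d0_m, freq_mhz))
    if budget_db < 0:
        return 0.0
    return d0_m * 10 ** (budget_db / (10 * exponent))


# Signal profile: received power at each distance, the "degradation ratio"
# a tester would plot against a walk-out from the access point.
def profile(distances_m, tx_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
            freq_mhz: float, **model):
    return [(d, round(received_power_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, d, freq_mhz, **model), 1))
            for d in distances_m]


if __name__ == "__main__":
    # Assumed parameters (illustrative, not from the thread).
    TX, GT, GR, SENS, F = 15.0, 2.0, 2.0, -85.0, 2437.0
    free_space = max_range_m(TX, GT, GR, SENS, F)
    office = max_range_m(TX, GT, GR, SENS, F, exponent=3.0, extra_loss_db=12.0)
    print(f"free space (n=2.0, no walls): {free_space:8.1f} m")
    print(f"office (n=3.0, two 6 dB walls): {office:8.1f} m")
    for d, p in profile([1, 5, 10, 25, 50, 100], TX, GT, GR, F, exponent=3.0, extra_loss_db=12.0):
        print(f"{d:4d} m  {p:7.1f} dBm")
```

The free-space figure is the upper bound a tester should quote for the "lunchroom across the street" scenario; the office figure, with an exponent and wall loss that have to be calibrated against a few real readings inside the building, is what goes on the cell map. A high-gain antenna on the attacker's side simply adds to `rx_gain_dbi` and pushes the range out again.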

Frank Knobbe wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There was some interesting information on 802.11 and 802.11b [...]

and

i have found a paper on wep weaknesses [...]

is really not what I'm interested in. I'm aware that WEP has
shortcomings and can be brute-forced due to the limited key size. I don't
want to test the security of the standard. I was hoping to receive
some responses on how you include wireless networks in your
penetration tests, and what methods you use. Driving through the
neighborhood with a scanner and a GPS receiver is one thing, but this
appears more like something you would do as a hobby :)

Thank you for the reference to AiroPeek. This seems like a great
product. From what I understand it will basically set the card in
promiscuous mode (which apparently a lot of wireless cards don't
support), and display raw data, revealing the channels used and ESS
IDs. With that information you can then reconfigure the NIC for
those settings and use your favorite security tools to try to gain
entry to the network.

But how do you package it? Is it part of the remote test section, or
do you include it in your physical test section? Do you start inside
the company and work your way out to determine the size of the cells,
and where a third party might intercept data? Or do you start from
the outside and work your way in? If at all, how do you include it in
your standard pen test? How does an office environment differ from a
manufacturing plant or a campus? What are the goals (besides
'penetrating' the network) and what are the reports and/or
expectations? Do you deliver a map of the cell ranges and discuss
the risks?

Regards,
Frank

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME encrypted email preferred.

iQA/AwUBOqfi+pytSsEygtEFEQJGuACcDWpYyAdYesWOiglEfm+H7hHAjYwAn3LI
FXPAbTNk+1wqKDsffOVDTULp
=6kbA
-----END PGP SIGNATURE-----
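Frank's description of what a monitor-mode sniffer such as AiroPeek gives you (raw frames from which the channels and ESS IDs fall out) comes down to parsing the beacon frames every access point broadcasts. The block below is an added example, written for this page and not taken from either poster or from AiroPeek, that decodes a raw IEEE 802.11 beacon (management frame header, fixed fields, then tagged information elements) and pulls out the BSSID, SSID, channel, supported rates and the Privacy bit that marks WEP in use. The frames it runs on are constructed in the block itself; the MAC addresses and the SSID "corp-wlan" are made up for the example, and a real capture would usually carry a radiotap or PRISM header in front of the frame that has to be stripped first.

```python
import struct

# Information element (tag) IDs from IEEE 802.11 management frames.
IE_SSID = 0
IE_SUPPORTED_RATES = 1
IE_DS_PARAMS = 3  # carries the channel number

MGMT_HDR_LEN = 24      # frame control, duration, addr1..3, sequence control
BEACON_FIXED_LEN = 12  # timestamp (8) + beacon interval (2) + capability (2)
CAP_PRIVACY = 0x0010   # capability bit 4: Privacy (WEP required)


def parse_beacon(frame: bytes) -> dict:
    """Decode a bare 802.11 beacon frame (no radiotap/PRISM header) into a dict."""
    if len(frame) < MGMT_HDR_LEN + BEACON_FIXED_LEN:
        raise ValueError("frame too short for a beacon")
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 8:          # type 0 = management, subtype 8 = beacon
        raise ValueError("not a beacon frame")
    bssid = frame[16:22]                    # addr3 is the BSSID in a beacon
    _timestamp, interval, capability = struct.unpack_from("<QHH", frame, MGMT_HDR_LEN)
    info = {
        "bssid": ":".join(f"{b:02x}" for b in bssid),
        "beacon_interval_tu": interval,
        "privacy": bool(capability & CAP_PRIVACY),
        "ssid": None,
        "channel": None,
        "rates_mbps": [],
    }
    off = MGMT_HDR_LEN + BEACON_FIXED_LEN
    while off + 2 <= len(frame):            # walk the tag/length/value list
        ie_id, ie_len = frame[off], frame[off + 1]
        body = frame[off + 2:off + 2 + ie_len]
        if len(body) < ie_len:
            break                           # truncated element: stop, keep what we have
        if ie_id == IE_SSID:
            info["ssid"] = body.decode("utf-8", "replace")  # empty string = hidden SSID
        elif ie_id == IE_DS_PARAMS and ie_len == 1:
            info["channel"] = body[0]
        elif ie_id == IE_SUPPORTED_RATES:
            info["rates_mbps"] = [(r & 0x7F) / 2 for r in body]  # high bit = basic rate
        off += 2 + ie_len
    return info


def build_beacon(ssid: bytes, channel: int, bssid: bytes, privacy: bool) -> bytes:
    """Assemble a minimal beacon frame. Constructed test data, not a real capture."""
    hdr = (bytes([0x80, 0x00])      # frame control: management / beacon
           + b"\x00\x00"            # duration
           + b"\xff" * 6            # addr1: broadcast
           + bssid + bssid          # addr2 (SA) and addr3 (BSSID)
           + b"\x00\x00")           # sequence control
    capability = 0x0001 | (CAP_PRIVACY if privacy else 0)   # ESS bit, plus Privacy
    fixed = struct.pack("<QHH", 0, 100, capability)
    ies = bytes([IE_SSID, len(ssid)]) + ssid
    ies += bytes([IE_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mbps
    ies += bytes([IE_DS_PARAMS, 1, channel])
    return hdr + fixed + ies


def survey(frames) -> dict:
    """Group beacons by BSSID, as a scanner would, skipping frames that are not beacons."""
    seen = {}
    for frame in frames:
        try:
            beacon = parse_beacon(frame)
        except ValueError:
            continue
        seen[beacon["bssid"]] = beacon
    return seen


# Constructed sample "capture": one WEP-protected AP with a visible SSID, one
# open AP with a hidden SSID, and a data frame that a beacon survey must ignore.
SAMPLE_FRAMES = [
    build_beacon(b"corp-wlan", 6, bytes.fromhex("00409601020a"), privacy=True),
    build_beacon(b"", 11, bytes.fromhex("00409601020b"), privacy=False),
    bytes([0x08, 0x00]) + b"\x00" * 30,
]

if __name__ == "__main__":
    for bssid, ap in survey(SAMPLE_FRAMES).items():
        print(f"{bssid}  ch {ap['channel']:>2}  WEP={ap['privacy']!s:5}  "
              f"ssid={ap['ssid']!r}  rates={ap['rates_mbps']}")
```

The survey output is the raw material for the NIC reconfiguration step Frank describes: channel and SSID per BSSID, plus whether WEP is on. A hidden SSID shows up as an empty string here; it still has to be learned from probe responses or association frames, which this parser does not cover.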

