Penetration Testing mailing list archives
Re: Wireless Pen-test
From: Maarten Van Horenbeeck <maarten () daemon be>
Date: Sat, 20 Dec 2003 17:58:34 +0000 (GMT)
Hi,

Even though the list has now been closed, and this message will only go through in the beginning of January, I still wanted to respond to this post about wireless penetration testing/security assessments, as this is a new but interesting subject which has not yet seen a lot of coverage on this list.

In my humble opinion, wireless security testing should always commence by charting the coverage area of the wireless network. Most companies introduce many security measures on the enforcement points between wireless and wired networks, which is a good thing, but tend to forget entirely about the much wider coverage area of their wireless network. More important here is that most companies do not realize that in the specific case of wireless networks, distance equals time. Organisations are now starting to realize that it is impossible to maintain a near perfect security posture when growing beyond certain size barriers. In such cases, the response times to a security incident are of primary importance. The problem here, induced by the increased use of wireless networks, is that if an external attacker is located far away from the actual point of compromise, and is less traceable than e.g. through a modem connection, it becomes much more difficult to successfully intervene in such a compromise within the time allotted.

Keeping this in mind, I would make the first step of each wireless security test a simple service area calculation exercise. An interesting project which closely relates to this field can be found at http://www.ittc.ku.edu/wlan. During most of these tests, however, even seasoned security professionals seem to forget that a coverage area is highly linked to the network equipment in use. They will tend to calculate signal strength using regular networking equipment. Alas, there is a large quality and reception difference between different brands of network cards and antennas.

Instead of calculating signal strength, in order to have a good view of the coverage/service area of a wireless network, you need to calculate the field strength, which of course requires different equipment and, most important, a different approach. While obviously less pleasant than driving around the building in your company car with that nice looking antenna on the roof, the field strength is actually measured close to the access point antennas, and then extrapolated onto an area map using mathematical formulas. Using these techniques, it becomes easy for you to assess which areas of the network surroundings would be at risk for unauthorized traffic analysis. Luckily, what you are trying to communicate to your customer here is that he should introduce measures which prevent wireless emissions from leaving his corporate site. Such measures are not directly related to the quality of remote network devices, as they are based on e.g. the installation of outbound directed jammer devices, or the use of equipment in wall design which will prevent penetration by radio waves. An entire procedure on how to conduct such testing is very well described in the OSSTMM document which you mentioned.

Only after the above charting phase has been completed is there a need to further assess the network vulnerabilities themselves. No doubt you will notice that there are few "technical" procedures available. This is very understandable, as the field is still fairly new, and most people will still (correctly) consider security/penetration testing an art. Security testers who do not develop their own methodology and technical "knowledge base" will never be able to deliver the same quality of service as those who do. If you are looking for commercial software which eases up the task of performing a wireless network assessment, you may be interested in ISS's Wireless Scanner, which automates much of the work required for a correct and in-depth assessment.

Personally, I usually tend to go for a combination of tools, which include dstumbler and regular network mapping tools such as nmap/hping.

Let me know if you need any further information.

Best regards,
Maarten

--
Maarten Van Horenbeeck
maarten () daemon be
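The post describes measuring field strength close to the access point and extrapolating it onto an area map to find which surroundings are exposed. The following is an added example, not code from the original post or from Maarten Van Horenbeeck, showing one way such an extrapolation can be done: it assumes the log-distance path-loss model (an assumption; the post does not name a specific formula), a reference measurement at a short distance from the access point, a receiver sensitivity threshold, and a constructed site boundary and grid. It reports which grid cells outside the site are predicted to still receive a usable signal, which is the "at risk for unauthorized traffic analysis" area the post wants charted.

```python
import math

# Log-distance path-loss model (assumed here; not from the original post):
#   RSSI(d) = RSSI(d0) - 10 * n * log10(d / d0)
# n = 2 approximates free space; 3 to 4 is typical for obstructed indoor paths.


def rssi_at(distance_m, rssi_ref_dbm, d0_m=1.0, n=2.0):
    """Predict received signal strength (dBm) at distance_m from the AP,
    given a reference measurement rssi_ref_dbm taken at d0_m metres."""
    # The model is only meaningful at or beyond the reference distance,
    # so closer points are clamped to the reference value.
    if distance_m < d0_m:
        distance_m = d0_m
    return rssi_ref_dbm - 10.0 * n * math.log10(distance_m / d0_m)


def max_range_m(rssi_ref_dbm, sensitivity_dbm, d0_m=1.0, n=2.0):
    """Distance at which the predicted RSSI drops to the receiver sensitivity,
    i.e. the radius of the usable coverage area under this model."""
    return d0_m * 10 ** ((rssi_ref_dbm - sensitivity_dbm) / (10.0 * n))


def _inside(x, y, rect):
    x0, y0, x1, y1 = rect
    return x0 <= x <= x1 and y0 <= y <= y1


def leakage_cells(ap_xy, rssi_ref_dbm, sensitivity_dbm, site_rect, grid_rect,
                  step_m, d0_m=1.0, n=2.0):
    """Return the grid points (integer metres) that lie OUTSIDE the site
    boundary but are predicted to receive at least sensitivity_dbm.

    ap_xy      : (x, y) position of the access point in metres
    site_rect  : (x0, y0, x1, y1) corporate site boundary
    grid_rect  : (x0, y0, x1, y1) area to evaluate (must enclose the site)
    step_m     : grid spacing in metres (integer)
    """
    ax, ay = ap_xy
    gx0, gy0, gx1, gy1 = grid_rect
    leaking = []
    for x in range(gx0, gx1 + 1, step_m):
        for y in range(gy0, gy1 + 1, step_m):
            if _inside(x, y, site_rect):
                continue  # inside the fence: coverage there is expected
            d = math.hypot(x - ax, y - ay)
            if rssi_at(d, rssi_ref_dbm, d0_m, n) >= sensitivity_dbm:
                leaking.append((x, y))
    return sorted(leaking)


if __name__ == "__main__":
    # Constructed scenario: AP in the middle of a 50 m x 50 m site,
    # reference reading -40 dBm at 1 m, receiver sensitivity -90 dBm.
    AP = (25, 25)
    SITE = (0, 0, 50, 50)
    GRID = (-50, -50, 100, 100)
    for n in (2.0, 3.0):
        cells = leakage_cells(AP, -40, -90, SITE, GRID, 10, n=n)
        print(f"n={n}: range {max_range_m(-40, -90, n=n):.1f} m, "
              f"{len(cells)} exposed grid points outside the site")
```

The exponent n is the part that the post's "different equipment, different approach" warning is about: the same reference reading gives a 316 m radius in free space but only about 46 m with n = 3, so the reference measurement and the environment model have to be chosen with care, and a map produced with consumer cards and the wrong exponent will understate the exposed area.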