Penetration Testing mailing list archives
RE: Wireless network assessment
From: "Martin Walker" <martin.walker () ctg com>
Date: Wed, 29 Oct 2003 11:16:41 -0500
I think you will first need to determine what your metrics are and then how to measure them. I generally use the following metrics. NOTE: These are notes about a security assessment process, NOT a pen test, which is what you appear to be asking about. As I am sure you are aware, the two are very different processes.

0) (achieved through interview process with client) Is the architecture secured appropriately? Measurements include: what is the purpose of the wlan (public hot spot, pt-to-pt between buildings, client access to sensitive data for pda etc)? How do devices and clients authenticate to the network? How does the network authenticate to the device? How is traffic flow controlled to/from the wired network? What are the management processes for wireless devices? How is traffic from different client types associated with the same access point separated and controlled (imagine a laptop/pda mobile only w/in a specific area, a robot that travels the campus and a voip wireless device all associating with the same ap)? How are non-authorized, non-recognized devices handled during association attempts?

1) How easy is the network to discover? Measurements include: is it cloaked, does the ssid divulge information about the owner, is there enough signal strength in public access areas (or in the case of shared building environments, non-client controlled areas) for reception of traffic?

2) How easily can the captured traffic be viewed/used? Wep, eap/tls (or some permutation), client vpn, or some combination.

3) How easy would it be to attack/penetrate the network? If vpn, what non-vpn encrypted traffic can be captured (usually there is a lot, way more than is safe)? Can the clients be attacked and a piggyback attack made? If wep, are weak packets captured? At what rate? Estimate time to crack based on traffic flow.

4) How easily can the network be connected to, and how easy is it to do it anonymously? Can I associate with access points? Is there sufficient signal coverage to do so from an anonymous public area (ie if I have to enter the client premises, sign in with the receptionist, sit in the waiting room next to the guard station, the network is much safer than if I can connect while sitting in my car in a busy public access parking lot)?

5) Once connected, what level of access do I have? Can I connect to management interfaces on the access points? Is the network dhcp? Can I connect to other wireless devices? Can I connect to arbitrary ports on internal machines? Can I connect to the internet?

-----Original Message-----
From: Andres Martinez [mailto:artiman () cable net co]
Sent: Monday, October 27, 2003 5:49 PM
To: pen-test () securityfocus com
Subject: Wireless network assessment

I'm ready to perform my first wireless security assessment. I have some experience performing wired security assessments; more than the tools that are available to perform the scan, I'm concerned about the testing methodology and procedures, since I believe that the nature of the wireless world is totally different. Can somebody point me in the right direction? Thanks, Andres
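Metric 1 above (is the ssid cloaked, does it divulge the owner) and the privacy flag that feeds metric 2 can be read mechanically from captured beacon frames. The following is an added example written for this archive page, not code from the original post; the beacon bodies are constructed by hand and the owner-name terms are an assumed engagement input.

```python
import struct

SSID_IE = 0           # information element id for the SSID
PRIVACY_BIT = 0x0010  # capability bit set when the BSS requires WEP/encryption

def parse_beacon_body(body: bytes) -> dict:
    """Parse the fixed fields (timestamp, interval, capability) and the IE TLVs
    of an 802.11 beacon frame body (the part after the MAC header)."""
    if len(body) < 12:
        raise ValueError("beacon body too short")
    _timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    ies = {}
    pos = 12
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        ies.setdefault(eid, value)  # keep the first occurrence of each id
        pos += 2 + length
    return {"interval": interval, "privacy": bool(capability & PRIVACY_BIT), "ies": ies}

def assess_ssid(body: bytes, owner_terms) -> dict:
    """Metric 1 checks: is the SSID cloaked, and does it name the owner?
    owner_terms is a constructed list of names the client would not want broadcast."""
    parsed = parse_beacon_body(body)
    raw = parsed["ies"].get(SSID_IE, b"")
    # Cloaked APs send an empty SSID element or one padded with NULs.
    cloaked = len(raw) == 0 or all(b == 0 for b in raw)
    ssid = "" if cloaked else raw.decode("utf-8", errors="replace")
    divulges = [t for t in owner_terms if t.lower() in ssid.lower()]
    return {"ssid": ssid, "cloaked": cloaked, "privacy": parsed["privacy"], "divulges": divulges}

def build_beacon(ssid: bytes, privacy: bool) -> bytes:
    """Construct a minimal beacon body for testing (ESS capability, SSID IE, one rate IE)."""
    capability = 0x0001 | (PRIVACY_BIT if privacy else 0)
    fixed = struct.pack("<QHH", 0, 100, capability)
    return fixed + bytes([SSID_IE, len(ssid)]) + ssid + bytes([1, 1, 0x82])

# Constructed sample beacons: a chatty one, a cloaked one, and a NUL-padded cloaked one.
SAMPLE_BEACONS = [
    build_beacon(b"ACME-Finance-WLAN", privacy=True),
    build_beacon(b"", privacy=False),
    build_beacon(b"\x00" * 6, privacy=True),
]
OWNER_TERMS = ["acme", "finance"]  # assumed engagement input
if __name__ == "__main__":
    for body in SAMPLE_BEACONS:
        print(assess_ssid(body, OWNER_TERMS))
```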