Penetration Testing mailing list archives
RE: Wireless Pent-Test
From: "Artes, Francisco" <francisco () ea com>
Date: Mon, 6 Oct 2003 08:31:36 -0700
Testing WEP is pointless, it has been done ad nauseam and always proven to be trivial. There are countless free tools that allow you to do it. If this is for home use have them turn WEP and MAC Address filtering on. This isn't necessarily going to make them all that secure, as it takes about a gig of sniffed traffic to crack their WEP and anyone can spoof a MAC address to gain access... This does set them apart from their other neighbors and frankly the tasks of cracking the WEP and spoofing the MAC may cause the would-be hacker to just go to the next house. E.g. I am in a neighborhood with a WAP in every other house on my block... I am the only one running WEP/MAC filtering... If it were me sitting in a car I would just connect to the other houses and get what I want and go.

You need to secure access to your protected network. So your VPN is still the key here for your own security, and practices. If you have a challenged authentication VPN that uses strong encryption you should be fine. No one is going to crack that, and if it is the only way they can connect to the office from home via their cable modems then you are golden.

How they access their cable modems is really their issue. You can "require" them to run a home firewall and set regulations on how they set up their WAPs, but frankly how are you going to audit that? "Yes officer, I am sitting here in front of Mr. Smith's house collecting his wireless network packets to make sure it is 128 bit encryption... I really need to stay here for a few more hours." ;) Then what, drive all around your city doing it to every employee's house? You could do something fun and set up the WAP at your office and then issue them to the employees... But this still isn't going to guarantee they don't stop by their favorite electronics store and buy one of their own for less than $100.

Just make sure all communication with your office is encrypted. E.g. either it all goes through the VPN or SSL on webmail, SSH vs. Telnet, SCP vs. FTP, SSL POP and IMAP, etc. when using extranet devices. These things will prevent your employee from having their data sniffed and passwords found on a public network. Remember they may start using the local Hot Spots once you let them have WiFi cards... There are all kinds of people lurking there running sniffers collecting what information they can.

FYI A WAP is not a router... It is a bridge and a HUB. (As it is basically two separate network devices.) You bridge the wired network to the wireless network, and the wireless network is a repeated/broadcast system like a HUB. (Thus allowing you to sniff all the traffic.)

Setting up WiFi at the office should be quite similar to this. You place all the WAPs on a non-trusted (DMZ) network off of your internet router. Then require users of that WiFi network to create VPN connections to access your trusted network. (Just as they would from home, or on the road.) These WAPs you control, and this should be good enough no matter what industry you are in. You can even set WEP and MAC filtering. I would suggest 802.1x or IPSEC if your WAP will allow it. Again ensure that all communications to the secure network are encrypted; they will all sit inside an encrypted tunnel so this is somewhat done for you already. For extra protection set the ACLs on your firewall/router to prevent this non-trusted segment of the DMZ from accessing the Internet or anything really other than your VPN server. Thus you will force all traffic to use the VPN, and if someone does hop onto the network they will probably get bored and stop trying to use it.

As you can see, you are trusting the VPN in both cases. It is the conduit that is going to be used to access your data, not the WiFi network. Just as their cable modem connection (as mega non secure as it is) is not tested because you are depending on the VPN.
-----Original Message-----
From: Cesar Diaz [mailto:cesadiz () yahoo com]
Sent: Saturday, October 04, 2003 20:16
To: pen-test () securityfocus com
Subject: Wireless Pent-Test

Remote users in my company have been begging for permission to use wireless NICs in their laptops for a while now. When they are not on the road, most of them work from home and would like to be able to use their laptops anywhere in their house. Due to our industry and business requirements, we have to document every process and method used to access our data and prove that we've tested the security of our data. In order to let the users go wireless I have to show that I've tested the security on a wireless network.

Our idea is to let the users buy wireless routers to connect to their cable/dsl routers and then wireless PCMCIA or USB cards on the laptop. We would implement 128 bit WEP security to prevent unauthorized access. I realize that WEP does not provide for stringent security, but we feel that by forcing users to change their WEP key regularly we can meet our requirements.

My question is, how do I test WEP and document whether or not it's secure? Any way to sniff for WEP keys, or to brute force attack a WEP session? If there is, how hard is it to set up? How much of a risk of a wireless connection with WEP enabled to be compromised other than a dedicated, brute force attack?

Any information is greatly appreciated.

Cesar

---------------------------------------------------------------------------
Tired of constantly searching the web for the latest exploits? Tired of using 300 different tools to do one job? Get CORE IMPACT and get some rest.
www.coresecurity.com/promos/sf_ept2
---------------------------------------------------------------------------
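The office design in the reply above (WAPs on an untrusted DMZ segment, firewall ACLs that let that segment reach only the VPN server, so every client has to come in through the tunnel) can be checked mechanically before it is deployed. The following Python is an added example written for this archive page; it is not code from the thread or from either author. The addresses (192.0.2.0/24 for the WiFi DMZ, 203.0.113.10 for the VPN server, 10.0.0.0/8 for the trusted LAN), the IPsec ports, and the list of probe flows are constructed assumptions. It models a first-match ACL, builds the VPN-only rule set beside the permissive one a plain routed WAP segment would have, and audits both against flows a WiFi client might attempt (file server, Telnet, Internet, the VPN box's own management port).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical addressing, constructed for this example (not from the thread).
WIFI_DMZ = ipaddress.ip_network("192.0.2.0/24")        # untrusted WAP segment
VPN_SERVER = ipaddress.ip_network("203.0.113.10/32")   # the only allowed destination
TRUSTED_LAN = ipaddress.ip_network("10.0.0.0/8")       # internal network behind the VPN
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str             # "udp", "tcp", "esp" or "any"
    dport: Optional[int]   # None matches every port (and protocols without ports)
    action: str            # "allow" or "deny"


def wifi_dmz_rules() -> List[Rule]:
    """Rule set following the advice in the thread: the WiFi DMZ may talk to
    the VPN server and nothing else. First match wins, default deny."""
    return [
        Rule(WIFI_DMZ, VPN_SERVER, "udp", 500, "allow"),   # IKE
        Rule(WIFI_DMZ, VPN_SERVER, "udp", 4500, "allow"),  # IKE/ESP NAT traversal
        Rule(WIFI_DMZ, VPN_SERVER, "esp", None, "allow"),  # IPsec ESP
        Rule(WIFI_DMZ, ANY, "any", None, "deny"),          # everything else from the DMZ
    ]


def permissive_rules() -> List[Rule]:
    """The weak setting: the WAP segment is simply routed like any other LAN."""
    return [Rule(WIFI_DMZ, ANY, "any", None, "allow")]


def evaluate(rules: List[Rule], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> str:
    """Return the action of the first matching rule; deny if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in r.src and d in r.dst
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action
    return "deny"


# Representative flows a WiFi DMZ client might attempt, with the outcome the
# thread's design requires: (dst, proto, dport, expected, description).
PROBES = [
    ("203.0.113.10", "udp", 500, "allow", "IKE to the VPN server"),
    ("203.0.113.10", "esp", None, "allow", "ESP to the VPN server"),
    ("203.0.113.10", "tcp", 22, "deny", "SSH to the VPN server's management port"),
    ("10.1.2.3", "tcp", 445, "deny", "SMB to a trusted-LAN file server"),
    ("10.1.2.4", "tcp", 23, "deny", "Telnet to a trusted-LAN host"),
    ("198.51.100.7", "tcp", 80, "deny", "HTTP to the Internet"),
]


def audit(rules: List[Rule], client: str = "192.0.2.25") -> List[str]:
    """Check a rule set against PROBES; return one message per violation."""
    problems = []
    for dst, proto, dport, expected, what in PROBES:
        got = evaluate(rules, client, dst, proto, dport)
        if got != expected:
            problems.append(f"{what}: expected {expected}, got {got}")
    return problems


if __name__ == "__main__":
    for name, rules in (("vpn-only", wifi_dmz_rules()),
                        ("permissive", permissive_rules())):
        problems = audit(rules)
        print(f"{name}: {'OK' if not problems else 'VIOLATIONS'}")
        for p in problems:
            print("  -", p)
```

The VPN-only set passes every probe; the permissive set fails the four flows that should be blocked, which is exactly the exposure the reply describes when a WAP is hung off the trusted network instead of the DMZ. The same probe list can be kept alongside the real router ACL as the documented test that the original question asked for.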