Re: Wireless Pent-Test

[Gregory Spath <gkspath () armstrong com>]

The real issue is in embedded devices.  Laptops and such we can force
to use IPSec.  We do not have that luxury with embedded devices.

The manufacturers seem to be blissfully ignorant of employing anything
with reasonable security. I'm thinking specifically of barcode scanners
for factory environments. They use a simple telnet connection, and now use
802.11 as the network medium.

Yes, there are WinCE based solutions which can employ IPSec, but they are
more fragile, and of course, more prone to software problems. 
Unacceptable in a warehousing environment.

So you do the best you can with WEP and firewalls, but it is the vendors
of these embedded devices that need to start employing better security. 
At least wireless credit card reader manufacturers now are starting to use
SSL(a year ago, they were transmitting in the clear!)

Why not use SSH instead of telnet, for example?  With easily updated
firmware for when vulnerabilities are discovered.  Seems like an obvious
solution that the industry just doesn't get.

On Mon, 6 Oct 2003 14:35:00 -0400 (EDT)
"R. DuFresne" <dufresne () sysinfo com> wrote:

> there was a FD posting last week that indicated that cisco's LEAP was
> also insecure and borked.
>
> The thing is, a wireless lan should be considered untrustworthy, or at
> least untrusted, all traffic into the wired net has to be tunneled and
> safely wrapped in encryption, and  there has to be a better auth mech to
> allow the tunnel access thn what is provided in simple AP/laptop setups.
> Network Mag had some interesting articles lately, one in July
> mentioneing some newer AP gateway systems coming into play, but, they
> are not cheap, and not for small to medium biz folks.
>
> Our impression, and mirroed by lawerence livermore, wireless is not 
> ready for  prime time play.
>
> Thanks,
>
> Ron DuFresne
>
> On Mon, 6 Oct 2003, Matthew Leeds wrote:
>
> > OK, I keep hearing about how simple it is to crack WEP using a variety
> > of tools. I also keep hearing that some WLAN hardware manfacturers
> > have modified their firmware to eliminate the generation of 'weak' WEP
> > keys. Has anyone investigated this sufficiently to authortatively
> > discuss whether the 'removal' of weak keys reduces/eliminates the risk
> > of WEP? Whether it renders the current generation of tools for
> > cracking WEP ineffective?
> >
> > Some references:
> > http://www.agere.com/NEWS/PRESS2001/111201b.html
> > http://www.ydi.com/deployinfo/wp-wep-plus.php
> >
> > ---Matthew
> > *********** REPLY SEPARATOR  ***********
> >
> > On 10/6/2003 at 5:09 PM Daniel Nylander wrote:
> >
> > > Getting the WEP-key from a WLAN is "pretty" simple.
> > > Download airsnort, wepcrack, kismet and other usefull tools.. then
> > > capture enough packets to wepcrack and .. voila!
> > >
> > > Daniel
> > >
> > > ----- Original Message ----- 
> > > From: "Cesar Diaz" <cesadiz () yahoo com>
> > > To: <pen-test () securityfocus com>
> > > Sent: Sunday, October 05, 2003 3:16 AM
> > > Subject: Wireless Pent-Test
> > >
> > >
> > > > Remote users in my company have been begging for permission to use
> > > wireless NICs in their laptops for awhile now.  When they are not on
> > > the road, most of them work from home and would like to be able to
> > > use their laptops anywhere in their house.
> > > > Due to our industry and business requierements, we have to document
> > > every process and method used to access our data and prove that we've
> > > tested the security of our data.In order to let the users go wireless
> > > I have to show that I've tested the security on a wireless network.
> > > >   Our idea is to let the users buy wireless routers to connect to
> > > their cable/dsl routers and then wireless PCMCIA or USB cards on the
> > > laptop.  We would implement 128 bit WEP security to prevent
> > > unauthorized access.  I realize that WEP does not provide for
> > > stringent security, but we feel that by forcing users to change their
> > > WEP key regularly we can meet our requierements.
> > > > My question is, how do I test WEP and document wether or not it's
> > > secure? Any way to sniff for WEP keys, or to brute force attack a WEP
> > > session?  If there is, how hard is it to set up?  How much of a risk
> > > of a wireless connection with WEP enabled to be comprimised other
> > > than a dedicated, brute force attack?
> > > > Any information is greatly appreciated.
> > > >
> > > >
> > > > Cesar
> > > --------------------------------------------------------------------
> > > -------
> > > > Tired of constantly searching the web for the latest exploits?
> > > > Tired of using 300 different tools to do one job?
> > > > Get CORE IMPACT and get some rest.
> > > > www.coresecurity.com/promos/sf_ept2
> > > --------------------------------------------------------------------
> > > --------
> > > >
> > >
> > >
> > >
> > > --------------------------------------------------------------------
> > > ------- Tired of constantly searching the web for the latest
> > > exploits? Tired of using 300 different tools to do one job?
> > > Get CORE IMPACT and get some rest.
> > > www.coresecurity.com/promos/sf_ept2
> > > --------------------------------------------------------------------
> > > --------
> >
> >
> >
> >
> > ---------------------------------------------------------------------
> > ------ Tired of constantly searching the web for the latest exploits?
> > Tired of using 300 different tools to do one job?
> > Get CORE IMPACT and get some rest.
> > www.coresecurity.com/promos/sf_ept2
> > ---------------------------------------------------------------------
> > -------
>
> -- 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>         admin & senior security consultant:  sysinfo.com
>                         http://sysinfo.com
>
> "Cutting the space budget really restores my faith in humanity.  It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation."
>                 -- Johnny Hart
>
> testing, only testing, and damn good at it too!
>
>
> -----------------------------------------------------------------------
> ---- Tired of constantly searching the web for the latest exploits?
> Tired of using 300 different tools to do one job?
> Get CORE IMPACT and get some rest.
> www.coresecurity.com/promos/sf_ept2
> -----------------------------------------------------------------------
> -----


-- 
Gregory Spath
Network Security Analyst
Armstrong World Industries, Inc.
gkspath () armstrong com
717-396-5938

---------------------------------------------------------------------------
Tired of constantly searching the web for the latest exploits?
Tired of using 300 different tools to do one job?
Get CORE IMPACT and get some rest.
www.coresecurity.com/promos/sf_ept2
----------------------------------------------------------------------------