Penetration Testing mailing list archives
Re: Wireless pentesting requirements
From: Mister Coffee <live4java () stormcenter net>
Date: Fri, 11 Jun 2004 08:37:54 -0700
On Thu, Jun 10, 2004 at 11:24:03PM +0100, Andrew A. Vladimirov wrote:
> Mister Coffee wrote:
>> On Thu, Jun 10, 2004 at 10:14:09PM +0100, Andrew A. Vladimirov wrote:
>>> Mister Coffee wrote:
>>>> <<snip>>
>> Good call that. I considered initial location part of the pen-test, but that's just me. Of course, having several antennas and cards in your kit can't hurt. Say, an intermediate gain/beamwidth antenna for finding the APs, then a high gain narrow beamwidth antenna for the actual penetration.
> True enough, we also move from low to high gain in the process. And, for example, using a high gain omni at the initial stage can lead to missing APs on the top floors of a reasonably tall building, etc.
Yeah. We may want to take some of this offline, but I'm curious whether you've found anything that can reliably triangulate an AP's position as you're moving. E.g.: I get relative directions from several GPS-determined points around a site, then triangulate the location of the AP on my grid. It can be done manually, of course, but accuracy depends on the reliability of your positions and the beamwidth of your LOPs.
>>> <<snip>>
>>> Most of the wireless stuff we do involves mangling custom 802.11 frames, injecting traffic into the network without knowing WEP, accelerating WEP cracking, phishing and guessing users' credentials, etc. - Wi-Foo (www.wi-foo.com) describes it all pretty much. For all of this, open specs for both firmware and drivers are vital.
>> Good reference site, definitely.
> We hope that a forum there will become a good site for intelligent wireless pentesting discussion. Btw, been to your site too, thanks for PsiFur, already installed it even though these days I have no time for IRC :(
I'll have to delve into the site more. I've got a fairly deep interest in the radio aspects of the technology. And glad you like the PsiFur. Just a mite bit annoyed that they dropped perl as the scripting language. Haven't had a chance to port it to C.
>> I should see about compiling a list of good antenna sites for those who are interested. There's some sweet commercial gear, but it's expensive. You can build some very nice home-brew antennas, of course; there's a lot of good information on antenna design (there are a number of places to get the calcs for building a Yagi, for example), but not much -inexpensive- test gear in that range, or information on coupling, that I've seen.
> That would be a good idea and should probably include a list of equipment to test gain, VSWR etc. for DIY antennas. I've seen so many people bragging about their cantennas and always asked them how they estimated the actual gain and beamwidth...
I'm still looking for decent kit for working in the 2.4GHz band that doesn't cost more than my car. Working at the lower frequencies, you can get a lot of gear at reasonable (<$300) prices. Unfortunately, once you get over about 440MHz, the test equipment becomes expensive quickly. It's certainly possible to get relative numbers by using the signal strength "meters" that come with most of the cards. But the accuracy is suspect. Details are probably better taken off-list. Doubt most of the pen-test crew are -that- interested in finding ways to quantify home-brew antenna performance.
>>>> You'd be amazed at the range you can drag out of a 2M dish...
>>> You forgot a 2W bi-amplifier and 500mW Demarctech AP :) The only possible side effect is KFS (Kentucky Fried Sysadmin)...
>> Well, if I leave out the 2 watt amp, I'm less likely to have Uncle Charlie knocking on my door. At least in the US. Of course, being licensed in that band helps ;) . . .
> Who cares, you are missing so much fun... with such EIRP you can blast Uncle Charlie away! :) Have a look at what some nutty people do:
I don't know about that. High gain and -any- amp will probably put you over their threshold for annoyance. The Amp alone puts you over the power limits for a Part 15 device. :) (Re-reading 15.109 and 15.209, they test for signal strength of n microvolts/meter at x range. Here, above 960MHz, it's 500mV/M at 3M. It jumps to 2500mV/M in the 10GHz+ range, per 15.249. - I may be missing something though regarding the use of high gain antennas. I was under the impression that the FCC was concerned with actual signal level for type certification, rather than ERP.)
> http://www.svbxlabs.com/pages/projects/index.php?cat=ER
> Oh, I see a lab explosion in the near future...
> 802.11i won't help...
> Cheers, Andrew
Cheers, L4J
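The "triangulate from several GPS-determined points" idea raised above, worked through as an added example (this is not code from the list post or from Wi-Foo). It assumes a flat-earth projection around the first fix (fine for a site survey, not for kilometres), bearings measured clockwise from true north, and a directional antenna whose half-beamwidth sets the expected cross-track error. The survey data, the coordinates and the beamwidth are constructed for illustration; the second pass weights each line of position by range times half-beamwidth, which is where the "beamwidth of your LOPs" caveat enters the arithmetic, and the result flags any fix whose bearing actually points away from the solution (back-lobe pickup, a reflection or a misread).

```python
import math

EARTH_RADIUS_M = 6_371_000.0
M_PER_DEG = 2.0 * math.pi * EARTH_RADIUS_M / 360.0   # metres per degree of latitude


def latlon_to_local(lat, lon, lat0, lon0):
    """Flat-earth projection: metres east (x) and north (y) of (lat0, lon0).
    Adequate for a site survey of a few km; not a geodesic calculation."""
    x = (lon - lon0) * M_PER_DEG * math.cos(math.radians(lat0))
    y = (lat - lat0) * M_PER_DEG
    return x, y


def local_to_latlon(x, y, lat0, lon0):
    """Inverse of latlon_to_local."""
    return (lat0 + y / M_PER_DEG,
            lon0 + x / (M_PER_DEG * math.cos(math.radians(lat0))))


def _solve_weighted_lop(lops):
    """Weighted least-squares intersection of lines of position.
    lops: iterable of (ox, oy, nx, ny, w): line origin, unit normal, weight.
    Minimises sum(w * (n . (p - o))^2) over p via the 2x2 normal equations."""
    m11 = m12 = m22 = v1 = v2 = 0.0
    for ox, oy, nx, ny, w in lops:
        c = nx * ox + ny * oy            # n . o
        m11 += w * nx * nx
        m12 += w * nx * ny
        m22 += w * ny * ny
        v1 += w * nx * c
        v2 += w * ny * c
    det = m11 * m22 - m12 * m12
    if det <= 1e-9 * (m11 * m22):        # all bearings (nearly) parallel
        raise ValueError("bearings are (nearly) parallel; no usable intersection")
    return ((m22 * v1 - m12 * v2) / det,
            (m11 * v2 - m12 * v1) / det)


def triangulate(fixes, beamwidth_deg=30.0):
    """fixes: list of (lat, lon, bearing_deg), bearing clockwise from true north.
    Returns the estimated AP position (lat/lon and local metres), the RMS
    cross-track residual in metres, and the indices of fixes whose bearing
    points away from the solution (suspect readings)."""
    if len(fixes) < 2:
        raise ValueError("need at least two bearings")
    lat0, lon0 = fixes[0][0], fixes[0][1]
    half_beam = math.tan(math.radians(beamwidth_deg / 2.0))
    geom = []
    for lat, lon, brg in fixes:
        ox, oy = latlon_to_local(lat, lon, lat0, lon0)
        t = math.radians(brg)
        geom.append((ox, oy, math.sin(t), math.cos(t)))   # origin, unit direction (E, N)

    # Pass 1: unweighted solve, only to get a rough range from each fix.
    px, py = _solve_weighted_lop((ox, oy, dy, -dx, 1.0) for ox, oy, dx, dy in geom)
    # Pass 2: weight each LOP by 1/sigma^2, sigma = range * tan(half-beamwidth),
    # i.e. the cross-track error a bearing of that beamwidth implies at that range.
    lops = []
    for ox, oy, dx, dy in geom:
        r = max(math.hypot(px - ox, py - oy), 1.0)
        sigma = r * half_beam
        lops.append((ox, oy, dy, -dx, 1.0 / (sigma * sigma)))
    px, py = _solve_weighted_lop(lops)

    resid_sq, behind = 0.0, []
    for i, (ox, oy, dx, dy) in enumerate(geom):
        vx, vy = px - ox, py - oy
        resid_sq += (dy * vx - dx * vy) ** 2      # perpendicular distance squared
        if dx * vx + dy * vy <= 0.0:              # solution lies behind this fix
            behind.append(i)
    lat, lon = local_to_latlon(px, py, lat0, lon0)
    return {"lat": lat, "lon": lon, "x_m": px, "y_m": py,
            "rms_m": math.sqrt(resid_sq / len(geom)), "behind": behind}


# Constructed sample survey (hypothetical site, not real data): four GPS fixes
# at the corners of a 400 m square; the true AP sits 150 m east, 200 m north
# of the first fix. Bearings come from the geometry plus a per-fix error that
# stands in for beamwidth and reading noise.
LAT0, LON0 = 37.0, -122.0
TRUE_AP_XY = (150.0, 200.0)


def sample_fixes(bearing_error_deg=(0.3, -0.4, 0.4, -0.3)):
    corners = [(0.0, 0.0), (400.0, 0.0), (0.0, 400.0), (400.0, 400.0)]
    fixes = []
    for (cx, cy), err in zip(corners, bearing_error_deg):
        brg = math.degrees(math.atan2(TRUE_AP_XY[0] - cx, TRUE_AP_XY[1] - cy)) % 360.0
        lat, lon = local_to_latlon(cx, cy, LAT0, LON0)
        fixes.append((lat, lon, brg + err))
    return fixes


def error_m(result):
    """Distance in metres between the estimate and the constructed true AP."""
    return math.hypot(result["x_m"] - TRUE_AP_XY[0], result["y_m"] - TRUE_AP_XY[1])


if __name__ == "__main__":
    res = triangulate(sample_fixes())
    print(f"AP at {res['lat']:.6f}, {res['lon']:.6f}  rms {res['rms_m']:.1f} m  "
          f"error {error_m(res):.1f} m  suspect fixes {res['behind']}")
```

A bearing LOP is a ray, not a line, so a fix whose bearing is 180 degrees off (picked up on the back lobe) still fits the least-squares solution perfectly; that is why the direction check is reported separately rather than folded into the residual. Three or more fixes spread around the target, rather than taken from one side, keep the intersection geometry well conditioned.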
Current thread:
- Wireless pentesting requirements mak_pen (Jun 07)
- Re: Wireless pentesting requirements Mister Coffee (Jun 09)
- Re: Wireless pentesting requirements Andrew A. Vladimirov (Jun 10)
- Re: Wireless pentesting requirements Andrew A. Vladimirov (Jun 10)
- Re: Wireless pentesting requirements Mister Coffee (Jun 10)
- antenna - Re: Wireless pentesting requirements Alvin Oga (Jun 11)
- Re: antenna - Re: Wireless pentesting requirements Mister Coffee (Jun 11)
- Re: Wireless pentesting requirements Mister Coffee (Jun 11)
- Re: Wireless pentesting requirements Andrew A. Vladimirov (Jun 10)
- Re: Wireless pentesting requirements Mister Coffee (Jun 09)
- Wireless pentesting requirements pen-test (Jun 09)
- Re: Wireless pentesting requirements Andrew A. Vladimirov (Jun 09)
- Re: Wireless pentesting requirements Andre Ludwig (Jun 14)
- Re: Wireless pentesting requirements D'Amato Luigi (Jun 15)
- Re: Wireless pentesting requirements Andrew A. Vladimirov (Jun 09)