Penetration Testing mailing list archives
Re: Wireless pen-test Cisco WPAv1 with PEAP and client side cert verification
From: "kevin horvath" <kevin.horvath () gmail com>
Date: Wed, 21 May 2008 16:29:21 -0400
Rich,

Glad to see you are being proactive and trying to test your own environment before someone else does. Well, you are off to a pretty good start using PEAP (most likely PEAP-EAP-MSCHAPv2) if this is just for corporate access into a DMZ. If it is anything more secure, or if you don't employ internal filtering (which is bad), then you will need to employ client certificates (preferably on an external token) in addition to user/pass.

Let's assume that this is just for corporate access; then you first need to make sure all wireless clients access their own DMZ off of a firewall after authentication. Once segregation has been set up you will also need to make sure your clients are secure, in particular any Windows wireless clients. Windows wireless clients should be locked down using an AD GPO (802.11 policy). This is used for ensuring wireless clients aren't probing for anything other than your corporate SSIDs. Otherwise there are methods, such as one I use on pen tests, to get clients to automatically connect to my rogue AP. Then I hack them and take their SAM, client certs, and any other WPA or WEP keys for any other networks that are in their preferred network list. In addition to this there are exploitable client drivers, such as the Broadcom one, that can be used to either DoS or in theory get a command prompt on. So basically just ensure your clients are using any of these drivers and verify whatever wireless cards they are using are fully patched or using up-to-date firmware.

One final note: never use wireless for critical systems. I have seen large institutes put life support or medicine dispensing systems on the wireless network which talk back to a server on the LAN. This is very bad since any wireless network can be completely DoS'd without authenticating, hence why you should be more concerned with control packets vs management packets as you indicated below. Since you really can't do anything against an attack like this, you need to continuously watch your wireless IDS logs.

Kevin

On Tue, May 20, 2008 at 5:33 PM, <infoget () cnrconsulting bz> wrote:
I was wondering if someone could suggest areas for me to research what I might do to see how vulnerable my wireless deployment might be. Basic environment is: Cisco SWAN with WLSM... guest access VLAN and employee VLAN... for the latter we use WPAv1 with EAP/PEAP, etc. We use validation against RADIUS and we force the client to verify the digital certificate. The only areas I think I might be vulnerable would be the management frames and the client driver. But I would like anyone's recommendation on how I can test my solution to make sure it is secure.

Thank you...Rich
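The wireless IDS monitoring Kevin recommends for the unauthenticated-DoS problem, as an added example that is not from either poster: a small sliding-window detector that flags a deauthentication/disassociation flood per BSSID from simplified capture lines. The log line format, the BSSIDs and the rate threshold are all constructed assumptions, not any WIDS product's real format.

```python
"""Sliding-window detector for 802.11 deauth/disassoc floods in WIDS logs.
Added example for this thread, not code from either poster. The input line
format is a constructed simplification, not any real WIDS product's format:
    <epoch_seconds> <mgmt_subtype> <bssid> <destination_mac>
"""
from collections import defaultdict, deque

FLOOD_SUBTYPES = {"deauth", "disassoc"}  # management frames, sent unauthenticated


def parse_line(line):
    ts, subtype, bssid, dst = line.split()  # one capture line -> tuple
    return float(ts), subtype.lower(), bssid.lower(), dst.lower()


def detect_floods(lines, window_s=1.0, threshold=10):
    """Return {bssid: (alert_time, frames_in_window)} for each BSSID that sourced
    at least `threshold` deauth/disassoc frames within `window_s` seconds."""
    recent = defaultdict(deque)
    alerts = {}
    frames = sorted(parse_line(l) for l in lines if l.strip())  # tolerate out-of-order lines
    for ts, subtype, bssid, _dst in frames:
        if subtype not in FLOOD_SUBTYPES:
            continue
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window_s:        # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and bssid not in alerts:
            alerts[bssid] = (ts, len(q))   # record the first time the rate is exceeded
    return alerts


def build_sample_log():
    """Constructed capture: one AP sending two deauths seconds apart (normal idle
    time-out behaviour) and one BSSID being spoofed in a broadcast deauth flood."""
    ap_ok, ap_hit = "00:11:22:33:44:55", "66:77:88:99:aa:bb"  # made-up BSSIDs
    bcast = "ff:ff:ff:ff:ff:ff"
    lines = [f"{1211400000 + i}.000 beacon {ap_ok} {bcast}" for i in range(5)]
    lines += [f"1211400001.500 deauth {ap_ok} 00:aa:bb:cc:dd:01",
              f"1211400004.200 deauth {ap_ok} 00:aa:bb:cc:dd:02"]
    # 15 broadcast deauth frames within half a second, spoofing ap_hit
    lines += [f"{1211400002 + i * 0.03:.3f} deauth {ap_hit} {bcast}"
              for i in range(15)]
    return lines


if __name__ == "__main__":
    for bssid, (when, count) in detect_floods(build_sample_log()).items():
        print(f"ALERT {bssid}: {count} deauth/disassoc frames by t={when:.3f}")
```

Tune `window_s` and `threshold` against a baseline of your own controller's normal deauth rate; legitimate APs do send occasional deauths on idle time-out, so a single frame is not an alert.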
------------------------------------------------------------------------ This list is sponsored by: Cenzic Top 5 Common Mistakes in Securing Web Applications Find out now! Get Webinar Recording and PPT Slides www.cenzic.com/landing/securityfocus/hackinar ------------------------------------------------------------------------
Current thread:
- Wireless pen-test Cisco WPAv1 with PEAP and client side cert verification infoget (May 21)
- Re: Wireless pen-test Cisco WPAv1 with PEAP and client side cert verification kevin horvath (May 22)
- Re: Wireless pen-test Cisco WPAv1 with PEAP and client side cert verification DaKahuna (May 22)