Penetration Testing mailing list archives

Re: Wireless pen-test Cisco WPAv1 with PEAP and client side cert verification


From: "kevin horvath" <kevin.horvath () gmail com>
Date: Wed, 21 May 2008 16:29:21 -0400

Rich,

Glad to see you are being proactive and trying to test your own
environment before someone else does.  Well, you are off to a pretty
good start using PEAP (most likely PEAP-EAP-MSCHAPv2) if this is just
for corporate access into a DMZ.  If it is anything more secure, or if
you don't employ internal filtering (which is bad), then you will need
to employ client certificates (preferably on an external token) in
addition to user/pass.  Let's assume that this is just for corporate
access; then you first need to make sure all wireless clients access
their own DMZ off of a firewall after authentication.  Once
segregation has been set up you will also need to make sure your
clients are secure, in particular any Windows wireless clients.
Windows wireless clients should be locked down using an AD GPO (802.11
policy).  This is used for ensuring wireless clients aren't probing for
anything other than your corporate SSIDs.  Otherwise there are
methods, such as one I use on pen tests, to get clients to
automatically connect to my rogue AP.  Then I hack them and take their
SAM, client certs, and any other WPA or WEP keys for any other
networks that are in their preferred network list.

In addition to this there are exploitable client drivers, such as the
Broadcom one, that can be used to either DoS or in theory get a command
prompt on.  So basically just check whether your clients are using any of
these drivers and verify whatever wireless cards they are using are
fully patched or using up-to-date firmware.

One final note: never use wireless for critical systems.  I have seen
large institutes put life support or medicine dispensing systems on
the wireless network which talk back to a server on the LAN.  This is
very bad since any wireless network can be completely DoS'd without
authenticating, hence why you should be more concerned with control
packets vs. management packets as you indicated below.  Since you
really can't do anything against an attack like this, you need to
continuously watch your wireless IDS logs.

Kevin



On Tue, May 20, 2008 at 5:33 PM,  <infoget () cnrconsulting bz> wrote:
I was wondering if someone could suggest areas for me to research what I might do to see how vulnerable my wireless
deployment might be.  Basic environment is:


Cisco SWAN with WLSM... guest access VLAN and employee VLAN... for the latter we use WPAv1 with EAP/PEAP, etc.  We use
validation against RADIUS and we force the client to verify the digital certificate.


The only areas I think I might be vulnerable would be the management frames and the client driver.


But I would like anyone's recommendation on how I can test my solution to make sure it is secure.


Thank you...Rich

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------


