Penetration Testing mailing list archives
Re: Microwave/RF point to point link risk assessment
From: Mike Hale <eyeronic.design () gmail com>
Date: Sun, 8 Aug 2010 16:32:47 -0700
I can address the VSAT portion of this question, though I'm assuming the same issues are present on other RF-based links.

VSAT traffic, by default, is not encrypted. It is simply modulated RF traffic sent over the air. The same vulnerabilities found in unencrypted WiFi are present in standard VSAT links.

There is a hitch, however. There are a plethora of ways to modulate and encapsulate IP traffic over RF. I've seen VSAT systems make use of a lot of different ones...it's really determined by the link budget the satellite engineers calculate at the time the link is provisioned.

In order to eavesdrop on a connection, you need to figure out bitrate, modulation, frequency, error correction type, and inversion, among other things. Frequency is easily found by using a spectrum analyzer. The other values need to be 'brute forced', and that can be a pain in the ass.

To the best of my knowledge, no device exists that can do all these steps; however, it is *trivial*, from a technical standpoint, to create one.

If you want to proof of concept this to your customer, simply grab a modem (or receiver) of the type they use in the field, configure the correct settings, and grab any traffic that is downlinked to their end-points. Depending on the footprint and spot-beams of the satellite, you can do the same for the downlink to their teleport, and thereby eavesdrop on both sides of the transmission; otherwise, you'll be limited to only one path.

On Sun, Aug 8, 2010 at 6:30 AM, Info Sec <infoseccon () gawab com> wrote:
Hi All,

We are an Information Security consulting firm, currently doing Risk assessment for our client on various wireless technologies like WiMAX, CDMA, EVDO, VSAT, GPRS, point to point Microwave and RF.

We are looking for equipment/software tool useful for testing communication security over Microwave, VSAT, and RF links. Point to point communication, be it wired or wireless can be protected using IPSec VPN tunnel but the client is more interested in knowing the damage or business impact possible in absence of VPN tunnel.

Internet search results mainly in Wireless testing for Wi-Fi only; not for point to point Microwave, RF, or VSAT link. For Wi-Fi, the assessment can be done using a laptop with Wi-Fi card, software tool, and an access point, without any sophisticated equipment. I wonder what equipment / software tool we need to have for point to point microwave link assessment.

We are looking for possible methods that an adversary can use to steal the data from the wireless link or disrupt the normal operation. We need to demonstrate how much penetration or damage is viable over the wireless link.

We figured out the following attacks are possible:

a) Traffic analysis Attack
b) Eavesdropping
c) Denial-of-service Attack
d) Black-hole Attack
e) Node Deprivation Attack
f) Rogue Access point/Base Station detection
g) Interference, Signal Jamming attack

If you have idea about any software tool / equipment that can help us analyze the risk over wireless link, please do suggest. Feel free to share if you have any thought / experience / methodology / reference in this regard.

Appreciate your reply. Thanks a bunch.

P.S.: Posting this message to Wireless Security and Penetration Testing both lists.

Regards,
Steve

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
-- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Current thread:
- Microwave/RF point to point link risk assessment Info Sec (Aug 08)
- Re: Microwave/RF point to point link risk assessment Mike Hale (Aug 08)
- Re: Microwave/RF point to point link risk assessment Joshua Wright (Aug 12)