Source: corecom.com/ccftp/WirelessVA-2011.pdf

MIS Training Institute © Lisa Phifer and Diana Kelley

© 2011 Lisa Phifer and Diana Kelley

Session #E9

Using Free Tools to Assess and Audit Your Wi-Fi Network

April 21, 2011, 11:30am – 12:45pm

Lisa Phifer, Core Competence, Inc
Diana Kelley, SecurityCurve

[email protected] / [email protected]


AGENDA

Business Justification for Wi-Fi Vulnerability Assessment?

The Wi-Fi VA Lifecycle: – Plan > Scan > Validate > Remediate

Building a Wi-Fi VA Toolkit
– Create your “kit”
– Buy or download tools
– Define and automate tasks

Lessons Learned


Business Justification for Wi-Fi VA

Situational Awareness
– Understand where exposures exist
– Create plan to address risks

Cost Savings
– Remediate during other scheduled maintenance

Audit Readiness
– HIPAA
• Protect PHI transmitted electronically over open networks
– PCI-DSS (including Wireless) Guidelines
– DoD 8100.2
• 4.2 and 4.3 “No Fly” Zones


Wi-Fi VA In-House, Outsource or Both?

Outsource
– 3rd party assessor
• Conducts on-site testing
– External scanning company
• Conducts remote scans

PROs
– Don’t need in-house expertise
– No hardware/software costs for testing

CONs
– Costly, esp. for on-site testing
– NB: External scanning is not a replacement for on-site testing


Wi-Fi VA In-House, Outsource or Both?

In-house
– Perform assessments using internal resources

PROs
– May cost less
– Increased control over the process

CONs
– Requires in-house expertise
– Cost of tools/software can increase cost

Use best-of-both combination of approaches
– In-house for repeated, routine checks
– Outsource for periodic external validation


Strategy for Vulnerability Assessment

Identify assets and resources
Determine relative values
Enumerate and validate threats and vulnerabilities
Manage risk
– Accept
– Mitigate or Eliminate
– “Transfer”


Wi-Fi VA Lifecycle


Define the Course of Action

Scope
– What systems will be covered?
– What diagnostics will be run?
– What reports will be generated?

Background
– RF floorplans (AP mounts, SSIDs, coverage areas)
– Network maps (subnets/VLANs, controller/AP IP/MACs)
– Intended device settings, security policies


Define the Course of Action

Equipment
– Required software and hardware

Personnel
– Assign roles
– Define responsibilities

Reporting and Response
– What kinds of reports are required?
– Who will review reports?
– What is the response plan?


See What’s Out There

Scan for vulns & exposures
– Throughout your airspace
– From the wired network

What to Look For
– Rogues
– Data Leaks
– Misconfigured Devices
– Availability and Coverage Gaps

Demos in just a few minutes...


Trust but Verify

Reports from scanning tools
– Review scans
• Eliminate false positives
• Accepted/known exposures
– Confirm vulns and exposures
• This is often a manual task
– Revise reports with verified information

Prioritize
– Assess vulns and impacts
– Generate priority lists


Responsive Action

Create remediation plan
– Baseline from priority lists
– Determine action
• Mitigate
• Remediate
• Accept
• Defer or Transfer**
– Verify success
• Did the mitigation/remediation take effect?
• Is it working as expected?


Wi-Fi VA Lifecycle Example

*CDE=Cardholder Data Environment


Building a Wi-Fi VA Toolkit

An iterative 3-step process
1. Create your “kit”
2. Buy or download tools
3. Define and automate tasks


1. Create your “kit”

Smartphones or Tablets
– For initial surveys, quick tests

Laptops or Netbooks
– For everything else

802.11 NIC(s)
– Chipset matters!

Antennas
– Omni + Directional

GPS receiver
– For multi-site/outdoor VA


Choose operating system(s)

Tools now emerging for iOS, Android, Symbian
– Some require jailbreak / root

Tools for Windows XP/Vista/7 are limited
– Many require RFMON mode (e.g., AirPcap)

For broadest tool selection, choose Linux
– (Dual) boot your favorite distro from HDD
– Boot from Live CD / DVD / USB stick
– Run VM image (not a great choice for Wi-Fi)
– Start here: http://www.securitydistro.com


Choose NIC(s)

Match NIC vendor/model/version to
– Tool-supported chipsets and drivers

Some lists to consult...
– Wireless NICs with Linux device drivers
• http://linuxwireless.org/en/users/Drivers
– Windows MONMODE NIC = AirPcap Nx
• http://www.cacetech.com/products/airpcap.html
– BackTrack4 compatible NICs
• http://www.backtrack-linux.org/wiki/index.php/Wireless_Drivers
– Aircrack-ng compatible NICs
• http://www.aircrack-ng.org/doku.php?id=compatibility_drivers
– MadWifi compatible NICs
• http://madwifi-project.org/wiki/Compatibility


2. Buy a commercial toolkit

http://www.immunityinc.com


2. Or roll your own...

• Start by downloading a free security distro
– Create your own bootable USB
– Add / update tools as needed
– Remember: Purchase $ < Lifetime Use $

• In the rest of this preso, we discuss
– Freely available Wi-Fi tools for
– Common over-the-air VA tasks

• Should be combined with
– Wired-side / upper-layer VA tools
– Remote VA services (scanners, crackers)
– Commercial tools justified by risk/effort


Tools to Listen for Surprises

Airgrab (MacOS)
– http://www.airgrab.com

Cloud Stumbler (Java, Android)
– http://meraki.com/tools/stumbler/

HandyWi (Symbian)
– http://www.handywi.com/

Heatmapper (Win32 XP/Vista/7)
– http://www.ekahau.com/

InSSIDer (Win64)
– http://www.metageek.net/

Wifi Analyzer (Android)
– http://a.farproc.com/wifi-analyzer

WiFiFoFum (iOS, WinMo, Android)
– http://www.aspecto-software.com

Scan:
• 2.4 GHz Band
• 5 GHz Band
• 20 & 40 MHz Ch

Looking for:
• Rogue SSIDs
• Evil Twin APs
• Ad Hoc Clients
• Co-Channel Use
• RF Interference
• Coverage Gaps

Many tools included with Linux security distros!


Windows Example - InSSIDer


Windows Example - Heatmapper


iOS Example - WiFiFoFum


Android Example – Wifi Analyzer


Tools to Spot Policy Violations

Kismet (Linux, OS X, Win with RFMON)
– http://www.kismetwireless.net

Airodump-ng (Linux, Win with RFMON)
– http://www.aircrack-ng.org

Android-Arts Packet Sniffer (Android)
– http://sites.google.com/site/androidarts/

Pirni (iOS – jailbroken)
– http://code.google.com/p/pirni-derv/

Wireshark (Linux, OS X, Win)
– http://www.wireshark.org/

Monitor/Capture:
• Auth Chs
• Auth APs
• Live Clients

Looking for non-compliant:
• SSIDs
• Rates, Opts
• Modes
• Vendors
• Encryption
• Authentication
• QoS Priorities
• Apps Used
• Relationships
• Locations


Linux Example – Airodump-ng

To scan all channels: airodump-ng mon0
To capture one AP on one channel: airodump-ng --channel <#> --bssid <AP MAC> --write <prefix> mon0
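Turning a capture like the one above into a policy check, as an added example that is not part of the slides: the script below parses the CSV that airodump-ng --write produces (a constructed sample is embedded), compares every AP and client against a hypothetical site policy, and reports the non-compliant SSIDs, encryption and authentication settings, unmanaged APs cloning an approved SSID, and clients probing for non-approved SSIDs that the "Tools to Spot Policy Violations" slide lists. The policy table, the managed BSSIDs and the CSV rows are assumptions, not values from the deck.

```python
"""Flag Wi-Fi policy violations in an airodump-ng CSV dump.

Added example; not code from the slides. The policy table, the managed BSSIDs
and the CSV below are constructed for illustration. The CSV layout mirrors the
file airodump-ng writes with --write: an AP section, a blank line, then a
station section, each with its own header row.
"""
import csv
import io

# Constructed policy (hypothetical values): what approved SSIDs must advertise,
# which BSSIDs the controller manages, and the site channel plan.
POLICY = {
    "approved_ssids": {
        "CorpWLAN": {"Privacy": "WPA2", "Cipher": "CCMP", "Authentication": "MGT"},
        "CorpGuest": {"Privacy": "WPA2", "Cipher": "CCMP", "Authentication": "PSK"},
    },
    "managed_bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "managed_channels": {1, 6, 11},
}

# Constructed capture: two managed APs, one unmanaged AP cloning CorpWLAN,
# one WEP network, and two clients (one probing for a hotspot SSID).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2011-04-21 11:30:00, 2011-04-21 11:45:00,  6,  54, WPA2, CCMP, MGT, -45, 120,  0,   0.  0.  0.  0,  8, CorpWLAN,
00:11:22:33:44:02, 2011-04-21 11:30:00, 2011-04-21 11:45:00,  1,  54, WPA2, CCMP, PSK, -50, 118,  0,   0.  0.  0.  0,  9, CorpGuest,
DE:AD:BE:EF:00:01, 2011-04-21 11:31:00, 2011-04-21 11:45:00,  6,  54, WPA2, CCMP, PSK, -40,  90,  0,   0.  0.  0.  0,  8, CorpWLAN,
00:DE:AD:00:00:02, 2011-04-21 11:32:00, 2011-04-21 11:45:00,  3,  54, WEP, WEP, OPN, -70,  60, 12,   0.  0.  0.  0, 10, PrinterNet,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:00:00:01, 2011-04-21 11:33:00, 2011-04-21 11:45:00, -55, 40, 00:11:22:33:44:01, CorpWLAN
AA:BB:CC:00:00:02, 2011-04-21 11:34:00, 2011-04-21 11:45:00, -62, 12, (not associated), attwifi,CorpWLAN
"""


def parse_airodump_csv(text):
    """Split the dump into AP rows and station rows, keyed by the header names."""
    networks, stations, header, current = [], [], [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [field.strip() for field in row]
        if not any(row):
            continue                      # blank separator line between sections
        if row[0] == "BSSID":
            header, current = row, networks
            continue
        if row[0] == "Station MAC":
            header, current = row, stations
            continue
        if current is None:
            continue
        # airodump-ng lists several probed ESSIDs comma-separated in the last
        # column, so a station row can be longer than its header: re-join them.
        if len(row) > len(header):
            row = row[:len(header) - 1] + [",".join(row[len(header) - 1:])]
        current.append(dict(zip(header, row)))
    return networks, stations


def check_policy(networks, stations, policy=POLICY):
    """Return (severity, category, subject, detail) tuples for every deviation.
    An unknown SSID is a lead for the verify step, not proof of a rogue: a
    neighbour's AP looks the same over the air until it is located."""
    findings = []
    approved = policy["approved_ssids"]
    for net in networks:
        bssid, essid, chan = net["BSSID"], net["ESSID"], int(net["channel"])
        if essid not in approved:
            sev = "HIGH" if net["Privacy"] in ("OPN", "WEP") else "MEDIUM"
            findings.append((sev, "unknown SSID", bssid,
                             f"{essid!r} ({net['Privacy']}) at {net['Power']} dBm on ch {chan}"))
            continue
        if bssid not in policy["managed_bssids"]:
            findings.append(("HIGH", "possible evil twin", bssid,
                             f"unmanaged AP advertising approved SSID {essid!r} on ch {chan}"))
            continue
        for column, required in approved[essid].items():
            if net[column] != required:
                findings.append(("HIGH", "misconfigured AP", bssid,
                                 f"{essid!r} {column} is {net[column]!r}, policy requires {required!r}"))
        if chan not in policy["managed_channels"]:
            findings.append(("LOW", "channel plan deviation", bssid, f"{essid!r} on ch {chan}"))
    for sta in stations:
        probes = [p for p in sta["Probed ESSIDs"].split(",") if p]
        risky = [p for p in probes if p not in approved]
        if risky:
            findings.append(("MEDIUM", "client probing non-approved SSID",
                             sta["Station MAC"], "probes: " + ", ".join(risky)))
    return findings


if __name__ == "__main__":
    nets, stas = parse_airodump_csv(SAMPLE_CSV)
    for sev, cat, subject, detail in check_policy(nets, stas):
        print(f"[{sev}] {cat}: {subject} - {detail}")
```

Run it against a real dump with parse_airodump_csv(open("capture-01.csv").read()). Each "unknown SSID" hit still has to be confirmed by hand (MAC against inventory, or a directional antenna walk), which is exactly the "Trust but Verify" step.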


Smartphone Examples

Pirni for iOS; Sniffer for Android


Windows Example – Wireshark

Without RFMON: captures only (decrypted) data frames, i.e. broadcasts and packets addressed to the tester

With RFMON: captures all 802.11 frames (Management, Control & Data)

Analyze Beacons (above), WLAN Stats (at right)

Using AirPcap NX


Tools to Verify Network Security

Nmap, Zenmap
– http://nmap.org/

LANScan (iOS)
– http://www.nutectools.com/

Network Discovery (Android)
– http://rorist.github.com/

Security Auditor's Research Assistant
– http://www-arc.com/sara/

Nessus
– http://www.nessus.org/nessus/

AP Hopper
– http://aphopper.sourceforge.net/

Wicrawl
– http://midnightresearch.com/

EAPeak
– EAPeak-v0.0.4_BH_Europe.tar.bz2

Scan & assess:
• APs
• Controllers
• Gateways
• Switches

Looking for:
• Reachable NWs
• Exposed services
• Default logins
• Weak PWs
• Missing patches
• Config errors
• Missing ACLs
• Poor segmentation


iOS Example – LAN Scan


Android Example – Network Discovery


Python Example - EAPeak

To analyze captured traffic: eapeak -f <pcap file>


Tools to Find Client Vulnerabilities

WiFiDEnum
– http://labs.arubanetworks.com

WiFish Finder
– http://www.airtightnetworks.com/

Karma
– http://trailofbits.com/karma/
– http://www.digininja.org/jasager/

Aircrack-ng suite
– http://www.aircrack-ng.org

coWPAtty
– http://www.willhackforsushi.com/

Thomas Roth’s CCS
– http://stacksmashing.net/cloud-cracking-suite/

Scan & assess:
• Wi-Fi Clients

Looking for:
• Buggy drivers
• Open/Hotspot probed SSIDs
• “Allow Any” PNL
• Weak PSKs

Plus the usual...
• Missing PFWs
• Missing VPNs
• Open shares


Example - WiFiDEnum


Example – WiFish Finder

From defcon-17-md_sohail_ahmad-wi-fish.pdf


Example – Aircrack-ng on Windows


Example – Aircrack-ng on Linux, assisted by aireplay-ng


Example – Airdrop-ng

Repeatedly deauthenticates all or some clients (based on specified rules) to force reauthentications


Tools to Validate Wi-Fi Defenses

MDK3
– http://homepages.tu-darmstadt.de/~p_larbig/wlan/

Airpwn
– http://airpwn.sourceforge.net/

Wifizoo
– http://community.corest.com/~hochoa/

Metasploit (+ KARMA = Karmetasploit)
– http://www.metasploit.com/
– http://www.offensive-security.com/metasploit-unleashed/Karmetasploit_Configuration

Ubitack
– http://code.google.com/p/ubitack/

Assess:
• Controllers
• WIPS

By sending:
• Deauths
• Floods
• Exploits
• Spoofed sources
• Injected packets
• Fuzzing


Example – MDK3


Example - Karmetasploit

Create AP that responds to all probes; create tap interface for Karma to use


msfconsole -r karma.rc
Uses Metasploit to run fake servers for HTTP, HTTPS, POP, FTP, SMTP, etc.


Karmetasploit browser exploit

Karmetasploit FTP, POP login caps


3. Define and automate tasks

VA tasks must be
– Defined unambiguously
– Performed repeatedly
– With reliable results

Scripts can be your friend
– Automate prerequisites
– Run tests in the same order
– Repeat tests to eliminate anomalies and average variable results
– Save results to named folders/files
– Record context (timestamp, site ID)

Steps: Define > Validate > Automate > Refine
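One way to put those scripting requirements into practice, as an added example rather than code from the presentation: a small Python runner that checks each task's prerequisites, runs the tasks in a fixed order the requested number of times, stores every output under a folder named by site ID and timestamp, averages a parsed metric across the repeats, and writes a manifest recording the context. The task dictionary layout, the manifest format and the tasks in demo() are hypothetical; real tasks would wrap the scanners listed earlier in the deck.

```python
"""Run a defined sequence of VA tasks the same way every time.

Added example; not code from the slides. Task definitions, the folder layout and
the demo() tasks are hypothetical: in practice each task wraps a scanner such as
airodump-ng or nmap, and "parse" pulls the metric you want to trend from its output.
"""
import json
import statistics
import subprocess
import sys
import tempfile
import time
from pathlib import Path


def make_run_dir(root, site_id):
    """One folder per site and run (<root>/<site_id>/<UTC timestamp>) so results never collide."""
    run_dir = Path(root) / site_id / time.strftime("%Y%m%d-%H%M%S", time.gmtime())
    run_dir.mkdir(parents=True, exist_ok=True)
    return run_dir


def run_task(task, run_dir, repeats):
    """Run one task `repeats` times, keep every stdout/stderr, and average any parsed metric."""
    codes, values = [], []
    for i in range(1, repeats + 1):
        proc = subprocess.run(task["cmd"], capture_output=True, text=True,
                              timeout=task.get("timeout", 60))
        (run_dir / f"{task['name']}.{i}.out").write_text(proc.stdout)
        (run_dir / f"{task['name']}.{i}.err").write_text(proc.stderr)
        codes.append(proc.returncode)
        if "parse" in task and proc.returncode == 0:
            values.append(task["parse"](proc.stdout))
    result = {"name": task["name"], "cmd": task["cmd"], "exit_codes": codes,
              "consistent": len(set(codes)) == 1}     # did every repeat end the same way?
    if values:                                         # spread across repeats shows RF variability
        result["metric"] = {"mean": statistics.mean(values), "min": min(values), "max": max(values)}
    return result


def run_sequence(tasks, root, site_id, repeats=3, operator="unknown"):
    """Check prerequisites, run the tasks in their defined order, and write a manifest
    recording the context (site, operator, time) next to the raw outputs."""
    run_dir = make_run_dir(root, site_id)
    manifest = {"site_id": site_id, "operator": operator,
                "started_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                "run_dir": str(run_dir), "tasks": []}
    for task in tasks:
        missing = [p for p in task.get("requires", []) if not Path(p).exists()]
        if missing:   # driver, capture interface or tool absent: record it, never guess
            manifest["tasks"].append({"name": task["name"], "skipped": f"missing: {missing}"})
            continue
        manifest["tasks"].append(run_task(task, run_dir, repeats))
    (run_dir / "manifest.json").write_text(json.dumps(manifest, indent=2, default=str))
    return manifest


def demo():
    """Constructed run: a stand-in 'scan' that prints a number, and an RFMON
    capture task whose prerequisite (the mon0 interface) is absent on this host."""
    tasks = [
        {"name": "ap_count", "cmd": [sys.executable, "-c", "print(42)"], "parse": float},
        {"name": "rfmon_capture", "cmd": ["airodump-ng", "mon0"],
         "requires": ["/sys/class/net/mon0"]},
    ]
    return run_sequence(tasks, tempfile.mkdtemp(prefix="wifi-va-"), "SITE-01",
                        repeats=2, operator="auditor")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The "consistent" flag and the min/max spread are what tell you whether a changed number between two visits is a real change or just RF noise, which is the reason the slide asks for repeated runs in the first place.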


Frameworks can help to understand which tools are good for which tasks and test sequencing


http://wirelessdefence.org/Contents/Wireless%20Pen%20Test%20Framework_001.html


Lessons Learned

Tools are only part of the overall solution
– Scanners help show where the exposures/problems are
– Still need to have a remediation plan to ensure exposures are addressed

Free vs. Commercial tools and services
– Free software + Cost of learning curve + Time spent running manual tests
– Commercial + lower personnel/time cost + 3rd party expertise


Lessons Learned

Aggregate findings
– Normalize results from different tools
– Eliminate overlaps

Keep trending information to
– Spot changes over time
– Resolve repeat false positives
– Measure improvement
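An added example (not from the slides) of the aggregation and trending steps, which also covers carrying accepted/known exposures forward from the "Trust but Verify" step: two hypothetical scanner record layouts are normalized onto one (BSSID, SSID, issue) key so overlapping reports collapse into a single finding, then the run is diffed against the previous run and an accepted-risk list to separate new, recurring, resolved and suppressed findings. The record layouts, the synonym table and the sample data are constructed.

```python
"""Normalize findings from different tools, remove overlaps, and trend them between runs.

Added example; not code from the slides. The two input layouts, the synonym table
and the sample records are constructed: they stand in for the different ways
scanners name the same AP and the same problem.
"""
import re

# Constructed synonym table: each tool's label -> the one issue name used in reports.
ISSUE_NAMES = {
    "rogue ap": "rogue AP", "rogue": "rogue AP", "unauthorized ap": "rogue AP",
    "wep": "weak encryption", "weak encryption": "weak encryption",
    "open": "no encryption", "opn": "no encryption",
}


def norm_mac(mac):
    """Canonical lower-case colon form: 00-11-22-33-44-55, 0011.2233.4455 and
    00:11:22:33:44:55 all become the same key."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def normalize(tool, rec):
    """Map a tool-specific record onto the common (bssid, ssid, issue) key."""
    if tool == "scanner_a":          # hypothetical layout: BSSID / ESSID / issue
        bssid, ssid, issue = rec["BSSID"], rec["ESSID"], rec["issue"]
    elif tool == "scanner_b":        # hypothetical layout: mac / essid / alert
        bssid, ssid, issue = rec["mac"], rec["essid"], rec["alert"]
    else:
        raise ValueError(f"unknown tool {tool!r}")
    return (norm_mac(bssid), ssid.strip(), ISSUE_NAMES[issue.strip().lower()])


def aggregate(results):
    """results: {tool: [records]} -> {key: set of tools that reported it}.
    Two tools reporting the same AP and issue collapse into one finding."""
    merged = {}
    for tool, records in results.items():
        for rec in records:
            merged.setdefault(normalize(tool, rec), set()).add(tool)
    return merged


def trend(current, previous, accepted):
    """Compare this run's keys with the last run and the accepted-risk list."""
    cur, prev, acc = set(current), set(previous), set(accepted)
    return {
        "new": sorted(cur - prev - acc),            # needs triage
        "recurring": sorted((cur & prev) - acc),    # remediation did not take effect
        "resolved": sorted(prev - cur),             # improvement to report
        "suppressed": sorted(cur & acc),            # known/accepted: do not re-raise
    }


# Constructed sample: three raw records describing two distinct findings.
RESULTS = {
    "scanner_a": [
        {"BSSID": "DE-AD-BE-EF-00-01", "ESSID": "CorpWLAN", "issue": "Rogue AP"},
        {"BSSID": "00-DE-AD-00-00-02", "ESSID": "PrinterNet ", "issue": "WEP"},
    ],
    "scanner_b": [
        {"mac": "dead.beef.0001", "essid": " CorpWLAN", "alert": "unauthorized AP"},
    ],
}
PREVIOUS_RUN = {("00:de:ad:00:00:02", "PrinterNet", "weak encryption"),
                ("00:11:22:33:44:09", "CorpGuest", "no encryption")}
ACCEPTED = {("00:de:ad:00:00:02", "PrinterNet", "weak encryption")}   # legacy printer, risk accepted


def report():
    """Aggregate the sample results and trend them against the previous run."""
    merged = aggregate(RESULTS)
    return merged, trend(merged, PREVIOUS_RUN, ACCEPTED)


if __name__ == "__main__":
    merged, delta = report()
    for key, tools in merged.items():
        print(key, "reported by", sorted(tools))
    print(delta)
```

Persist each run's key set (for example the manifest folder from the automation step) and the "resolved" count over time is the improvement metric the slide asks for; the "suppressed" list is where repeat false positives stop costing review time.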