You can find wireless weaknesses and leave it at that -- an audit
of sorts. That may be all you care to do, but I recommend taking it
a step further to see what can actually be exploited. That's how it
works in the real world. Based on the weaknesses I've listed above,
here are some exploits you can carry out to see how far you can get
into your systems as a malicious attacker. Just be careful and know
that you can easily take your network down and expose sensitive
information by running these tests.
- Plug into the console port on an easily accessible access point
and see how far you can get into the device -- guessing the
password, reading the configuration, changing the configuration and
so on.
- Tap into wireless signals from the parking lot, floors above
and below and so on.
- Using a wireless network analyser, capture email, Web, FTP,
VoIP, and other communications to gather valuable authentication
credentials and sensitive data traveling through the air in clear
text.
- Exploit MAC address controls by determining a valid MAC address
with a wireless network analyser and then spoofing your local MAC
address using a tool such as SMAC.
- Crack WEP and WPA keys using tools such as Aircrack and
Cowpatty, both part of the BackTrack Live CD.
- Connect to access points via telnet or HTTP to crack passwords,
change network configuration, add/modify access controls and
more.
- Attach to unsecured Windows shares or obtain remote
connectivity via null sessions, RPC, Remote Desktop, misconfigured
SQL Server, IIS and more.
- Exploit missing Windows patches using Metasploit or a similar tool.
- Pass through from the wireless network to the wired side and
see what else you can ping, scan and otherwise exploit.
- Attach to printers via their Web console or SNMP to glean
information, change the configuration, manage print jobs and
more.
- If all else fails and you still believe your 802.11b/g wireless
network is secure, there's a wireless exploit referred to as the
Queensland Attack that'll likely bring it to its knees in a heartbeat.
All it takes is an old D-Link DWL-650 card and the retired Prism
chipset testing tool (search Google for PrismTestUtil322.exe) to
put the wireless card in continuous transmit mode. Go into this
test with your eyes wide open, using caution and accepting personal
responsibility, since it will likely disrupt your wireless network and
any other one around you. On the positive side, this can be used to
demonstrate that, no matter what, wireless is indeed vulnerable and
show that you need a wireless IDS/IPS that helps ward off or at
least fight back against this type of attack.
Don't Stop Now
This is only the beginning. Literally hundreds of ways exist to
exploit wireless networks and their associated devices. Once you've
figured out where your wireless network is weak, it's time to lock
things down. Suffice it to say, this is easily another tip by
itself, but there are a few things I can point you to. Simple
wireless networks running WPA2 with long and strong pre-shared keys
(20+ random characters) combined with Windows systems running the
Windows Firewall are going to be pretty darn secure. For larger
wireless configurations this won't be quite as convenient to manage
though. The best tried and true solution for enterprise wireless
security is a wireless IDS/IPS system from a company such as
AirDefense, Network Chemistry, or AirTight Networks. Also, check out
some solutions I offered in this recent tip, Locking down laptops
that connect to hotspots, and webcast, Windows network vulnerability
assessment: From A to Z.
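As an added example (not part of the original tip), here is a small Python generator and policy check for WPA2 pre-shared keys that follows the "20+ random characters" advice above. The 8-to-63 printable ASCII limits come from 802.11i; the list of common passphrases is a constructed sample, not a real wordlist.

```python
import math
import secrets
import string

# WPA2 (IEEE 802.11i) passphrases must be 8 to 63 printable ASCII characters.
PSK_MIN_LEN = 8
PSK_MAX_LEN = 63
RECOMMENDED_LEN = 20  # the tip's advice: 20+ random characters
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)
ALPHABET = "".join(CHAR_CLASSES)  # 94 printable characters

# Constructed sample; a real check would use a much larger wordlist.
COMMON_PASSPHRASES = {"password", "12345678", "qwertyuiop", "linksys"}


def entropy_bits(length: int) -> float:
    """Bits of entropy for a uniformly random passphrase of this length."""
    return length * math.log2(len(ALPHABET))


def generate_psk(length: int = RECOMMENDED_LEN) -> str:
    """Return a CSPRNG-generated passphrase containing every character class."""
    if not PSK_MIN_LEN <= length <= PSK_MAX_LEN:
        raise ValueError("WPA2 passphrase must be 8-63 characters")
    rng = secrets.SystemRandom()
    chars = [rng.choice(cls) for cls in CHAR_CLASSES]       # one of each class
    chars += [rng.choice(ALPHABET) for _ in range(length - len(chars))]
    rng.shuffle(chars)                                      # hide class positions
    return "".join(chars)


def check_psk(passphrase: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("contains characters outside printable ASCII")
    if not PSK_MIN_LEN <= len(passphrase) <= PSK_MAX_LEN:
        problems.append("length outside the 8-63 range required by 802.11i")
    elif len(passphrase) < RECOMMENDED_LEN:
        problems.append("shorter than the recommended %d characters" % RECOMMENDED_LEN)
    if sum(any(c in cls for c in passphrase) for cls in CHAR_CLASSES) < 3:
        problems.append("uses fewer than three character classes")
    if passphrase.lower() in COMMON_PASSPHRASES:
        problems.append("is a well-known default or dictionary passphrase")
    return problems


if __name__ == "__main__":
    psk = generate_psk()
    print("generated:", psk, "entropy bits: %.0f" % entropy_bits(len(psk)))
    print("violations for 'linksys':", check_psk("linksys"))
```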
Wireless attackers know that the odds are on their side and it's
a heck of a lot easier to attack wirelessly. They have the tools,
the know-how, and practically all the time in the world. They also
know that most people don't proactively monitor their critical
wired networks and applications -- much less their wireless
environment. Never forget that "no wireless" policies will
be broken and your users cannot simply be trusted to always do the
right thing.
So, test your wireless and test again. You never know what's
there for the taking.

This tip is part of the series Wireless network security testing:
Introduction; Step 1: Build your arsenal of tools; Step 2: Search
for weaknesses; Step 3: Dig in deep to demonstrate the threat.