Penetration Testing mailing list archives

Re: [PEN-TEST] Penetrating Wireless Networks


From: Ichinin <ichinin () swipnet se>
Date: Sun, 11 Mar 2001 14:15:40 +0100

Hi.

Frank Knobbe wrote:

> I know the technologies are rather new compared to wired networks,
> but does anyone have any pointers for penetration tests of wireless
> networks, 802.11b in particular?

None that I've heard of that do not already exist for Ethernets
that you could use.

> In my opinion, with the advance of wireless networks, this will be a
> very important part of pen tests. Has anyone developed any
> methodologies for such tests? Are there any tools available that
> assist in testing wireless networks?

I've written a portscanner for the RLAN-capable PocketPCs (MIPS)
and a brute-force password guesser for the Symbol Access Points.
But those tools are hardly useful for anything but toying around.

> For example, one is able to run
> tcpdump and other goodies on the wireless card just like on regular
> NICs.

Yes, it's just like a normal network.

> However, in order to gain access to the WLAN, one must know
> not only the WEP encryption key (if WEP is used), but also the ESS
> (network identifier), preamble length, and channel number.

One idea you could try:
Place an AP with the ACCEPT Broadcast ESSID option turned on and a
sniffer, and use the same network type (IPs etc.). The ESSID is not hard
to guess since a lot of default installations exist out there, i.e.
ESSID "101" (a leftover from the Spring protocol).

A note on WEP:

Do not use it. Since static keys are used, the risk of
someone mounting a statistical cryptanalytic attack on WEP
(as the WEP FAQ may have pointed out) is big. Some of the
older APs are still shipped with 40-bit security. Some of
the crypto keys are world-readable in the registry on the
systems that have RLAN NICs installed, which is a big mistake.
So, don't just look at the hardware (OK, do some SNMP & default
password checking); you need to look at the software side as well.

Frequency hopping is security through obscurity; the hopping
sets are too predictable, i.e. the next frequency MUST be at least
3 frequencies up or down the list (subtract 7 frequencies out of
83). There are also only 3 main sets of frequencies and IIRC 25
subsets of those, totalling ~75 frequency sequences.

Regards,
Glenn aka "Ichinin"
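The WEP warning above (static key, older 40-bit APs) can be made concrete. What follows is an added example, not code from the thread or from either poster. WEP keys each frame with RC4 over IV || key, where the 24-bit IV is sent in the clear; with a static key, any two frames that happen to reuse an IV are encrypted under the same RC4 keystream, so XORing the two ciphertexts cancels the keystream, and an attacker who knows one frame's plaintext (e.g. a ping they sent themselves) reads the other. The key, IV and frame contents are constructed for the demo; the CRC-32 ICV is omitted because it does not change the keystream-reuse argument.

```python
# Added example (not from the original post): why a static WEP key is a problem.
# WEP per-frame RC4 key = IV (24 bits, sent in the clear) || static key (40/104 bits).
# Same IV + same static key => same keystream => ciphertext XOR leaks plaintext XOR.
import math


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(static_key: bytes, iv: bytes, plaintext: bytes):
    """WEP-style encryption: RC4(IV || key) XOR plaintext; IV goes on the wire in clear."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    keystream = rc4(iv + static_key, len(plaintext))
    return iv, xor(plaintext, keystream)


def recover_with_known_plaintext(frame_a, known_plain_a: bytes, frame_b) -> bytes:
    """Two frames sharing an IV: knowing frame A's plaintext yields the keystream,
    which decrypts frame B without ever learning the static key."""
    iv_a, ct_a = frame_a
    iv_b, ct_b = frame_b
    if iv_a != iv_b:
        raise ValueError("IVs differ; the frames do not share a keystream")
    keystream = xor(ct_a, known_plain_a)      # C_a XOR P_a = keystream
    return xor(ct_b, keystream)                # C_b XOR keystream = P_b


def expected_frames_until_iv_reuse(iv_bits: int = 24) -> float:
    """Birthday bound: frames after which an IV repeat is ~50% likely.
    For a busy AP cycling through 2^24 IVs this is a matter of minutes."""
    return math.sqrt(2 * math.log(2) * 2 ** iv_bits)


# Constructed demo data (not from the original post).
STATIC_KEY = bytes.fromhex("0102030405")           # a 40-bit key; only 2**40 possible
IV = bytes.fromhex("a1b2c3")                         # the IV both frames happen to use
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"       # header every IP frame starts with
PLAIN_A = LLC_SNAP + b"ICMP echo request the attacker sent, so fully known"
PLAIN_B = LLC_SNAP + b"POP3 USER alice / PASS hunter2"   # victim traffic, unknown


def demo() -> bytes:
    """Encrypt both frames under the same IV and recover PLAIN_B from known PLAIN_A."""
    frame_a = wep_encrypt(STATIC_KEY, IV, PLAIN_A)
    frame_b = wep_encrypt(STATIC_KEY, IV, PLAIN_B)
    return recover_with_known_plaintext(frame_a, PLAIN_A, frame_b)


if __name__ == "__main__":
    print("recovered:", demo())
    print("frames until ~50% IV reuse: %.0f" % expected_frames_until_iv_reuse())
```

The recovery never touches the static key, which is the point: key length (40 vs 104 bits) is irrelevant once a keystream is reused, and a static key guarantees that reuse will happen as soon as the 24-bit IV space wraps or collides.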

