Penetration Testing mailing list archives
RE-cap: Tools for Detecting Wireless APs - from the wire side.
From: Isherwood Jeff C Contr AFRL/IFOSS <Jeffrey.Isherwood () rl af mil>
Date: Tue, 11 Jun 2002 15:48:55 -0000
I've been getting some fantastic responses, but they all seem to be gelling into this: none of the "wireside" tools is mature or robust enough yet to be of complete value. They can't give anyone a good enough sense of completeness that they can cover the bases and angles we need covered.

I have always used a multi-layered, multi-angled approach to all security (it comes with the background; I'm ex-military with many years of service after that as a private engineer for the DoD). Whether it be IDS, vuln-assessment, anti-virus, system/network hardening or penetration testing... any security person that relies completely on one solution or vendor is just spinning wheels, spending money and waiting for a break-in. I WarDrive with several different systems, I WarDial with 2 different rigs as well, and have several layers of AV at different traffic points... The theory being "What one vendor can't catch, hopefully his competitor will."

Nmap can spot over 600 different fingerprints... But like the blood-and-guts forensic fingerprinters, there has to be enough of a print to base your guessing on. I have a few Cisco APs set up, and I've talked it over with Fyodor - Nmap can find these APs... But the guy that set them up knows what he's doing, and their profile is so low-key that nmap cannot ID them. Nor can xprobe... APTools can spot some of them, if I aim it at the IP and tell it to look for an Aironet. The program isn't mature enough yet for me to use on an Enterprise/campus level.

I've proven to co-workers that even War Driving isn't good enough, because depending on the building materials and AP location, you might miss one or two... And it only takes one.

Here's a summation:

- Firewalls, firewalls, firewalls
- I'm writing some scripts to work a "regular nmap & xprobe scan" into a cron...
- Doing the same with the ARP table / MAC Address IDs for comparison...
- VPN, VPS, VPN...
- Keeping an eye on APTools and other possible scanners for future use...
- Using SNMP capable scanners to watch for "Default configured" APs...
- Using Vuln Scanners to look for "Vulnerable" devices that I didn't put out there...
- I'm inviting the company Air Defense to come show us what their product can do...
- Did I mention Firewalls and VPNs?
- WarDriving... In case none of the above works... (at least it's a way to get out of the office and get some sunshine, right?)

I'll never get all of these things straightened out in time for my paper (due in two weeks) but at least I know where to go, and what to cover (high overview) as far as topics for the paper go. All in all, a lot of work.

There are several classes that rogue APs can fall into:

- Malicious: Those that do NOT want to be found or secured
- Well intentioned: Those that don't understand the need to be secured
- Clueless: You can find these and secure them?

The last two are the most dangerous: Bob down in marketing who just wants to work out at the picnic table on nice days, or Doris in accounting who likes to take her laptop down to the conference room and work.

Thanks for all the input from everyone... I'll keep my eyes and ears open, and send an update if anything new does actually pop up. When I'm done with the paper (sorry I can't post it) I'll post some data on the tools available (look at http://www.airmagnet.com and http://www.bvsystems.com/ yellowjacket in the meantime...)

_____
Jeffrey.Isherwood () rl af mil - Senior Security Engineer-UNIX Sys
AFRL\IFOSS

"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable..." - Sun-Tzu, The Art of War

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service.
For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
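The "ARP table / MAC Address IDs for comparison" item in the summation above is the one wire-side check that needs no cooperation from the AP, so here is a worked version of it. This is an added example, not code from the original post or from its author: it assumes `arp -an` style output (Linux/BSD), the ARP snapshots are constructed sample data rather than real hosts, and the three OUI prefixes in `WLAN_VENDOR_OUIS` stand in for the IEEE OUI registry you would load in practice.

```python
"""Wire-side rogue-AP check: diff the ARP/MAC table against a saved baseline.

Added example (not from the original post). Assumes `arp -an` style output
(Linux/BSD); the OUI table is an illustrative stand-in for the IEEE registry
and the ARP lines below are constructed sample data, not real hosts.
"""
import re

# One or two hex digits per octet so BSD/Solaris-style "0:40:96:a:b:1" also parses.
MAC_RE = re.compile(r"\b([0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5})\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Assumed vendor prefixes for this example only; load the real IEEE OUI file in production.
WLAN_VENDOR_OUIS = {
    "00:40:96": "Aironet / Cisco",
    "00:02:2d": "Agere (ORiNOCO)",
    "00:04:5a": "Linksys",
}

# Constructed sample snapshots (not real hosts): yesterday's baseline and today's cron run.
BASELINE_ARP = """\
? (10.1.1.1) at 00:0c:29:11:22:33 [ether] on eth0
? (10.1.1.10) at 00:50:56:aa:bb:cc [ether] on eth0
? (10.1.1.20) at 00:e0:4c:01:02:03 [ether] on eth0
"""

CURRENT_ARP = """\
? (10.1.1.1) at 00:0c:29:11:22:33 [ether] on eth0
? (10.1.1.10) at 00:50:56:aa:bb:cd [ether] on eth0
? (10.1.1.20) at 0:e0:4c:1:2:3 [ether] on eth0
? (10.1.1.57) at 00:40:96:de:ad:01 [ether] on eth0
? (10.1.1.58) at 00:04:5a:be:ef:02 [ether] on eth0
? (10.1.1.60) at 00:11:22:33:44:55 [ether] on eth0
? (10.1.1.99) at <incomplete> on eth0
"""


def normalize_mac(mac: str) -> str:
    """Lowercase and zero-pad each octet so "0:E0:4C:1:2:3" == "00:e0:4c:01:02:03"."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_arp_table(text: str) -> dict:
    """Map IP -> normalized MAC; lines without a resolved MAC (<incomplete>) are skipped."""
    table = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:
            table[ip.group(1)] = normalize_mac(mac.group(1))
    return table


def oui(mac: str) -> str:
    """First three octets of a normalized MAC, e.g. "00:40:96"."""
    return mac[:8]


def diff_tables(baseline: dict, current: dict):
    """Return (new, changed): MACs never seen in the baseline, and IPs whose MAC changed."""
    known = set(baseline.values())
    new = {ip: mac for ip, mac in current.items() if mac not in known}
    changed = {ip: (baseline[ip], mac) for ip, mac in current.items()
               if ip in baseline and baseline[ip] != mac}
    return new, changed


def classify(new: dict) -> list:
    """Rank unknown MACs: a WLAN-vendor OUI is the strongest wire-side hint of an AP."""
    findings = []
    for ip, mac in sorted(new.items()):
        vendor = WLAN_VENDOR_OUIS.get(oui(mac))
        if vendor:
            findings.append(("HIGH", ip, mac, f"unknown host, WLAN-vendor OUI ({vendor})"))
        else:
            findings.append(("INFO", ip, mac, "unknown host, OUI not on WLAN list"))
    return findings


def run_check(baseline_text: str, current_text: str):
    """One cron run: parse both snapshots and return (findings, changed)."""
    new, changed = diff_tables(parse_arp_table(baseline_text), parse_arp_table(current_text))
    return classify(new), changed


if __name__ == "__main__":
    findings, changed = run_check(BASELINE_ARP, CURRENT_ARP)
    for sev, ip, mac, why in findings:
        print(f"{sev:4} {ip:15} {mac} {why}")
    for ip, (old, now) in changed.items():
        print(f"WARN {ip:15} MAC changed {old} -> {now} (spoofing or re-addressing?)")
```

Run it from cron against a freshly collected `arp -an` (or the switch's MAC address table pulled over SNMP) and persist the baseline to disk after each reviewed run. Two caveats the post's thesis already implies: an AP configured as a transparent bridge with no IP address on the wire never appears in the ARP cache at all, only the wireless clients bridged through it do, and those carry client-vendor OUIs, so the HIGH/INFO split is a triage hint rather than a verdict; and a MAC address is trivially changed, so a quiet baseline is evidence of nothing, which is why the post layers SNMP, vulnerability scanning and wardriving on top of it.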