I always say you've got to have the right tools to do a good job of looking for and exploiting security holes. This is especially true for wireless networks where tools (and the proper hardware configuration to run them on) are harder to come by than run-of-the-mill Windows security tools. Acquiring the right tools is the first and most important step in testing your wireless security.
For starters, you need good wireless cards -- not one but two, maybe three. The reason is that different tools require -- or at least work better with -- specific wireless chipsets. I've had good luck with the old Orinoco Gold card as well as the Netgear WAG511v2. Refer to your tool documentation for the best fit. Another good thing to look for is a card that has an external antenna connector for hooking up a Cantenna or similar wireless signal booster device. This can make all the difference in the world when rooting out low-powered or hidden wireless devices.
As far as wireless security testing software goes, I recommend the following:
- NetStumbler quickly identifies basic wireless devices that will respond to an "anybody out there?" request.
- Kismet roots out wireless devices that have their SSIDs hidden or otherwise won't respond to basic NetStumbler probes. If you're not into Linux or don't want to spend hours if not days setting up your wireless card drives in Linux, you can run Kismet directly from the BackTrack Live CD.
- Aircrack is for WEP and WPA pre-shared key cracking.
- FakeAP on the BackTrack Live CD mimics a legitimate access point and sets up an evil twin attack to see how your users carelessly connect to any old access point.
- AiroPeek wireless network analyzer to quickly and easily capture packets, look for top talkers, discover rogue systems, and more
- AirMagnet Laptop Analyzer, among many other things, has a nifty signal strength meter for determining how close or far away a wireless device is when you're walking around trying to locate it.
- Network Chemistry RFprotect Mobile is a full-featured and simple-to-use option to capture packets, locate legitimate and rogue devices, monitor signal strength and more.
- CommView WiFi is for low-cost packet capturing, packet generation and more.
Don't overlook the fact that wireless security testing doesn't just involve access points, laptops and the 802.11 protocol. Wireless is merely an entry point into your network -- not necessarily a standalone entity to test. Once you're able to obtain wireless network connectivity via MAC address spoofing, WEP/WPA cracking or whatever, you still have a ways to go poking around your Windows environment and testing Web applications, databases and so on. For a list of recommended tools, check out the Top 15 security tools for testing Windows.
That said, know that you're not going to find all wireless security vulnerabilities with tools alone. Knowledge of how wireless networks work combined with general networking, OS and security experience are all equally important.
Wireless network security testing
Step 1: Build your arsenal of tools
Step 2: Search for weaknesses
Step 3: Dig in deep to demonstrate the threat
ABOUT THE AUTHOR: Kevin Beaver is an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books including Hacking For Dummies, Hacking Wireless Networks For Dummies, Securing the Mobile Enterprise For Dummies (all by Wiley), as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at email@example.com..
Copyright 2006 TechTarget