You can find wireless weaknesses and leave it at that -- an audit of sorts. That may be all you care to do, but I recommend taking it a step further to see what can actually be exploited. That's how it works in the real world. Based on the weaknesses I've listed above, here are some exploits you can carry out to see how far you can get into your systems as a malicious attacker. Just be careful and know that you can easily take your network down and expose sensitive information by running these tests.
- Plug into the console port on an easily accessible access point and see how far you can get into the device -- guessing the password, reading the configuration, changing the configuration and so on.
- Tap into wireless signals from the parking lot, floors above and below and so on.
- Using a wireless network analyzer, capture email, Web, FTP, VoIP, and other communications to gather valuable authentication credentials and sensitive data traveling through the air in clear text.
- Exploit MAC address controls by determining a valid MAC address with a wireless network analyzer and then spoofing your local MAC address using a tool such as SMAC.
- Crack WEP and WPA keys using tools such as Aircrack and Cowpatty, which are part of the BackTrack Live CD.
- Connect to access points via telnet or HTTP to crack passwords, change network configuration, add/modify access controls and more.
- Attach to unsecured Windows shares or obtain remote connectivity via null sessions, RPC, Remote Desktop, misconfigured SQL Server, IIS and more.
- Exploit missing Windows patches using Metasploit or a similar tool.
- Pass through from the wireless network to the wired side and see what else you can ping, scan and otherwise exploit.
- Attach to printers via their Web console or SNMP to glean information, change the configuration, manage print jobs and more.
- If all else fails and you still believe your 802.11b/g wireless network is secure, there's a wireless exploit referred to as the Queensland Attack that'll likely bring it to its knees in a heartbeat. All it takes is an old D-Link DWL-650 card and the retired Prism chipset testing tool (search Google for PrismTestUtil322.exe) to put the wireless card in continuous transmit mode. Go into this test with your eyes wide open, using caution and accepting personal responsibility, since it will likely disrupt your wireless network and any other one around you. On the positive side, this can be used to demonstrate that, no matter what, wireless is indeed vulnerable and to show that you need a wireless IDS/IPS that helps ward off or at least fight back against this type of attack.
Don't Stop Now
This is only the beginning. Literally hundreds of ways exist to exploit wireless networks and their associated devices. Once you've figured out where your wireless network is weak, it's time to lock things down. Suffice it to say, this is easily another tip by itself, but there are a few things I can point you to. Simple wireless networks running WPA2 with long and strong pre-shared keys (20+ random characters) combined with Windows systems running the Windows Firewall are going to be pretty darn secure. For larger wireless configurations this won't be quite as convenient to manage though. The best tried and true solution for enterprise wireless security is a wireless IDS/IPS system from a company such as AirDefense, Network Chemistry, or AirTight Networks. Also, check out some solutions I offered in this recent tip, Locking down laptops that connect to hotspots, and webcast, Windows network vulnerability assessment: From A to Z.
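The pre-shared key advice above (WPA2 with 20+ random characters) can be checked before a key is deployed. The Python below is an added example, not part of the original article; the function names, the symbol alphabet and the 100-bit entropy threshold are assumptions made for illustration.

```python
import hashlib
import math
import secrets
import string

MIN_RECOMMENDED = 20  # the article's "20+ random characters"
MIN_BITS = 100        # assumed threshold, not from the article
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"  # assumed set

def generate_psk(length=24):
    """Return a random passphrase drawn from the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 ASCII characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def audit_psk(passphrase):
    """Return a list of findings; an empty list means the key passes."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("invalid length for WPA2 (must be 8-63)")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        findings.append("contains non-printable or non-ASCII characters")
    if len(passphrase) < MIN_RECOMMENDED:
        findings.append("shorter than 20 characters")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    pool = sum(len(c) for c in classes if set(passphrase) & set(c))
    if any(c not in string.ascii_letters + string.digits for c in passphrase):
        pool += 32  # rough size of the printable-symbol class
    # Upper bound only: it assumes every character was chosen at random,
    # so a dictionary word scores far higher here than it deserves.
    bits = len(passphrase) * math.log2(pool) if pool else 0
    if bits < MIN_BITS:
        findings.append(f"at most {bits:.0f} bits of entropy even if random")
    return findings

def derive_pmk(passphrase, ssid):
    """WPA/WPA2-PSK derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds.

    The result depends only on passphrase and SSID, which is why a short or
    guessable passphrase can be tested offline and a long random one cannot.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

if __name__ == "__main__":
    # Constructed sample passphrases, followed by a freshly generated one.
    for candidate in ("Summer2006", "correcthorsebattery", generate_psk()):
        print(repr(candidate), audit_psk(candidate) or "OK")
```

Because the SSID is the salt, a common default SSID weakens even a moderately good passphrase, so change both.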
Wireless attackers know that the odds are on their side and it's a heck of a lot easier to attack wirelessly. They have the tools, the know-how, and practically all the time in the world. They also know that most people don't proactively monitor their critical wired networks and applications -- much less their wireless environment. Never forget that "no wireless" policies will be broken and your users cannot simply be trusted to always do the right thing.
So, test your wireless and test again. You never know what's there for the taking.
ABOUT THE AUTHOR: Kevin Beaver is an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books including Hacking For Dummies, Hacking Wireless Networks For Dummies, Securing the Mobile Enterprise For Dummies (all by Wiley), as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at firstname.lastname@example.org.
Copyright 2006 TechTarget