Wireless Penetration Testing – Who First?

Despite the wealth of benefits that wireless computing provides, it remains the most vulnerable part of your network, and the bad guys are all too aware of it. Many attacks that are highly difficult, if not impossible, on wired networks are fair game on wireless networks. Wireless removes one of your primary defenses, the physical barrier between your network and those who wish to breach it. Think of your network as a safe. It has a combination that limits access to those who know it, but while it sits in a locked facility, hidden behind a painting, an intruder has to know it’s there and get into the facility before even beginning to crack the combination. Now mount that safe on an outside wall for the world to see, and anyone with enough time and the right tools will get into the easy target. Wired networks are confined to their physical transmission media, wires and fiber. Wireless is broadcast, so anyone within reach of the signal can see that you have a network and can start working on gaining access. The fact that most wireless signals extend far beyond the building walls makes it an even easier entry point for outsiders.

In the end, even with strong security measures in place, skilled wireless hackers can and will find vulnerabilities in your security. While that may seem like a rather depressing reality, you can quantify and minimize the security risks to your wireless network by thinking and acting like those who want to compromise it. The first place to start is with Wireless Penetration Testing. Below we give an introduction to how this practice works and how you can use it to stay one step ahead of hackers.

What is Wireless Penetration Testing?
Rather than a single technique, wireless penetration testing, or pen testing, is a process, one that has been well documented and in many cases well automated. Some have even referred to it as a cottage industry, spawning popular books, tools, and services. For our purposes, it is the set of methods hackers use to try to breach your wireless network, so it should also become the set of methods you use to test your network. By doing so you’ll understand your vulnerabilities in advance, allowing you to address the ones that are economically feasible to fix in your particular situation. Remember, any issue in network security is essentially an arms race: you need to decide how best to spend your resources to obtain the maximum level of security that you can afford, and be aware of your remaining areas of vulnerability.

Wireless penetration testing can take several forms, including eavesdropping, malicious attacks designed to prevent legitimate users from accessing the network, and attempts to actually gain access to the overall corporate network via wireless vulnerabilities. Let’s take a look at each one in a bit more detail.

Given the open nature of wireless, eavesdropping is a fact of life. Anyone with a computer, a wireless adapter, and the right software can simply sit within range of a specific AP or client and receive each and every network packet, thereby reconstructing the entire network session for either the specific client or the overall communication from the AP. And you won’t even know this is going on. Ironically, the software used to do this is also a very effective tool in overall wireless network analysis: a packet sniffer. So we mustn’t throw out the baby with the bath water. A packet sniffer (like OmniPeek from WildPackets) is indispensable for any network engineer responsible for a wireless network. The idea is to understand what can be captured from your network with a packet sniffer before a bad guy does, including how far from the building your network remains vulnerable and which users (and applications) are most exposed. Using any level of encryption helps here, as only the packet headers of encrypted data will be accessible via sniffing, assuming your encryption keys have not been cracked (we’ll cover this shortly).
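To make the last point concrete, here is an added example (not code from the original post, and not related to OmniPeek) that decodes the cleartext 24-byte MAC header of an 802.11 data frame and reports what a passive sniffer still learns when the body is encrypted: the frame type, the direction, the station and BSSID addresses, and the sequence number, but not the payload. The frame bytes and MAC addresses are constructed for the example; the parser handles the generic (non-QoS) header only, since QoS data frames carry two extra bytes.

```python
import struct

# Constructed sample: one protected 802.11 data frame, client -> AP (ToDS=1).
# The addresses are made up; the body is an 8-byte CCMP header plus opaque ciphertext.
BSSID = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("aabbccddeeff")
DEST = bytes.fromhex("0a0b0c0d0e0f")

SAMPLE_FRAME = (
    b"\x08\x41"                # frame control: type=data, subtype=0, ToDS=1, Protected=1
    b"\x2c\x00"                # duration/ID
    + BSSID + CLIENT + DEST    # addr1 (BSSID), addr2 (transmitter), addr3 (final destination)
    + b"\x10\x00"              # sequence control: fragment 0, sequence number 1
    + bytes(range(8))          # stand-in CCMP header (packet number, key id)
    + bytes.fromhex("9f3ab1c2d47e5580ee01f2a3")  # stand-in ciphertext: unreadable to a sniffer
)

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_dot11_header(frame):
    """Decode the cleartext MAC header of a generic (non-QoS) 802.11 frame."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a 24-byte MAC header")
    fc0, fc1, duration = struct.unpack_from("<BBH", frame, 0)
    (seq_ctrl,) = struct.unpack_from("<H", frame, 22)
    return {
        "type": FRAME_TYPES.get((fc0 >> 2) & 0x3, "reserved"),
        "subtype": (fc0 >> 4) & 0xF,
        "to_ds": bool(fc1 & 0x01),
        "from_ds": bool(fc1 & 0x02),
        "protected": bool(fc1 & 0x40),  # Protected Frame bit: the body is encrypted
        "duration": duration,
        "addr1": mac(frame[4:10]),
        "addr2": mac(frame[10:16]),
        "addr3": mac(frame[16:22]),
        "seq_num": seq_ctrl >> 4,       # upper 12 bits; low 4 bits are the fragment number
        "body_len": len(frame) - 24,
    }


def eavesdropper_view(frame):
    """Summarise what a passive sniffer learns from one frame: header fields are
    always readable, the payload only when the Protected bit is clear."""
    h = parse_dot11_header(frame)
    if h["to_ds"] and not h["from_ds"]:
        direction = "station to AP"
    elif h["from_ds"] and not h["to_ds"]:
        direction = "AP to station"
    else:
        direction = "other"
    return {
        "frame_type": h["type"],
        "direction": direction,
        "addresses": {h["addr1"], h["addr2"], h["addr3"]},
        "seq_num": h["seq_num"],
        "payload_readable": not h["protected"],
        "payload_bytes": h["body_len"],
    }


if __name__ == "__main__":
    for k, v in eavesdropper_view(SAMPLE_FRAME).items():
        print(f"{k}: {v}")
```

Even with the body encrypted, the addresses and traffic pattern are enough for an outsider to map which clients talk to which AP and how busy each is; that is the residual exposure you want to measure from outside your own walls.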

A man-in-the-middle attack is a more sophisticated form of eavesdropping, where the perpetrator actually “participates” in the network by taking receipt of a data stream and changing its contents before forwarding it on. This could be to redirect traffic to an unauthorized host, or even to manipulate data within a communication, such as a credit card transaction. As with eavesdropping, wireless data encryption of the highest practical form is the best defense.

Disruption Attacks
A Denial of Service (DoS) attack, which is much easier to mount on a wireless network than on a wired network, is the most basic form of disruption attack. Since the physical layer for wireless is the air, and the spectrum used is shared with other devices, one simple yet effective DoS attack is to flood the spectrum with noise and illegitimate traffic. Though illegal, this is quite hard to trace, and even harder to prove. There’s no real need to perform DoS testing of your own, especially at layer one, because it’s just plain easy to do and there is very little you can do to counteract it. The best approach is to make sure you have tools in place, and know how to use them, that can monitor layer one for interference, possibly even identifying its type, and that can also monitor layer two and above to alert you when DoS activity is detected on the network.
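As an added illustration of the layer-two monitoring just described (this is example code, not the post’s own or any vendor’s), the following sliding-window detector raises an alert when a single transmitter sends a burst of deauthentication or disassociation frames, the classic layer-two disruption signature. The frame records, addresses and thresholds are constructed for the example; a real monitor would feed it decoded management frames from a capture.

```python
from collections import deque
from dataclasses import dataclass

AP = "00:11:22:33:44:55"        # constructed: the legitimate access point
ROGUE = "de:ad:be:ef:00:01"     # constructed: a transmitter flooding the channel
BCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class MgmtFrame:
    ts: float      # capture timestamp in seconds
    subtype: str   # "beacon", "deauth", "disassoc", ...
    src: str       # transmitter address
    dst: str       # receiver address (broadcast = every client on the AP)


def detect_deauth_flood(frames, window=1.0, threshold=20):
    """Return one alert (src, window_start, count) per transmitter that sends at
    least `threshold` deauth/disassoc frames within any `window` seconds.
    A handful of such frames is normal AP housekeeping; a burst is not."""
    alerts = []
    recent = {}        # src -> timestamps of its recent deauth/disassoc frames
    already = set()    # transmitters already reported, to avoid repeat alerts
    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.subtype not in ("deauth", "disassoc"):
            continue
        q = recent.setdefault(f.src, deque())
        q.append(f.ts)
        while q and f.ts - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and f.src not in already:
            alerts.append((f.src, q[0], len(q)))
            already.add(f.src)
    return alerts


def build_sample_capture():
    """Constructed capture: normal beacons and two isolated disassociations from the
    AP, plus 40 broadcast deauth frames from the rogue transmitter in half a second."""
    frames = [MgmtFrame(i * 0.1, "beacon", AP, BCAST) for i in range(100)]
    frames.append(MgmtFrame(2.5, "disassoc", AP, "aa:bb:cc:00:00:01"))
    frames.append(MgmtFrame(7.0, "disassoc", AP, "aa:bb:cc:00:00:02"))
    frames += [MgmtFrame(5.0 + i * 0.0125, "deauth", ROGUE, BCAST) for i in range(40)]
    return frames


if __name__ == "__main__":
    for src, start, count in detect_deauth_flood(build_sample_capture()):
        print(f"ALERT: {count} deauth/disassoc frames from {src} within 1s starting at t={start:.2f}s")
```

The threshold and window are the tuning knobs: set them from a baseline capture of your own network so that routine disassociations from your APs stay below the line while a burst aimed at your clients crosses it.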

Unauthorized Network Access
Although eavesdropping and disruption attacks are certainly serious, they also tend to be localized, since WLAN signals only travel for several hundred feet. These attacks are most effective when a large number of users are confined to a relatively small space, like a conference center or a stadium. Unauthorized network access, though somewhat harder to accomplish, has a much greater reach if successful, as it allows the hacker to gain access to the network overall, eliminating the “localized” effect of WLAN signals. Unauthorized WLAN access, assuming your WLAN is not already open to all users (which should never be the case), requires that either (a) the perpetrator knows, or somehow guesses, the key used for network access (and subsequently the seed for data encryption) or (b) the perpetrator employs specific software that monitors overall WLAN traffic, eventually “cracking” the network key either through brute force or by exploiting known weaknesses in WLAN protection schemes like WEP (Wired Equivalent Privacy). Once the key is cracked, the perpetrator is on your network, with all the privileges allowed to your wireless users. The best protection against unauthorized access is first and foremost to use the most powerful WLAN protection scheme possible, WPA2 Enterprise. No other scheme is really suitable for corporate networks. And if you feel that’s not enough, place your wireless network in your DMZ and require that wireless users only access corporate data over a VPN.
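The first step of that self-assessment is simply to inventory which protection scheme each of your own SSIDs actually advertises. The following added example (not from the original post) rates scan results against the post’s criterion that only WPA2 Enterprise is suitable for a corporate network: open and WEP networks are rated critical, pre-shared-key networks high (one shared key that can be guessed or brute-forced), and anything other than WPA2 with EAP is flagged. The `key=value` scan format, SSIDs and BSSIDs are constructed for the example and do not mimic any particular scanner’s output.

```python
# Constructed scan output in a simple key=value-per-line format (not any tool's real format).
SCAN_LINES = """\
ssid=corp-wifi bssid=00:11:22:33:44:55 proto=WPA2 akm=eap
ssid=corp-guest bssid=00:11:22:33:44:56 proto= akm=open
ssid=warehouse-legacy bssid=00:11:22:33:44:60 proto= akm=wep
ssid=corp-iot bssid=00:11:22:33:44:57 proto=WPA2 akm=psk
ssid=corp-old bssid=00:11:22:33:44:58 proto=WPA akm=eap
ssid=neighbour-cafe bssid=66:77:88:99:aa:bb proto=WPA2 akm=psk
"""

# SSIDs that belong to us; anything else is out of scope for a self-assessment.
MANAGED_SSIDS = {"corp-wifi", "corp-guest", "warehouse-legacy", "corp-iot", "corp-old"}

SEVERITY_ORDER = {"critical": 0, "high": 1, "ok": 2}


def parse_scan(text):
    """Turn the constructed scan text into a list of dicts, one per network."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        records.append(dict(tok.split("=", 1) for tok in line.split()))
    return records


def rate(rec):
    """Map an advertised protection scheme to (severity, reason)."""
    akm = rec.get("akm", "")      # key management: open, wep, psk, eap
    proto = rec.get("proto", "")  # WPA, WPA2, or empty for open/WEP
    if akm == "open":
        return "critical", "open network: any client in range can associate"
    if akm == "wep":
        return "critical", "WEP: key recoverable from captured traffic, treat as open"
    if akm == "psk":
        return "high", f"{proto or 'WPA'}-PSK: single shared key that can be guessed or brute-forced"
    if akm == "eap" and proto == "WPA2":
        return "ok", "WPA2 Enterprise: per-user credentials, no shared key"
    if akm == "eap":
        return "high", f"{proto} Enterprise: not WPA2, upgrade the AP configuration"
    return "high", f"unrecognised configuration proto={proto!r} akm={akm!r}"


def audit(text, managed):
    """Return (severity, ssid, bssid, reason) for every managed network that is not 'ok',
    most severe first."""
    findings = []
    for rec in parse_scan(text):
        if rec.get("ssid") not in managed:
            continue
        sev, why = rate(rec)
        if sev != "ok":
            findings.append((sev, rec["ssid"], rec["bssid"], why))
    findings.sort(key=lambda f: SEVERITY_ORDER.get(f[0], 99))
    return findings


if __name__ == "__main__":
    for sev, ssid, bssid, why in audit(SCAN_LINES, MANAGED_SSIDS):
        print(f"[{sev.upper():8}] {ssid} ({bssid}): {why}")
```

Restricting the audit to your own SSIDs keeps the exercise a self-assessment; the neighbouring network in the sample is skipped rather than rated.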

Wireless Penetration Testing – You First!
By understanding the techniques a hacker will use against your WLAN, you’re armed with the information you need to get there before him or her and to understand and address, where feasible, your vulnerabilities. Keep in mind that there are many automated software programs in the open source “hacker community” for penetration testing. Don’t be afraid to download them yourself and point them squarely at your own network, before someone else does. And while you’re doing that, make sure you’re also sniffing your own network packets at the same time, as this will give you a clear picture of how your network reacts during each simulated attack.

The bottom line is that when it comes to network security, ignorance certainly isn’t bliss, and it’s safe to assume that there’s probably someone trying to find cracks in your wireless defenses this very minute.

Penetration testing is one of the best ways to accurately evaluate your wireless network’s current level of risk. Seeing in real-time how and where an attacker can access your system allows network administrators to address vulnerabilities before someone else finds them.
