Sponsor Blog: The importance of role reversal in wireless securityBy CWNP On 06/13/2014
By: Greg Rayburn, System Design Engineer, Fluke Networks
When people talk about wireless or Wifi security, the conversation usually involves the use of a WIPS or WIDS system, overlay or integrated and that's usually as far as the conversation goes. Although using a Wireless IDS is becoming a requirement in most environments, this is only part of the story to really understanding your wireless security posture. The second piece of the puzzle involves a bit of role reversal on the part of the wireless administrator. Instead of trying to monitor and protect the wireless environment from malicious users, they will now be the ones wearing the "Blackhat".
Performing a penetration test on your own wireless network not only identifies any potential holes you may have that you were not aware of, you are also validating your WIDS/WIPS system and your incident response plan.
What's involved with performing your own penetration test? I like to break the scope into 4 main areas:
• Observe – The reconnaissance phase
• Analyze - Develop your plan
• Execute – Execute your plan
• Plan – Develop an incident response plan
Observe "Reconnaissance or a walk-around"
The first step in your wireless threat assessment is the reconnaissance phase. This means you need to get outside walk around the building premises.
Main Points for the reconnaissance phase:
• See how far the wireless signal goes, keep notes
• Scan all channels
• What type of security is being used
• What SSID are clients probing for
• Physical security outside (including security cameras, patrols)
• How easy is it to get inside the building
• How easy is it to plant Rogue AP's (open offices, active Ethernet ports)
Analyze your results from the reconnaissance
What type of security are you dealing with?
• WEP – easily cracked in less than 5 minutes
• No Security – Honeypots, Phishing, MitM
• WPA/WPA2-PSK – capturing 4-way handshake, offline cracking, WPS attacks
• WPA2-E (802.1x) – Honeypot with fake radius server.
During your information-gathering phase, if you detect a large amount of smart devices (wireless phones and tablets), you might consider targeting hotspot connections using Karma and a fake AP. Remember to target different times during the day, you will get people coming into work, going to lunch and leaving for home right from the parking lot.
• Nexus 7 tablet running Pwnieexpress pwn pad or Kali Pwn
• Various laptops to run Kali Linux or your preferred Linux distribution natively or through a virtual machine.
• Drop boxes
o Raspberry Pi (running Kali Linux or PwnPi)
o Wifi Pineapple Mark V
• High Gain antennas both directional and Omni
Wireless adapters: (you can never have too many wireless adapters on hand)
• TP-Link WN722N (Atheros AR9271)
• Alfa AWUS036nha (Atheros AR9271)
• Alfa AWUS036NH (Ralink RT3070)
• Alfa AWUS036H (RTL8187L)
** Why so many wireless adapters? Well as I mentioned above, you can never have too many wireless adapters. Also from my experience, some chipsets give better results for some tools. If one card isn't working well for me, I can easily switch it out for another one.
Most of the tools you will need are already pre-installed on the Kali Linux distribution. Some notable standouts (aircrack-ng, mdk3, Reaver, Wifite, Hostapd + Karma, FreeRadius-WPE)
When setting up your equipment to be used in the execution phase, make sure you do this offsite. You wouldn't want the WIPS/WIDS system identifying your tools days before you actually execute the pen-test.
Execute a plan based on your Analysis
Basic Plan: (areas to include depending on the environment)
• Attacking Wireless Security
o WPA/WPA2-PSK Part 2 – WPS enabled?
• Denial of Service
o Deauthentication or Disassociation attacks
o Virtual Carrier style attacks
• Rogue Devices and Honeypot APs
o Dropboxes (placed inside and outside the target building)
o Using the Dropbox as a remote connection to launch attacks
o Wireless fuzzing is the process of sending malformed management or control frames
o Examples of Fuzzing attacks includes generating Beacons with greater than 32 byte SSID string, changing the Extended supported data rates with invalid rates
• Misconfigured Devices
o This is really a check for Access Points that might have been misconfigured
• Ad-Hoc Network connections
o Ad-Hoc networks are often overlooked as an entry point into the network. Devices like laptops, phones and even printers have the ability to create an Ad-Hoc connection
Plan/Develop processes to react to wireless intrusion attempts
• Identify your team members. These are the people that will lead the day-to-day operations for monitoring your WIPS/WIDS system and reacting or deploying personnel to contain the threat.
• How are the alerts getting to your wireless security personnel?
o All Wireless IDS/IPS systems have consoles to view the alerts as they come in. You can also setup external notifications such that your WIPS system can forward the alert to an email address or send an SNMP trap or Syslog. The key point here is to utilize these external notification mechanisms such as SIEM's to help manage the alarms and notify your team.
• Document the process flow from when you get the alert to what's the reaction. There should be a definitive workflow for how to handle any type of wireless intrusion attempt. Make sure you know what this is and your team follows this.
This is a pretty basic Wireless Security Assessment plan, but it should be enough to get you started with. Testing out your wireless security is always a good activity to perform on a regular basis. In some cases you might not have the budget to devote a full-blown team to this assignment, but the steps I present here should provide a good foundation to build upon.