WiFi Rogue AP: 5 Ways to Use ItBy CWNP On 07/28/2009 - 29 Comments
“The notion of a hard, crunchy exterior with a soft, chewy interior [Cheswick, 1990], only provides security if there is no way to get to the interior. Today, that may be unrealistic.” -- What Firewalls Cannot Do, Firewalls and Internet security
Rogue APs are Access Points (APs) that are deployed in an enterprise network without the consent of the authority owning the network. In certain cases, the intent behind a Rogue AP may be benign – for example, an employee who wants to access the network from his favorite corner of the office. While in other cases, a Rogue AP can be deployed with a malicious intent – say, by an attacker or his accomplice.
Due to the commoditization and the rapid decrease in the form factor of WiFi APs, sneaking Rogue APs into an enterprise may not be difficult. Due to the spillage of RF signals, a Rogue AP enables an attacker sitting outside the premises to access your enterprise wired network. After interacting with several network administrators, I have realized that they are familiar with Rogue APs but, may lack a complete picture of what all damages one can inflict via a Rogue AP. Hence, I thought of compiling this list of “uses” for a Rogue AP (yes, “use” from the perspective of an attacker or an unauthorized access).
Data Leakage One of the most basic uses of a Rogue AP is the wealth of information that it can provide about the enterprise network by leaking the enterprise data on the wireless side. Just by passive sniffing of the leaked data, an attacker can gain information about the users in the network and their communication. Packets may be leaking network related information such as host names & IP addresses (All of us know about tons of broadcast packets that network devices transmit). Or, worse, in some poorly configured networks, sensitive information such as user names, passwords, email and data communication may be leaked out.
Network Scans and Device Fingerprints Once the host names and IP addresses are obtained, an attacker can resort to free tools to scan the network (e.g., IP Scan) and build a list of potential target hosts to attack. Each of the selected hosts can be “fingerprinted” using tools such as Nessus to obtain the details about the devices in the network – operating system vulnerabilities, mis-configuration, open services etc. Fingerprinting of both the end hosts and network entities (e.g., switches, routers) can be extremely valuable for launching further attacks!
Enterprise Data Access With the information obtained from the item #1 above, an attacker may already have the data that he is looking for. If he is not (yet) lucky, specific attacks can be launched on the potential list of target hosts built in item #2 above to try to gain direct access to the data. Examples of such attacks include password guessing (how many of us retain the default user name/passwords on switches/routers?), launching remote dictionary attacks and obtaining remote shell access (say, using buffer overflows).
Free Internet Access This is really cool – your rogue AP can provide free Internet access to anybody in the vicinity of your premises (at your cost). There is no guarantee that it will not be used for illegitimate purposes. This can be used to by pass enterprise policies and access prohibited sites from your enterprise. Worse, this can be used to initiate implicating communication using your network resources – e.g., transmission of sensitive emails.
Denial of Service (DoS) Attack on your Enterprise network A Rogue AP can be potentially useful to bring down your enterprise network by launching a DoS attack. Example attacks include ARP Poisoning, IP Spoofing and any other network device specific DoS attacks. Tools are readily available on the Internet for launching such attacks.
Hence, any unattended Rogue AP is a serious threat to your network security. You should take appropriate measures to detect them and flush them out of your network.
If you are thinking that your wired side security mechanisms such as firewalls and Network Access Control (NAC) units can solve this problem reliably, I beg to differ (a topic for another post). Meanwhile, here is some food for thought – will you sleep at peace if one of the network cables of your enterprise is extended way outside of your premises? Well, a rogue AP is very similar!Tagged with: gopi