Re: [PEN-TEST] Penetrating Wireless Networks

From: Ichinin <ichinin_at_swipnet.se>
Date: Sun, 11 Mar 2001 14:15:40 +0100

Hi.

Frank Knobbe wrote:
>
> I know the technologies are rather new compared to wired networks,
> but does anyone have any pointers for penetration tests of wireless
> networks, 802.11b in particular?

None that I've heard of that do not already exist for Ethernets
that you could use.
>
> In my opinion, with the advance of wireless networks, this will be a
> very important part of pen tests. Has anyone developed any
> methodologies for such tests? Are there any tools available that
> assist in testing wireless networks?

I've written a portscanner for the RLAN-capable PocketPCs (MIPS)
and a bruteforce password guesser for the Symbol Access Points.
But those tools are hardly useful for anything but toying around.

> For example, one is able to run
> tcpdump and other goodies on the wireless card just like on regular
> NIC's.

Yes, it's just like a normal network.

> However, in order to gain access to the WLAN, one must know
> not only the WEP encryption key (if WEP is used), but also the ESS
> (network identifier), preamble length, and channel number.

One idea you could try:
Place an AP with the ACCEPT Broadcast ESSID option turned on and a
sniffer, and use the same network type (IPs etc). The ESSID is not hard
to guess since a lot of default installations exist out there, i.e.
ESSID "101" (a leftover from the Spring protocol).

A note on WEP:

Do not use it. Since static keys are used, the risk of
someone mounting a statistical cryptanalytical attack on WEP
(as the WEP FAQ may have pointed out) is big. Some of the
older APs are still shipped with 40-bit security. Some of
the crypto keys are world-readable in the registry on the
systems that have RLAN NICs installed, which is a big mistake.
So, don't just look at the hardware (OK, do some SNMP & default
password checking); you need to look at the software side as well.

Frequency hopping is security through obscurity; the hopping
sets are too predictable, i.e. the next frequency MUST be at least
3 frequencies up or down the list (subtract 7 frequencies out of
83). There are also only 3 main sets of frequencies and IIRC 25
subsets of those, totalling ~75 frequency sequences.

Regards,
Glenn aka "Ichinin"
Received on Mar 11 2001