Penetration Testing
mailing list archives
RE: Wireless Pent-Test
From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Mon, 6 Oct 2003 12:48:55 -0400
-----Original Message-----
From: Cesar Diaz [mailto:cesadiz () yahoo com]
Sent: Saturday, October 04, 2003 9:16 PM
To: pen-test () securityfocus com
Subject: Wireless Pent-Test
Remote users in my company have been begging for permission
to use wireless NICs in their laptops for a while now. When
they are not on the road, most of them work from home and
would like to be able to use their laptops anywhere in their house.
Yep. We're seeing this too. One of the things our policies state is that any connected node or nodes (this meaning
workstations at the road-warrior's house) are subject to corporate security policies. This means we get to audit for
security, check for AV, monitor for acceptable business use, etc... They're usually willing to deal with that.
Due to our industry and business requirements, we have to
document every process and method used to access our data and
prove that we've tested the security of our data. In order to
let the users go wireless I have to show that I've tested the
security on a wireless network.
Our idea is to let the users buy wireless routers to
connect to their cable/dsl routers and then wireless PCMCIA
or USB cards on the laptop. We would implement 128 bit WEP
security to prevent unauthorized access. I realize that WEP
does not provide for stringent security, but we feel that by
forcing users to change their WEP key regularly we can meet
our requirements.
Are you going to remotely manage the WAPs? Plan on logging into them periodically to force WEP key changes? Then you
have to notify them that it's changed, and provide them with a new key. IMO, this sounds like an undue administrative
burden.
My question is, how do I test WEP and document whether or not
it's secure? Any way to sniff for WEP keys, or to brute
force attack a WEP session? If there is, how hard is it to
set up? How much of a risk of a wireless connection with WEP
enabled to be compromised other than a dedicated, brute force attack?
Well, one way might be to sit outside their house using airsnort or another WEP cracking utility. Given enough time
and a few big file transfers by your user, there's a pretty good chance that the WEP key will be compromised. If your
users will be handling, or could get access to fairly sensitive data, I'd have to rule out WEP except in conjunction
with a pure IPSEC implementation. In that case, so what if the WEP key is compromised?
Any information is greatly appreciated.
Have you looked at Wireless Protected Access (WPA)? It's an emerging "standard" that looks pretty solid so far.
Cesar
--------------------------------------------------------------
-------------
Tired of constantly searching the web for the latest exploits?
Tired of using 300 different tools to do one job?
Get CORE IMPACT and get some rest.
www.coresecurity.com/promos/sf_ept2
--------------------------------------------------------------
--------------