RE: Wireless Pent-Test

From: Artes, Francisco (francisco_at_ea.com)
Date: 10/06/03

    Date: Mon, 6 Oct 2003 08:31:36 -0700
    To: "Cesar Diaz" <cesadiz@yahoo.com>, <pen-test@securityfocus.com>
    
    

    Testing WEP is pointless, it has been done ad nauseam and always proven
    to be trivial. There are countless free tools that allow you to do it.
    If this is for home use have them turn WEP and MAC Address filtering on.
    This isn't necessarily going to make them all that secure, as it takes
    about a gig of sniffed traffic to crack their WEP and anyone can spoof a
    MAC address to gain access... This does set them apart from their other
    neighbors and frankly the tasks of cracking the WEP and spoofing the MAC
    may cause the would-be hacker to just go to the next house. E.g. I am in
    a neighborhood with a WAP in every other house on my block... I am the
    only one running WEP/MAC filtering... If it were me sitting in a car I
    would just connect to the other houses and get what I want and go.

    You need to secure access to your protected network. So your VPN is
    still the key here for your own security, and practices. If you have a
    challenged authentication VPN that uses strong encryption you should be
    fine. No one is going to crack that, and if it is the only way they can
    connect to the office from home via their cable modems then you are
    golden. How they access their cable modems is really their issue. You
    can "require" them to run a home firewall and set regulations on how
    they set up their WAPs, but frankly how are you going to audit that?
    "yes officer, I am sitting here in front of Mr. Smith's house collecting
    his wireless network packets to make sure it is 128 bit encryption... I
    really need to stay here for a few more hours." ;) Then what, drive
    all around your city doing it to every employee's house? You could do
    something fun and set up the WAP at your office and then issue them to
    the employees... But this still isn't going to guarantee they don't stop
    by their favorite electronics store and buy one of their own for less
    than $100. Just make sure all communication with your office is
    encrypted. E.g. either it all goes through the VPN or SSL on webmail,
    SSH vs. Telnet, SCP vs. FTP, SSL POP and IMAP, etc when using extranet
    devices. These things will prevent your employee from having their data
    sniffed and passwords found on a public network. Remember they may
    start using the local Hot Spots once you let them have WiFi cards...
    There are all kinds of people lurking there running sniffers collecting
    what information they can.

    FYI A WAP is not a router... It is a bridge and a HUB. (As it is
    basically two separate network devices.) You bridge the wired network
    to the wireless network, and the wireless network is a
    repeated/broadcast system like a HUB. (Thus allowing you to sniff all
    the traffic.)

    Setting up WiFi at the office should be quite similar to this. You place
    all the WAPs on a non-trusted (DMZ) network off of your internet
    router. Then require users of that WiFi network to create VPN
    connections to access your trusted network. (Just as they would from
    home, or on the road.) These WAPs you control, and this should be good
    enough no matter what industry you are in. You can even set WEP and MAC
    filtering. I would suggest 802.1x or IPSEC if your WAP will allow it.
    Again ensure that all communications to the secure network are
    encrypted, they will all sit inside an encrypted tunnel so this is
    somewhat done for you already. For extra protection set the ACLs on
    your firewall/router to prevent this non trusted segment of the DMZ from
    accessing the Internet or anything really other than your VPN server.
    Thus you will force all traffic to use the VPN, and if someone does hop
    onto the network they will probably get bored and stop trying to use it.

    As you can see, you are trusting the VPN in both cases. It is the
    conduit that is going to be used to access your data, not the WiFi
    network. Just as their cable modem connection (as mega non secure as it
    is) is not tested because you are depending on the VPN.

    -----Original Message-----
    From: Cesar Diaz [mailto:cesadiz@yahoo.com]
    Sent: Saturday, October 04, 2003 20:16
    To: pen-test@securityfocus.com
    Subject: Wireless Pent-Test

    Remote users in my company have been begging for permission to use
    wireless NICs in their laptops for awhile now. When they are not on the
    road, most of them work from home and would like to be able to use their
    laptops anywhere in their house.

    Due to our industry and business requirements, we have to document
    every process and method used to access our data and prove that we've
    tested the security of our data. In order to let the users go wireless I
    have to show that I've tested the security on a wireless network.

    Our idea is to let the users buy wireless routers to connect to their
    cable/dsl routers and then wireless PCMCIA or USB cards on the laptop.
    We would implement 128 bit WEP security to prevent unauthorized access.
    I realize that WEP does not provide for stringent security, but we feel
    that by forcing users to change their WEP key regularly we can meet our
    requirements.

    My question is, how do I test WEP and document whether or not it's
    secure? Any way to sniff for WEP keys, or to brute force attack a WEP
    session? If there is, how hard is it to set up? How much of a risk is
    there of a wireless connection with WEP enabled being compromised other
    than by a dedicated, brute force attack?

    Any information is greatly appreciated.

    Cesar

    ------------------------------------------------------------------------

    ---
    Tired of constantly searching the web for the latest exploits? Tired of
    using 300 different tools to do one job? Get CORE IMPACT and get some
    rest. www.coresecurity.com/promos/sf_ept2
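Added example, not part of the thread and not Francisco's or Cesar's code: a small Python model of why WEP needs no "dedicated brute force attack" to give up plaintext. WEP prepends a 24-bit IV to the shared key and runs RC4 over the frame plus a CRC-32 ICV; the IV is sent in the clear and repeats quickly, and any frame with a guessable prefix (the LLC/SNAP header that starts every IP or ARP payload is a standard example) lets a passive listener recover that IV's keystream and decrypt any other frame that reuses it, without ever learning the key. Rotating the key does not change this. The key, IVs and frame contents below are constructed for the demo; the RC4 and frame layout are the real ones, with 802.11 headers and key-index byte omitted.

```python
import math
import zlib

IV_LEN = 3    # WEP IV is 24 bits, transmitted in the clear
ICV_LEN = 4   # CRC-32 "integrity check value", encrypted along with the payload


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream (KSA + PRGA); WEP uses it unmodified."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    return zlib.crc32(plaintext).to_bytes(ICV_LEN, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Station side: IV || RC4(iv || key) XOR (plaintext || ICV)."""
    if len(iv) != IV_LEN:
        raise ValueError("WEP IV must be 3 bytes")
    body = plaintext + icv(plaintext)
    return iv + xor(rc4(iv + key, len(body)), body)


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: decrypt with the shared key and check the ICV."""
    iv, ct = frame[:IV_LEN], frame[IV_LEN:]
    body = xor(rc4(iv + key, len(ct)), ct)
    plaintext, tag = body[:-ICV_LEN], body[-ICV_LEN:]
    if icv(plaintext) != tag:
        raise ValueError("bad ICV")
    return plaintext


def iv_reused(frame_a: bytes, frame_b: bytes) -> bool:
    """Attacker side: the IV is the first 3 cleartext bytes of every frame."""
    return frame_a[:IV_LEN] == frame_b[:IV_LEN]


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Attacker side: ciphertext XOR (known plaintext || its ICV) = keystream."""
    return xor(frame[IV_LEN:], known_plaintext + icv(known_plaintext))


def decrypt_with_reused_iv(known_frame: bytes, known_plaintext: bytes,
                           target_frame: bytes) -> bytes:
    """Attacker side, no key needed: the recovered keystream decrypts as many
    bytes of the target frame as we knew of the reference frame."""
    if not iv_reused(known_frame, target_frame):
        raise ValueError("IVs differ; keystreams are independent")
    return xor(recover_keystream(known_frame, known_plaintext), target_frame[IV_LEN:])


def frames_until_iv_collision(p: float = 0.5) -> int:
    """Birthday bound: frames a station picking random 24-bit IVs sends
    before some IV has repeated with probability p (about 4823 for p=0.5)."""
    return math.ceil(math.sqrt(-2 * 2 ** 24 * math.log(1 - p)))


if __name__ == "__main__":
    KEY = b"0123456789abc"          # constructed 104-bit ("128 bit") WEP key
    IV = b"\x2a\x2a\x2a"            # constructed IV, reused by two frames
    # LLC/SNAP header + start of an ARP request: guessable on any WEP network
    KNOWN = b"\xaa\xaa\x03\x00\x00\x00\x08\x06\x00\x01\x08\x00"
    SECRET = b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"GET /mail?pw=hunter2"
    f_known = wep_encrypt(KEY, IV, KNOWN)
    f_target = wep_encrypt(KEY, IV, SECRET)
    print("recovered without key:", decrypt_with_reused_iv(f_known, KNOWN, f_target))
    print("frames until an IV repeats (p=0.5):", frames_until_iv_collision())
```

A longer known frame (a padded ARP or an injected one) recovers a longer keystream for that IV, and a table of IV-to-keystream pairs decrypts the network wholesale; key recovery (the "gig of traffic" attacks) is a separate, stronger result, but this keystream reuse alone already defeats the "rotate the WEP key regularly" plan in the original question.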
    
