In: Categories » Electronics and communication » Network security » Penetration Testing as Your First Line of Defense
| It is hard to overemphasize the importance of penetration testing in the overall information security structure and the value of viewing your network through the cracker's eyes prior to further hardening procedures. There are a variety of issues specific to penetration testing on wireless networks. First of all, the penetration tester should be very familiar with RF theory and specific RF security problems (i.e., signal leak and detectability, legal regulations pertaining to the transmitter power output, and characteristics of the RF hardware involved). Layer 1 security is rarely an issue on wired networks, but it should always be investigated first on wireless nets. The initial stage of penetration testing and security auditing on 802.11 LANs should be a proper wireless site survey: finding where the signal from the audited network can be received, how clear the signal is (by looking at the signal-to-noise ratio (SNR)), and how fast the link is in different parts of the network coverage zone. It must also discover neighboring wireless networks and identify other possible sources of interference. The site survey serves four major security-related aims:
This last point is of particular significance because air is a less reliable medium than copper and fiber and a security-keen administrator can easily confuse network misconfigurations with security violations, in particular, DoS attacks. For example, a host on wireless network might be unable to discover another wireless host that roamed into a "blind spot" and keeps sending SYN packets. Sensitive IDS alarms go off indicating a SYN flood! At the same time the disappeared host stops sending logs to the syslog server. The security system administrator goes to Defcon 1, but five minutes later everything returns to normal (the roaming user has left the "blind spot"). Another example is an "abnormal" amount of packet fragments coming from the WLAN side. Of course it could be a fragmented nmap or hping2 scan by an intruder or an overly curious user, but most likely it has something to do with a much larger default maximum transmission unit (MTU) size on a 802.11 LAN (2312 bits on 802.11 vs. approximately 1500 bits on 802.3/Ethernet taking 802.1q/ISL into account). Whereas for a wireless networker these issues are obvious, for a system administrator not familiar with 802.11 operations they can be a pain in the neck, security and otherwise. After surveying the network, the next stage of penetration testing is dumping the traffic for analysis and associating with the audited LAN. However, being able to associate to the WLAN is not the end of a penetration test on a wireless network, as many security consultants would have you believe. In fact, it is just a beginning. If penetration testing is looking at the network through the cracker's eyes, then please do so! Crackers do not attack wireless networks to associate and be happy: They collect and crack passwords, attempt to gain root or administrator privileges on all vulnerable hosts in a range, find a gateway to the Internet, and connect to external hosts; finally they hide their tracks. Unless the penetration test demonstrated how possible everything just listed is, it has not reached its goal. Of course new versions of the tools inevitably come out frequently and completely new security software utilities are getting released. At the same time, the process from submitting the book proposition to seeing the work on the shelves is very lengthy. Nevertheless, we aim to provide the latest versions of everything you need to audit 802.11 LAN security and, at least, what we have described in this article should give you a good direction on where to look for the new releases and tools and what they are supposed to do. Besides, the accompanying Web site will be continuously maintained and posted with all recent developments in wireless security and new software releases. Visit it regularly and you won't be disappointed!
 |
legal disclaimer
1) Our website is not responsible for the information contained by this article as well for any and all copyright infringements by authors and writers. E-articles is a free information resource. If you suspect this article for any copyright infringements, please read the Terms of service and contact us to investigate the problem.
2) The E-articles directory team is not responsible for inaccuracies, falsehoods, or any other types of misinformation this tutorial may contain and will not be liable for any loss or damage suffered by a user through the user's reliance on the information gained here. Please read the Terms of service
Useful tools and features
If you like this article (tutorial), please link to it from your web page using the information above. Linking to this page, this is the only way to help us improve our service, the same time providing your visitors with a way to improve their online experience.
related articles
Can symmetric cryptography meet the requirements of the Biba model, based on the data integrity checks and proper authentication? The answer is "yes," but in a very inefficient way. Recall the practical authentication example with the UNIX (well, Linux in our case) password encryption flaw when DES in ECB is used. Of course, any of the feedback modes or 128-bit block ciphers can be used instead of DES, with the obvious performance penalties. However, in our example, MD5 scales very well. A cryptographic hash function i...
2. 802.11i Wireless Security Standard and WPA
Thus, the main hope of the international 802.11 community and network administrators lies with the 802.11i standard development. Sometimes 802.11i is referred to as the Robust Security Network (RSN) as compared to traditional security network (TSN). The "i" IEEE task group was supposed to produce a new wireless security standard that should have completely replaced legacy WEP by the end of 2003. In the meantime, some bits and pieces of the incoming 802.11i standard have been implemented by wireless equipment and software vendor...
3. Proprietary Improvements to WEP and WEP Usage
The article devoted to the proprietary and standards-based improvements for currently vulnerable 802.11 safeguards. The most publicized 802.11 vulnerability is the insecurity of WEP. We have already reviewed the cryptographic weaknesses of WEP linked to the key IV space reuse and insecure key-from-string generation algorithm. There are also well-known WEP key management issues: All symmetric cipher implementations suffer secure key distribution problems. WEP is no exception. In the original design,...
4. Asymmetric Cryptography
Message authentication using HMACs works just fine, but how do we distribute symmetric cipher keys among the users? We can pass them around on floppies or fancy USB pen-drives with encrypted partitions on them, but what if many users live all over the world? What if the physical key distribution method takes time and the keys must be frequently changed? This is the case with the traditional WEP, which should be rotated every few minutes. Key-encrypting keys (KEKs) were offered as symmetric cipher keys used only to encrypt...
5. Examples and Analysis of Common Wireless Attack Signatures
The best way of knowing these signatures is trying out the tools in question and sniffing out their output: "Attack through defending, defend through attacking" (Dr. Mudge). The best source on wireless network intrusion tool detection and attack signatures we are aware of is Joshua Wright's "Layer 2 Analysis of WLAN Discovery Applications for Intrusion Detection" and "Detecting Wireless LAN MAC Address Spoofing" papers. A large part of this tutorial is inspired by these brilliant articles and our experience of analyzing WLAN tr...
6. Deploying a Wireless IDS Solution for Your WLAN
How many IDS solutions that implement the recommendations and follow the guidelines we have already discussed are present on the modern wireless market? The answer is none. There are many wireless IDS solutions that look for illicit MAC addresses and ESSIDs on the monitored WLAN. Some of these solutions are even implemented as specialized hardware devices. Although something is better than nothing, in our opinion such "solutions" are a waste of both money and time. They might also give you a false sense of security. Let's...
7. Hash Functions Their Performance and HMACs
Other widely used hash functions include 128-bit MD5 from RSA Data Security, Inc., which is a very fast and commonly implemented hash. MD5 is traditionally used to encrypt Linux user passwords (hashes start with the "$1$" character), authenticate routing protocols like RIPv2 and OSPF, create checksums of binaries in RPMs, and verify the integrity of Free/OpenBSD ports files. The specifications of MD5 are available in RFC 1321. Host intrusion detection tools like Tripwire (http://www.tripwire.com) use MD5 to take snapshots of a syst...
8. Introduction to Applied Cryptography and Steganography
One can set up a reasonably secure wireless or wired network without knowing which ciphers are used and how the passwords are encrypted. This, however, is not an approach endorsed by us and discussed here. Hacking is about understanding, not blindly following instructions; pressing the buttons without knowing what goes on behind the scenes is a path that leads nowhere. Besides, security and quality of service are tightly interwoven, incorrect selection of the cipher and its implementation method can lead to a secure but sluggish...
9. Streaming Ciphers and Wireless Security
Streaming algorithms were designed to avoid speed and throughput penalties due to the implementation of block symmetric ciphers in CFB and OFB modes when bit-by-bit data encryption is required. Streaming ciphers are based on generating identical keystreams on both encrypting and decrypting sides. The plaintext is XORed with these keystreams to encrypt and decrypt data. To generate the keystream, pseudo-random generators (PRNGs) are used, thus placing stream algorithms somewhere between easy-to-break simple XORing with a predefi...