How to perform a red-team wireless audit on the cheap
Just a brain dump of some stuff I was working on, I will add links later. First step for a wireless pentest at a specific location, is to verify that wireless networks are in use, and then determine the level of security employed at access points. This can be done using a “stumbling” tool, such as Netstumbler, airsnort, or kismet. To test signal strength, a antennae can be used to determine how well localized the internal WLAN is centered. Access points which are set to max power on transmit can sometimes be accessed from many blocks away from the target location. There are many open-source, and retail applications that can perform this task. The objective is simply to verify that an access point is available, and to determine if advanced association level authentication is being used for the access point. If no association level security is in place, the Access Point (AP) is considered “Open” and offers no level of security to it’s users, and allows an attacker free access onto the Wireless network and any wired networks that are attached. Examples of secured association level authentication are; WEP, WPA, WPA2, LEAP, and PEAP. In depth discussion of these protocols is strictly out of scope, however it is generally excepted that WEP is no longer considered “secure”, due to the ease of breaking WEP keys. WPA, WPA2, LEAP, and PEAP are more secure than WEP, however rely on the strength of the passphrase used, hense they are still at risk to dictionary based attacks. Once the level of association authentication security is determined via the stumbling tool, an attacker can then plan their method of attack. For WEP based WLAN’s the attack is simple, gather enough “special” packets via a packet generator such as “aireplay”, and then run that data through a WEP breaking utility such as wepcrack, or aircrack. This will result in the WEP key which can then be used to associate with the AP. WPA v1 is vulnerable to a passive dictionary attack against the passphrase, and can be exploited via tools such as WPA_cracker, from the makers of tinyPEAP. For other more advanced association protocols, tools such as fakeAP, AirNinja, and void11 can be used to disassociate users, and have them associate on a “spoofed” AP, the gathered keys can then be used to possibly associate with the target AP. For most secured wireless networks, the attackers are stopped here via strong passphrases and MAC based filters on the AP’s which should have a list of known good NICs which can be allowed to associate. An attacker may try to change the attacking MAC address via tools such as SMAC, or builtin functions of the various UNIX operating systems. Once associated a variety of options are now available to the attacker. They have free run to try MITM attacks with such tools as ettercap, or can use mapping utils such as nmap, and nessus to find vulnerable machines. A reverse tunnel can be setup via httptunnel to pipe other access through firewalls.