
Target Yourself: Penetration Testing as Your First Line of Defense

It is hard to overemphasize the importance of penetration testing in the overall information security structure and the value of viewing your network through the cracker's eyes prior to further hardening procedures. There are a variety of issues specific to penetration testing on wireless networks.

First of all, the penetration tester should be very familiar with RF theory and specific RF security problems (i.e., signal leak and detectability, legal regulations pertaining to the transmitter power output, and characteristics of the RF hardware involved). Watch out for the "RF foundations" inserts throughout the book; they will be helpful. Layer 1 security is rarely an issue on wired networks, but it should always be investigated first on wireless nets. The initial stage of penetration testing and security auditing on 802.11 LANs should be a proper wireless site survey: finding where the signal from the audited network can be received, how clear the signal is (by looking at the signal-to-noise ratio (SNR)), and how fast the link is in different parts of the network coverage zone. It must also discover neighboring wireless networks and identify other possible sources of interference.
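The measurements the survey is meant to deliver can be kept in a small script so that the same numbers feed the audit report and later comparisons. The following is an added example and is not code from the book or its Web site: it grades each measurement point by SNR, marks points outside the building perimeter where the signal is still usable (a leak), and builds a per-channel noise-floor baseline against which a later reading can be compared. All readings, the location names and the grading thresholds are constructed.

```python
"""Site-survey helper: SNR per measurement point and a noise-floor baseline.

Added example for this chapter, not code from the book or its Web site.
All readings below are constructed; the grading thresholds are assumptions.
"""
from statistics import mean, pstdev

# Constructed survey readings: (location, channel, signal_dBm, noise_dBm).
# "parking" lies outside the building perimeter.
SURVEY = [
    ("lobby",      6, -48, -95),
    ("office-2f",  6, -61, -94),
    ("parking",    6, -78, -93),
    ("warehouse", 11, -70, -92),
]
OUTSIDE_PERIMETER = {"parking"}

# Constructed noise-floor readings taken during the survey: (channel, noise_dBm).
NOISE_BASELINE_READINGS = [(6, -95), (6, -94), (6, -96), (6, -95), (11, -92), (11, -93)]


def snr_db(signal_dbm, noise_dbm):
    """Both values are in dBm, so their difference is the SNR in dB."""
    return signal_dbm - noise_dbm


def link_quality(snr):
    """Coarse grade of a link from its SNR (thresholds are an assumption)."""
    if snr >= 40:
        return "excellent"
    if snr >= 25:
        return "good"
    if snr >= 15:
        return "marginal"
    return "unusable"


def survey_report(samples, outside=OUTSIDE_PERIMETER):
    """One row per measurement point. A usable signal outside the perimeter
    is a leak: a marginal link is enough for a better antenna to work with."""
    rows = []
    for location, channel, signal, noise in samples:
        snr = snr_db(signal, noise)
        quality = link_quality(snr)
        rows.append({
            "location": location,
            "channel": channel,
            "snr_db": snr,
            "quality": quality,
            "leak": location in outside and quality != "unusable",
        })
    return rows


def baseline_noise(readings):
    """Per-channel mean and population std-dev of the noise floor in dBm."""
    by_channel = {}
    for channel, noise in readings:
        by_channel.setdefault(channel, []).append(noise)
    return {ch: (mean(v), pstdev(v)) for ch, v in by_channel.items()}


def abnormal_interference(baseline, channel, noise_dbm, min_rise_db=10.0, sigmas=3.0):
    """True when the noise floor sits far above the surveyed baseline, the
    pattern a jammer or a new strong interferer produces. The rise must clear
    both an absolute floor and a multiple of the baseline's spread, so a quiet
    channel with near-zero variance is not flagged by 1 dB of jitter."""
    mean_noise, spread = baseline[channel]
    rise = noise_dbm - mean_noise
    return rise >= max(min_rise_db, sigmas * spread)


if __name__ == "__main__":
    for row in survey_report(SURVEY):
        print(row)
    base = baseline_noise(NOISE_BASELINE_READINGS)
    print("channel 6 at -70 dBm abnormal:", abnormal_interference(base, 6, -70))
```

Re-running `abnormal_interference` against readings collected during normal operation is the baselining the survey is for: a noise floor 20 dB or more above what the survey recorded on a given channel deserves a walk with a spectrum analyzer before anyone blames the access point.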

The site survey serves four major security-related aims:

1. Finding out where the attackers can physically position themselves.

2. Detecting rogue access points and neighbor networks (a possible source of opportunistic or even accidental attacks).

3. Baselining the interference sources to detect abnormal levels of interference in the future, such as the interference intentionally created by a jamming device.

4. Distinguishing network design and configuration problems from security-related issues.

This last point is of particular significance because air is a less reliable medium than copper and fiber, and a security-keen administrator can easily confuse network misconfigurations with security violations, in particular DoS attacks. For example, a host on a wireless network might be unable to discover another wireless host that roamed into a "blind spot" and keeps sending SYN packets. Sensitive IDS alarms go off indicating a SYN flood! At the same time the disappeared host stops sending logs to the syslog server. The security system administrator goes to Defcon 1, but five minutes later everything returns to normal (the roaming user has left the "blind spot"). Another example is an "abnormal" amount of packet fragments coming from the WLAN side. Of course, it could be a fragmented nmap or hping2 scan by an intruder or an overly curious user, but most likely it has something to do with a much larger default maximum transmission unit (MTU) size on an 802.11 LAN (2312 bits on 802.11 vs. approximately 1500 bits on 802.3/Ethernet, taking 802.1q/ISL into account). Whereas for a wireless networker these issues are obvious, for a system administrator not familiar with 802.11 operations they can be a pain in the neck, security and otherwise.
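The SYN-flood confusion above can be resolved by correlating the IDS observation with what the access point knows about the destination station. The routine below is an added example, not code from the book: it labels an alarm as a single client retransmitting to a station the access point has lost (one source, one TCP sequence number, growing gaps between retries, no usable RSSI for the destination), as a retry against a reachable host, or as a genuine many-source flood. The IDS field layout, the station log, the addresses and the RSSI threshold are all constructed or assumed.

```python
"""Triage for a 'SYN flood' alarm raised on the WLAN segment.

Added example for this chapter, not code from the book. The IDS observations,
the access point's station log, the field layout and the thresholds are all
constructed or assumed.
"""

# Constructed IDS observations: (timestamp_s, src_ip, dst_ip, dst_port, tcp_seq).
# One client retrying a connection to a host that wandered into a blind spot:
# one source, one sequence number, gaps that grow with TCP's backoff.
SYN_RETRIES = [
    (100.0, "10.0.0.5", "10.0.0.42", 22, 0x1A2B3C4D),
    (101.0, "10.0.0.5", "10.0.0.42", 22, 0x1A2B3C4D),
    (103.0, "10.0.0.5", "10.0.0.42", 22, 0x1A2B3C4D),
    (107.0, "10.0.0.5", "10.0.0.42", 22, 0x1A2B3C4D),
]

# Constructed flood pattern: many sources, a fresh sequence number on every SYN,
# arriving at a constant rate (0.25 s spacing is exactly representable).
SYN_FLOOD = [
    (100.0 + i * 0.25, f"192.0.2.{i % 254 + 1}", "10.0.0.42", 80, 1000 + i * 7919)
    for i in range(200)
]

# Constructed access point station log: dst_ip -> [(timestamp_s, rssi_dBm)].
# None means the station was not associated at that time.
STATION_LOG = {
    "10.0.0.42": [(95.0, -62), (99.0, -88), (103.0, None), (106.0, None)],
}


def station_reachable(station_log, host, at_time, weak_rssi_dbm=-85):
    """Last RSSI the AP saw for the host at or before at_time. A missing or
    very weak reading means the host is in a blind spot or has roamed off."""
    readings = [rssi for ts, rssi in station_log.get(host, []) if ts <= at_time]
    if not readings:
        return False
    last = readings[-1]
    return last is not None and last >= weak_rssi_dbm


def looks_like_backoff(timestamps):
    """Strictly growing gaps between SYNs are a client's retransmission
    backoff; a flood arrives at a steady or accelerating rate."""
    gaps = [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]
    return len(gaps) >= 2 and all(b > a for a, b in zip(gaps, gaps[1:]))


def classify_syn_alarm(syns, station_log):
    """Return a dict with a label explaining the alarm:
    'possible_syn_flood'   many sources or many sequence numbers
    'single_client_retry'  one client retransmitting to a reachable host
    'roaming_blind_spot'   one client retransmitting to a host the AP lost
    """
    sources = {s[1] for s in syns}
    sequences = {s[4] for s in syns}
    timestamps = [s[0] for s in syns]
    dst, last_seen = syns[-1][2], syns[-1][0]
    result = {"sources": len(sources), "backoff": looks_like_backoff(timestamps)}
    if len(sources) > 1 or len(sequences) > 1:
        result["label"] = "possible_syn_flood"
    elif station_reachable(station_log, dst, last_seen):
        result["label"] = "single_client_retry"
    else:
        result["label"] = "roaming_blind_spot"
    return result


if __name__ == "__main__":
    print(classify_syn_alarm(SYN_RETRIES, STATION_LOG))
    print(classify_syn_alarm(SYN_FLOOD, STATION_LOG))
```

The point is not the particular thresholds but the data source: a wired-side IDS cannot tell a lost station from a flooded one, while the access point's association and RSSI records can, so an alarm on the WLAN side should be enriched with them before anyone escalates.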

After surveying the network, the next stage of penetration testing is dumping the traffic for analysis and associating with the audited LAN. However, being able to associate to the WLAN is not the end of a penetration test on a wireless network, as many security consultants would have you believe. In fact, it is just a beginning. If penetration testing is looking at the network through the cracker's eyes, then please do so! Crackers do not attack wireless networks to associate and be happy: They collect and crack passwords, attempt to gain root or administrator privileges on all vulnerable hosts in a range, find a gateway to the Internet, and connect to external hosts; finally they hide their tracks. Unless the penetration test has demonstrated how possible everything just listed is, it has not reached its goal. Later chapters in this book are devoted to precisely this: describing proper penetration testing procedures on 802.11 LANs in detail and providing the instructions for working with the tools included on the accompanying Web site (http://www.wi-foo.com). Of course, new versions of the tools inevitably come out frequently and completely new security software utilities are released. At the same time, the process from submitting the book proposal to seeing the work on the shelves is very lengthy. Nevertheless, we aim to provide the latest versions of everything you need to audit 802.11 LAN security, and, at the least, what we have described in the book should give you a good direction on where to look for the new releases and tools and what they are supposed to do. Besides, the accompanying Web site will be continuously maintained and updated with all recent developments in wireless security and new software releases. Visit it regularly and you won't be disappointed!

Summary

There are a handful of sound reasons why people attack wireless networks and why your WLAN can be next on the crackers' list. Understanding the attackers' motivation is helpful in predicting the risk they present to your wireless network as well as useful in the incident response procedure. Whatever this motivation might be, penetration testing remains the only way to evaluate how susceptible your network is to various types of wireless attackers. To fulfill this function, wireless penetration testing must be structured, well-planned, and emulate the action of a highly skilled Black Hat determined to break in and abuse the tested network.

Chapter 3. Putting the Gear Together: 802.11 Hardware

"You cannot fight to win with an unequipped army."

Mei Yaochen

When reading other books somewhat related to wireless penetration testing or just simple wardriving, the suggested hardware choice is both limited and amusing. It creates the impression that only this particular laptop brand together with that specific PCMCIA card type are useful for these aims. In reality, much depends on the hardware chosen, but there are precise technical reasons for such a selection that are never listed in these sources. These reasons include client card sensitivity in dBm, client card chipset, the presence of connector sockets for an external antenna, client card power emission and consumption level, laptop/PDA battery life and compatibility with UNIX-like operating systems, and so forth. That said, practically any wireless client card and any mobile computer with a PCMCIA/CF/SD slot can be used for wireless hacking with some additional tweaking and with varying degrees of efficiency. This is the main message of this chapter.