Erica’s CWNA Study Guide PW0-100
The AirMagnet web site provides product-independent background information and offers the AirWise Community Forum.
Troubleshooting tip: Fluke Networks’ AirCheck™ Wi-Fi Tester was designed to troubleshoot 802.11a/b/g/n Wi-Fi networks quickly and easily, all in a dedicated hand-held tester.
- Provides “root-cause” for reported Wi-Fi problems
- Maximize 802.11n efficiencies and investment
- Complete visibility of all Wi-Fi traffic
- Never miss any rogue device or security threat
- Independent ROI analysis of WLAN Infrastructure options
- Audit-ready compliance status
- Audit tool to verify network connectivity and application performance
Kismet is an 802.11 layer-2 wireless network detector, sniffer, and intrusion detection system. It can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic, works with any card that supports raw monitoring (rfmon) mode, and has plug-ins that allow sniffing other media.
Change from WEP to WPA, but use strong keys as well.
Problem: You enabled WPA2 using strong pre-shared keys (PSK, or WPA2-Personal). You can copy your strong key to a USB drive and use the USB drive to paste it to your other computing devices. You then learn that entering these strong keys on your mobile phone or other wireless-capable device is difficult to impossible. Do you choose to use weaker keys and expose yourself to a simple dictionary attack, or do you struggle with entering the difficult key?
Anyone can upload a packet capture to WPA CRACKER and have it return the WPA pre-shared key (PSK) in about 20 minutes for $17. Compare that with $1,199 for Elcomsoft Wireless Security Auditor: “Elcomsoft Wireless Security Auditor allows network administrators to verify how secure a company’s wireless network is by executing an audit of accessible wireless networks. Featuring patent-pending cost-efficient GPU acceleration technologies, Elcomsoft Wireless Security Auditor attempts to recover the original WPA/WPA2-PSK text passwords in order to test how secure your wireless environment is.” Weak keys are the failure point in any encryption scheme: the cipher does not matter if the passphrase can be guessed. Get a strong key using Steve Gibson’s free password generator. Don’t worry that you cannot recall such a password; you rarely re-enter it. You rarely change it as well, which is another reason to use a very strong password (and another reason to think that there must be a better solution).
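As an added example that is not from the study guide: the WPA2-Personal key derivation the above depends on, in Python. The PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 iterations, per IEEE 802.11i), so anyone holding a handshake capture can test passphrase guesses offline; the guess rate and passphrase alphabet used in the cost estimate are assumptions, not figures from the page.

```python
import hashlib
import math
import secrets
import string

# WPA/WPA2-Personal derives the 256-bit Pairwise Master Key (PMK) from the
# passphrase with the SSID as salt: PBKDF2-HMAC-SHA1, 4096 iterations
# (constants from IEEE 802.11i). Nothing else goes in, so the passphrase
# is the only secret and its guessability is the whole security margin.
def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    if not (8 <= len(passphrase) <= 63):
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)

# A passphrase drawn uniformly from an alphabet of size n has
# length * log2(n) bits of entropy; that bounds the attacker's work.
def entropy_bits(length: int, alphabet_size: int) -> float:
    return length * math.log2(alphabet_size)

# Maximum-length (63-character) random passphrase, like the ones from the
# generator the text recommends. Alphabet is an assumption: printable
# ASCII minus space/quotes/backslash, which some router UIs mishandle.
ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"

def strong_passphrase(length: int = 63) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

# Rough cost model (defender's estimate): seconds to exhaust the space at a
# given PBKDF2 guess rate. The rate is a constructed assumption.
def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    return 2.0 ** bits / guesses_per_second

if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(wpa_pmk("password", "IEEE").hex())
    # Same passphrase, different SSID -> different PMK (the SSID is the salt)
    print(wpa_pmk("password", "IEEE") != wpa_pmk("password", "MyNet"))
    weak = entropy_bits(8, 26)                 # 8 lowercase letters
    strong = entropy_bits(63, len(ALPHABET))   # 63 random characters
    print(f"8 lowercase letters: {weak:.0f} bits, about "
          f"{seconds_to_exhaust(weak, 50_000) / 86400:.0f} days at 50k guesses/s")
    print(f"63 random chars: {strong:.0f} bits, e.g. {strong_passphrase()}")
```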
Do not advertise your SSID. Some things you do not advertise. You know your SSID and your key.
Discover hidden SSIDs (and perform many un-neighborly attacks) with MDK3. Watch on Vimeo.
WirelessKeyView recovers all wireless network keys (WEP/WPA) stored in your computer by the ‘Wireless Zero Configuration’ service of Windows XP and by the ‘WLAN AutoConfig’ service of Windows Vista.
Do not leave plug-and-play (UPnP) enabled on your wireless router. Do not configure your wireless router to be in transparent mode. Do not configure your wireless router (and your firewall) to enable peer-to-peer file sharing. Too often people enable unsolicited network traffic to reach the end device. Too often the wireless router and the firewall are breached because someone has configured them to leave little protection.
Is this a corporate, not home, implementation? Have a concern about your perimeter? Don’t like the idea of someone sitting in your parking lot, sniffing your traffic? You’ve implemented WPA with strong encryption AND strong keys (because an easily guessed password defeats any encryption) and you’re not broadcasting your SSID, so you should be safe. Just in case, though, take that old b/g router and put it a little way into the parking lot, just far enough that eavesdroppers get this router; just far enough that it has the strongest signal. While rogue access points are considered “evil twins” when an evil-doer has inserted them, you can turn that idea to your advantage. These “tar pit routers” would be configured like production routers. They get power but they don’t get a network drop. Do not put these “tar pit routers” on your corporate network.
The trick you’re exploiting is that eavesdroppers cannot choose the device they connect to; they get these nearby “tar pit router” devices. When they connect successfully (because they’re disgruntled ex-employees, perhaps), they cannot get interesting information. They get stuck on these “tar pit routers”.
Now you need a way to protect these “tar pit routers” from being disconnected from power or stolen. They will be discovered. Alarm them and include them within the range of your security cameras. Do not give in to the temptation of connecting them to the facility network to send an alert when they go off-line. Do not give eavesdroppers a way to acquire more information.
For additional considerations, see:
- Microsoft Technet article Secure Wireless Access Point
- Five steps to eliminate rogue wireless access
- HP Whitepaper: Why Your Firewall, VPN, and IEEE 802.11i Aren’t Enough to Protect Your Network [pdf]
Have a b/g router? (performance tip) Bear in mind that when an 802.11b device connects (at up to 11 Mbps), the 802.11g devices operate at reduced throughput (up to 11 Mbps, not the desired 54 Mbps). Get rid of your 802.11b devices and switch the router to 802.11g only.
Better yet: Move your wireless network to 802.11a (the 5 GHz band) and get out of the crowded, unlicensed 2.4 GHz band that 802.11b/g/n, garage door openers, cordless handsets, appliances and other consumer devices use.
Wireless Access Point (WAP) tools
- Ekahau HeatMapper, a free Wi-Fi coverage mapping site survey tool.
- Xirrus Wi-Fi tools. Ultra-geeky, and very useful information. Xirrus Wi-Fi Inspector and Xirrus Wi-Fi Monitor gadgets/widgets to troubleshoot 802.11 and detect rogue access points.
- MetaGeek’s free InSSIDer 2 open-source Wi-Fi scanning software. Inspect your WLAN and surrounding networks to troubleshoot competing access points (replacing NetStumbler).
Infrastructure components/elements in mobile IP networks:
- GGSN
- SGSN
- PDSN
- HA
- FA
- VLR
- HLR
- RNC
- MSC
- MGW
- NodeB
- BSC
- PCF
Interfaces in mobile IP networks:
- A8
- A9
- A10/A11
- R-P
- P-I
- AAA
- RADIUS
- Gn
- Gi
- Gb
Services/applications in mobile IP networks:
- WAP
- MMS
- LBS
- AAA
- UMTS
- GPRS
- 1XRTT
- EVDO
AirPatrol Wireless Threat Management products
AirMagnet – Enterprise Wireless Network Security and Troubleshooting
With Karmetasploit [tar.gz] the attacker runs a fake access point that responds to any probe request from wireless clients and announces itself with the SSID the client asked for. In this way it can intercept and manipulate all of the client’s traffic. See PaulDotCom Security Weekly episode 208.
In the Linksys WAP610N, a SOHO wireless access point, an unauthenticated remote text-based administration console has been found that allows an attacker to run system commands as the root user. This vulnerability can be exploited with a telnet client (port 1111).
- Brute forcing Wi-Fi Protected Setup [pdf] by Stefan Viehböck: the WPS PIN design makes brute-force access to remote configuration practical
- Choosing midmarket wireless authentication server infrastructure options by Lisa Phifer
- Safe but simple wireless authentication by Lisa Phifer
- Avoid security risks of Free Public WiFi wireless ad hocs by Lisa Phifer
- Eliminate rogue wireless access points in five steps by Lisa Phifer