RE: Wireless network assessment

From: Martin Walker (martin.walker@ctg.com)
Date: Wed Oct 29 2003 - 11:16:41 EST


I think you will first need to determine what your metrics are and then
how to measure them. I generally use the following metrics. NOTE:
These are notes about a security assessment process, NOT a pen test,
which is what you appear to be asking about. As I am sure you are
aware, the two are very different processes.

0) (achieved through interview process with client) is the architecture
secured appropriately? Measurements include what is the purpose of the
wlan (public hot spot, pt-to-pt between buildings, client access to
sensitive data for pda etc) how devices and clients authenticate to the
network? How does the network authenticate to the device? How is
traffic flow controlled to/from the wired network? What are the
management processes for wireless devices? How is traffic from
different client types associated with the same access point separated
and controlled (imagine a laptop/pda mobile only w/in a specific area, a
robot that travels the campus and a voip wireless device all associating
with the same ap)? How are non-authorized, non-recognized devices
handled during association attempts?

1) how easy is the network to discover? Measurements include is it
cloaked, does the ssid divulge information about the owner, is there
enough signal strength in public access areas (or in the case of shared
building environments, non-client controlled areas) for reception of
traffic?

2) how easily can the captured traffic be viewed/used? Wep, eap/tls (or
some permutation), client vpn. Some combination.

3) how easy would it be to attack/penetrate the network? If vpn, what
non-vpn encrypted traffic can be captured (usually there is a lot, way
more than is safe), can the clients be attacked and a piggyback attack
made. If wep, are weak packets captured? At what rate? Estimate time
to crack based on traffic flow.

4) how easily can the network be connected to and how easy is it to do
it anonymously? Can I associate with access points? Is there
sufficient signal coverage to do so from an anonymous public area (ie if
I have to enter the client premises, sign in with receptionist, sit in
waiting room next to guard station the network is much safer than if I
can connect while sitting in my car in a busy public access parking
lot)?

5) once connected, what level of access do I have? Can I connect to
management interfaces on the access points? Is the network dhcp? Can I
connect to other wireless devices? Can I connect to arbitrary ports on
internal machines? Can I connect to the internet?
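As an added illustration (not part of Martin's reply or of the list archive), the Python below scores a handful of constructed site-survey readings against metrics 1 and 2 above: whether the SSID is cloaked or names the owner, whether the signal is usable from a non-client-controlled area, and how readable captured traffic would be given the protection in use. The record layout, the -80 dBm reception threshold, and the fictional client "Acme" are this example's own assumptions, not anything from the post.

```python
from dataclasses import dataclass
from collections import Counter

# Constructed record for one reading of one access point at one spot.
# The field names are this example's own assumption, not any survey tool's output.
@dataclass(frozen=True)
class Reading:
    bssid: str
    ssid: str            # "" when the beacon carries no SSID (cloaked network)
    security: str        # "open", "wep" or "eap-tls"
    client_vpn: bool     # True if clients must tunnel everything through a VPN
    signal_dbm: int      # received signal strength at this spot
    location: str        # where the reading was taken
    public_area: bool    # True if the spot is outside client-controlled space

@dataclass(frozen=True)
class Finding:
    bssid: str
    metric: int          # item number in the post: 1 = discovery, 2 = traffic confidentiality
    severity: str        # "info", "low", "medium" or "high"
    detail: str

# Assumed threshold: readings stronger than this are usable for receiving traffic.
PUBLIC_RECEPTION_DBM = -80

def assess_discovery(reading, owner_terms):
    """Metric 1: how easy is the network to discover, and does it give away its owner?"""
    findings = []
    if reading.ssid == "":
        findings.append(Finding(reading.bssid, 1, "info", "SSID not broadcast (cloaked)"))
    else:
        ssid = reading.ssid.lower()
        leaked = [t for t in owner_terms if t.lower() in ssid]
        if leaked:
            findings.append(Finding(reading.bssid, 1, "low",
                                    f"SSID {reading.ssid!r} names the owner ({', '.join(leaked)})"))
    if reading.public_area and reading.signal_dbm > PUBLIC_RECEPTION_DBM:
        findings.append(Finding(reading.bssid, 1, "medium",
                                f"{reading.signal_dbm} dBm at {reading.location}: receivable from a public area"))
    return findings

def assess_confidentiality(reading):
    """Metric 2: once traffic is captured, how usable is it?"""
    sec = reading.security
    if sec == "eap-tls":
        return [Finding(reading.bssid, 2, "info", "802.1X/EAP-TLS: per-session keys derived, no static key exposed")]
    if sec == "wep":
        return [Finding(reading.bssid, 2, "high", "WEP: static key recoverable from captured traffic")]
    if sec == "open" and reading.client_vpn:
        return [Finding(reading.bssid, 2, "medium", "open WLAN with client VPN: any non-VPN traffic is readable")]
    if sec == "open":
        return [Finding(reading.bssid, 2, "high", "open WLAN: all traffic readable in the clear")]
    return [Finding(reading.bssid, 2, "info", f"unrecognised security type {sec!r}; review by hand")]

def assess_survey(readings, owner_terms):
    """Run both checks over every reading and return the combined findings."""
    findings = []
    for r in readings:
        findings.extend(assess_discovery(r, owner_terms))
        findings.extend(assess_confidentiality(r))
    return findings

def severity_counts(findings):
    """Tally findings by severity for the summary line of a report."""
    return dict(Counter(f.severity for f in findings))

# Constructed survey data for a fictional client "Acme".
SAMPLE_READINGS = [
    Reading("00:11:22:33:44:01", "acme-guest", "open", False, -62, "visitor parking lot", True),
    Reading("00:11:22:33:44:02", "", "eap-tls", False, -88, "visitor parking lot", True),
    Reading("00:11:22:33:44:03", "warehouse-link", "wep", False, -70, "inside loading dock", False),
]

if __name__ == "__main__":
    results = assess_survey(SAMPLE_READINGS, ["acme"])
    for f in results:
        print(f"[{f.severity:6}] metric {f.metric} {f.bssid} {f.detail}")
    print(severity_counts(results))
```

Each reading is scored on its own, so the same BSSID taken from several spots produces one discovery finding per spot; that is deliberate, since the question in metric 1 is where the signal can be received, not merely whether it exists.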

-----Original Message-----
From: Andres Martinez [mailto:artiman@cable.net.co]
Sent: Monday, October 27, 2003 5:49 PM
To: pen-test@securityfocus.com
Subject: Wireless network assessment

I'm ready to perform my first wireless security assessment. I have some
experience performing wired security assessments; more than the tools
that are available to perform the scan, I'm concerned about the testing
methodology and procedures, since I believe that the nature of the
wireless world is totally different. Can somebody point me in the
right direction?

thanks

Andres

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:41 EDT