ISSAF 0.2 WLAN Security Assessment

The Information System Security Assessment Framework (ISSAF) 0.2 contains a detailed methodology and how-to for wireless security assessment. The document can be downloaded at
http://www.oissg.org/downloads/issaf-0.2/index.php
Below is a summary of its Wireless LAN Security Assessment section.

Information Gathering
Wireless access points and clients send beacons and broadcasts respectively. Beacons are sent by APs at predefined intervals. They are invitations and driving directions that enable the client to find the AP and configure the appropriate settings to communicate. A beacon announces the SSID and the channel that the network is using. WLAN scanners allow users to identify WLANs through the use of a wireless network interface card (NIC) running in monitor mode and software that probes for APs. Linux has Kismet, which is not graphical and not as user friendly as NetStumbler, but it provides superior functionality. Kismet is a WLAN sniffer, whereas NetStumbler is a scanner.
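As an added example (not from ISSAF or the original post), a small parser that pulls from a raw 802.11 beacon the fields a passive scanner such as Kismet records: BSSID, SSID (and whether SSID broadcast is off), channel from the DS Parameter Set, beacon interval, and the Privacy capability bit that marks a WEP-protected network. The two sample frames are constructed for this example, not captured traffic.

```python
import struct
from dataclasses import dataclass

PRIVACY_BIT = 0x0010  # capability bit 4: WEP (or WPA) required on this BSS

@dataclass
class Beacon:
    bssid: str
    ssid: str
    hidden: bool          # SSID element empty or null-filled: "SSID broadcast off"
    channel: "int | None" # from the DS Parameter Set element, None if absent
    interval_tu: int      # beacon interval in time units (1 TU = 1024 us)
    privacy: bool

def parse_beacon(frame: bytes) -> Beacon:
    """Parse a raw 802.11 beacon (no radiotap header) into what a passive scanner records."""
    if len(frame) < 36 or frame[0] != 0x80:  # frame control: management type, beacon subtype
        raise ValueError("not a beacon management frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])  # addr3 carries the BSSID
    _ts, interval_tu, cap = struct.unpack_from("<QHH", frame, 24)  # fixed fields, little-endian
    ssid, hidden, channel, pos = "", False, None, 36
    while pos + 2 <= len(frame):  # tagged parameters: 1-byte id, 1-byte length, value
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if len(value) < length:
            break  # truncated element: keep what was parsed so far
        if tag == 0:  # SSID element
            hidden = not value.strip(b"\x00")
            ssid = "" if hidden else value.decode("utf-8", "replace")
        elif tag == 3 and length == 1:  # DS Parameter Set: current channel
            channel = value[0]
        pos += 2 + length
    return Beacon(bssid, ssid, hidden, channel, interval_tu, bool(cap & PRIVACY_BIT))

# Constructed sample frames (not real captures): MAC header and timestamp, then interval, capability, IEs.
SAMPLE_VISIBLE = (
    bytes.fromhex("80000000" "ffffffffffff" "00112233aabb" "00112233aabb" "0000" "0000000000000000")
    + bytes.fromhex("6400")              # beacon interval: 100 TU
    + bytes.fromhex("1100")              # capability: ESS | Privacy (WEP in use)
    + bytes([0, 9]) + b"corp-wlan"       # IE 0: SSID
    + bytes.fromhex("010182")            # IE 1: supported rates
    + bytes.fromhex("030106")            # IE 3: DS parameter set, channel 6
)
SAMPLE_HIDDEN = (
    bytes.fromhex("80000000" "ffffffffffff" "00112233ccdd" "00112233ccdd" "0000" "0000000000000000")
    + bytes.fromhex("0004")              # beacon interval: 1024 TU
    + bytes.fromhex("0100")              # capability: ESS only, no Privacy
    + bytes([0, 0])                      # IE 0: zero-length SSID (broadcast off)
    + bytes.fromhex("010182") + bytes.fromhex("03010b")  # rates, channel 11
)
```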

Scanning
- Detect and Identify the wireless network
- Test for channels and ESSID
- Test the beacon broadcast frame and recording of broadcast information
- Test for rogue access points from outside the facility
- IP address collection of access points and clients
- MAC address collection of access points and clients

Audit & Review – Questionnaire

Audit and Review Questionnaire on the following controls:
- Implementation Controls
  - Access control
    - Access control could be based upon the MAC address of the connecting devices.
  - Firewall settings
    - Between the wired and wireless side
- Technical Controls
  - Ports on device
    - The built-in COM ports of the access point should be disabled or password protected to prevent any unauthorized access to the access point. All unnecessary services and ports on the access point should be removed or closed.
  - SNMP
    - The default SNMP community string should be changed if the access point has an SNMP agent running on it. This is to prevent an attacker from reading or writing to the access point.
  - Is the SSID broadcast off?
  - Use of default SSID name?
  - Beacon interval
    - The beacon interval of the SSID should be set to the maximum setting to make passive scanning more difficult.
  - Has firmware been updated?
- Management Controls
  - Usage policy
    - Try to find out whether any usage policy has been implemented on the wireless device, e.g. Linksys allows building such a policy based upon day/time.

Security Analysis and Research
- Determining WEP-enabled access points
- Capturing WEP-encrypted data
- Intercepting valid client MAC addresses
- Configuration menu access: using the browser interface, Telnet, SNMP or FTP
- Determine the types of authentication methods in place
- Determining the origin of the access point(s)
- Communication with access point(s)
- Utilization of client cards (with or without WEP)
- Emphasize collecting data transmitted over the 802.11 wireless networks
- Search for requested "specific" sensitive data

Exploitation & Attacks
1. Identifying WEP keys
   - To crack a WEP key, one has to capture at least 150,000 encrypted packets for 64-bit and 300,000 packets for 128-bit WEP encryption. More is recommended. This is not always successful. (Kismet)
   - Tools to extract the WEP key via statistical attacks: WepLab, AirCrack Suite, WepCrack
   - Tools to help in injecting encrypted packets (aka replay attack) into a WEP-encrypted network to speed up collecting the needed amount of WEP-encrypted packets: AirCrack Suite
2. Bypassing MAC filtering
   - MAC filtering could be bypassed by any of the following tools:
     - SMAC: a tool that allows the MAC address of a Windows machine to be changed. This would help an attacker to spoof a MAC.
     - Bwmachak: command-line tool from Blackwave to change the MAC address of an ORiNOCO PCMCIA card, which works on Windows 2000 and Windows XP.
     - ifconfig: on a Unix (Linux) machine, ifconfig can be used to reassign the MAC address.
3. Targeting authenticated data (i.e. usernames and passwords)
   - The use of protocol analyzers helps in the targeting of authenticated data; these include Ethereal and tcpdump (with scripts).
4. Network logon functions
5. Disassociation attack
   - This is achieved by a spoofed de-authentication message that causes the communication between client and AP to be suspended. Hence, the attacker has achieved a DoS, and can also retrieve a hidden SSID when the client re-authenticates. This could be achieved by using tools such as AirJack, essid-jack and monkey-jack.
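The disassociation attack above is the item in this list that a wireless IDS can detect even though 802.11 (without management frame protection) cannot prevent it. As an added example, not part of ISSAF or this post, two detections over a constructed capture of management frames: a rate check for deauth/disassoc floods, and a sequence-number check that flags deauths carrying the AP's address but not fitting its frame counter. The MgmtFrame record, thresholds and addresses are assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

BEACON, DISASSOC, DEAUTH = 0x8, 0xA, 0xC  # 802.11 management frame subtypes

@dataclass(frozen=True)
class MgmtFrame:
    ts: float     # capture time in seconds
    subtype: int
    src: str      # transmitter address (the BSSID for frames the AP sends)
    dst: str
    seq: int      # 12-bit sequence number from the sequence control field

def detect_deauth_flood(frames, window=1.0, threshold=5):
    """Alert once per sender whose deauth/disassoc count within a sliding window reaches threshold."""
    recent, fired, alerts = defaultdict(deque), set(), []
    for f in sorted(frames, key=lambda f: f.ts):
        if f.subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[f.src]
        q.append(f.ts)
        while f.ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and f.src not in fired:
            fired.add(f.src)
            alerts.append((f.src, len(q)))
    return alerts

def detect_spoofed_deauth(frames, max_gap=50):
    """Flag deauth/disassoc frames whose sequence number is far from the sender's recent frames.
    A real AP runs one counter across all its frames; a forged frame that borrows the AP's
    address normally does not fit that sequence."""
    last, suspicious = {}, []
    for f in sorted(frames, key=lambda f: f.ts):
        prev = last.get(f.src)
        if f.subtype in (DEAUTH, DISASSOC) and prev is not None and (f.seq - prev) % 4096 > max_gap:
            suspicious.append(f)
            continue  # a flagged frame must not advance the sender's expected counter
        last[f.src] = f.seq
    return suspicious

AP, CLIENT, BCAST = "00:11:22:33:aa:bb", "de:ad:be:ef:00:01", "ff:ff:ff:ff:ff:ff"
# Constructed sample capture (not real traffic): the AP beacons every 100 ms with a steadily
# increasing sequence number; a burst of deauths carrying the AP's address arrives with its own
# unrelated counter; one genuine, in-sequence deauth follows later.
SAMPLE = (
    [MgmtFrame(t * 0.1, BEACON, AP, BCAST, 100 + t) for t in range(10)]
    + [MgmtFrame(0.33 + i * 0.05, DEAUTH, AP, CLIENT, 3000 + i) for i in range(8)]
    + [MgmtFrame(2.0, DEAUTH, AP, CLIENT, 110)]
)
```

The sequence-number heuristic only holds for frames sent by the AP itself; clients keep their own counters, so evaluate it per transmitter address.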

MITM Attack
MITM attacks on a wireless network are significantly easier to mount than against physical networks, typically because such attacks on a wired network require some sort of access to the network. Man-in-the-middle attacks take two common forms:
- eavesdropping
- manipulation
In eavesdropping, an attacker listens to a set of transmissions to and from different hosts even though the attacker's computer is not a party to the transaction. Many relate this type of attack to a leak, in which sensitive information could be disclosed to a third party without the legitimate users' knowledge. Manipulation attacks build on the capability of eavesdropping by taking this unauthorized receipt of a data stream and changing its contents to suit a certain purpose of the attacker; this could include spoofing an IP address, changing a MAC address to emulate another host, or some other type of modification. To prevent this kind of attack, one must encrypt the contents of a data transmission at several levels, preferably using SSH, SSL, or IPsec.
- Brute-force the base station password
- Scanning the network and beyond
- Identifying the services on the clients and trying to exploit them.
