Which of the following is a simple name given to an AP or wireless network?

Successful communication over wireless devices relies on common understanding about the processes or layers involved in interconnection, defined as the open systems interconnection reference model. It also relies on agreement over the rules of engagement, which correspond generally to the way we negotiate the spoken or written language rules: the allocation of radio spectrum frequency bands, identification of devices sending or receiving communications, message packet formation and syntax, and so forth.

A number of standards organizations operate at the global, country, and industry-specific levels. The organizations with particular significance for wireless communications are discussed here, in addition to the family of standards currently used for wireless interconnectivity.


URL: https://www.sciencedirect.com/science/article/pii/B9780128053157000012

Introduction to Networking

Dale Liu, ... Luigi DiGrande, in Cisco CCNA/CCENT Exam 640-802, 640-822, 640-816 Preparation Kit, 2009

Wireless Access Point

A WAP is a device that allows different types of wireless network cards to connect, without cables (hence wireless), to LANs and access resources, including the Internet. A WAP plugs into a hub or switch and is the device that joins the unwired network to the wired network. As shown earlier, you can put a router or firewall between the wireless network and the wired network, providing a secure barrier between the unsecure wireless network and the secure wired network. WAPs support the standards we defined earlier; if you are using an 802.11b WAP then most 802.11b/g/n cards should be able to access it, as they all operate on the same 2 GHz frequency. If you have an 802.11a access point you will need an 802.11a card, as this is not in the same frequency as the other standards. There are a few access points that support both the 2 GHz and the 5 GHz range. They are rare and expensive. There are also routers that support wireless connections. They range from home use to commercial/business use. For home use, you will find Linksys (a Cisco company) routers that will support both wired and wireless access to digital subscriber line (DSL) or cable Internet connections, all the way up to the Cisco 1800 line, which are commercial level routers that include a wireless feature set as well as wired connections. The price range runs from $80 to $5,000 depending on the features and level of router you purchase.


URL: https://www.sciencedirect.com/science/article/pii/B9781597493062000051

Understanding Network Intrusions and Attacks

Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008

Logging

Most wireless access points have the ability to log traffic and connections. It is important to consider logging requirements before an incident occurs. Being able to go back to a specific time when an event is thought to have occurred gives the investigator the ability to analyze and determine whether there was indeed a wireless attack on the network.

The logging on most access points does not provide the kind of granularity required for effective logging. You can set up a wireless IDS/IPS to monitor and log any suspicious wireless activity using wireless sensors. These sensors detect malformed wireless packets and log the data for forensic analysis later.

Investigating wireless attacks is difficult due to the nature of the technology. This is exactly the reason attackers like to use this method to gain access to corporate networks. The best solution is to configure your wireless network securely to ensure that hackers will not be able to gain access easily. If a wireless incident does occur, an investigator can use the same tools the attacker used to determine how the attack was done and decide how much information may have been exposed. Proactively reviewing event logs on servers and network devices is always a good step toward identifying attacks early and handling them appropriately.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492768000108

MCSE 70-293: Planning, Implementing, and Maintaining a Security Framework

Martin Grasdal, ... Dr. Thomas W. Shinder (Technical Editor), in MCSE (Exam 70-293) Study Guide, 2003

Administrative Password

When setting up WAPs, the first thing you should do is change the password on the device. Many devices come preset with the Administrator password set to something like admin. Do not leave these devices in their default state. Anyone who knows that you have this hardware could easily change your WAP configuration with this information.

As with any administrative-level password, you should set a strong password on the WAP administrator account. Most WAP vendors provide Web-based administration for performing configuration tasks such as changing the password.

SSID

The SSID acts like a network name for your wireless access device. It has a 32-character identifier attached to the header of data packets that are sent over the WLAN. When this information is sent from the mobile device to the WAP, it acts like a password, in that devices that cannot provide correct SSID information to the WAP will not gain access to the network.

However, the SSID does not provide wireless security for a couple of reasons. First, the SSID is sent over the network in plaintext and is not encrypted. This means that an outsider can use sniffer software to capture the packets being sent over the network and obtain the SSID from them. Additionally, by default, most WAPs broadcast their SSIDs, bringing us to the next section.

SSID Broadcasting

SSID broadcasting makes it easy for wireless clients to find the WAP. You don’t even need to know the SSID of the network in order to configure your client to connect; if the WAP broadcasts its SSID, your client computer will automatically intercept it and provide it in the list of wireless networks that are available for you to connect to.
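To make the plaintext point concrete, the following added example (not from the book excerpt) parses an 802.11 beacon frame and reads the SSID, channel and privacy (WEP) flag straight out of the unencrypted management frame. The sample frames are constructed by the hypothetical helper `build_beacon`, and the parser assumes a frame with no radiotap header and no trailing FCS.

```python
import struct

MGMT_HEADER_LEN = 24   # frame control, duration, three addresses, sequence control
FIXED_PARAMS_LEN = 12  # timestamp (8), beacon interval (2), capability info (2)
CAP_PRIVACY = 0x0010   # capability bit: data frames are encrypted (WEP on a WEP-era AP)
IE_SSID, IE_DS_PARAMS = 0, 3
MAX_SSID_LEN = 32      # the 32-character limit mentioned in the text


def build_beacon(bssid: bytes, ssid: bytes, channel: int, privacy: bool) -> bytes:
    """Build a constructed sample beacon (hypothetical helper, test data only)."""
    capability = 0x0001 | (CAP_PRIVACY if privacy else 0)  # ESS bit + optional privacy
    header = struct.pack("<HH6s6s6sH", 0x0080, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, 100, capability)
    ies = bytes([IE_SSID, len(ssid)]) + ssid + bytes([IE_DS_PARAMS, 1, channel])
    return header + fixed + ies


def parse_beacon(frame: bytes) -> dict:
    """Extract BSSID, SSID, channel and privacy flag; reject malformed frames."""
    if len(frame) < MGMT_HEADER_LEN + FIXED_PARAMS_LEN:
        raise ValueError("frame too short for a beacon")
    (frame_control,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (frame_control >> 2) & 0x3, (frame_control >> 4) & 0xF
    if (ftype, subtype) != (0, 8):  # management frame, beacon subtype
        raise ValueError("not a beacon frame")
    (capability,) = struct.unpack_from("<H", frame, MGMT_HEADER_LEN + 10)
    info = {
        "bssid": ":".join(f"{b:02x}" for b in frame[16:22]),  # address 3
        "privacy": bool(capability & CAP_PRIVACY),
        "ssid": None,
        "hidden": True,
        "channel": None,
    }
    offset = MGMT_HEADER_LEN + FIXED_PARAMS_LEN
    while offset < len(frame):
        if offset + 2 > len(frame):
            raise ValueError("truncated information element header")
        ie_id, ie_len = frame[offset], frame[offset + 1]
        value = frame[offset + 2 : offset + 2 + ie_len]
        if len(value) != ie_len:
            raise ValueError("information element runs past end of frame")
        if ie_id == IE_SSID:
            if ie_len > MAX_SSID_LEN:
                raise ValueError("SSID longer than 32 bytes")
            # A non-broadcasting AP sends an empty or all-NUL SSID in its beacons.
            info["hidden"] = ie_len == 0 or not any(value)
            info["ssid"] = None if info["hidden"] else value.decode("utf-8", "replace")
        elif ie_id == IE_DS_PARAMS and ie_len == 1:
            info["channel"] = value[0]
        offset += 2 + ie_len
    return info


if __name__ == "__main__":
    sample = build_beacon(bytes.fromhex("001122334455"), b"corp-wlan", 6, True)
    print(parse_beacon(sample))
```

The privacy flag is readable even when the data frames are encrypted, which is why survey tools can list the encryption status of every AP in range.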

WEP Settings

Another issue to be aware of is that most WAPs do not have WEP enabled by default. Although WEP has some weaknesses (which we’ll discuss in the next section) and is considered by many to provide weak security, it does provide some security and thus should be enabled as a best practice.

Remember that when you enable WEP on the AP, you also must set the client to use it. On a Windows XP client, follow these steps:

1. Double-click your wireless connection icon in the system tray or in Control Panel and select Network Connections to open the Connection Status dialog box.

2. Click Properties.

3. In the Properties box, click the Wireless Networks tab.

4. Under Available networks, select the SSID of the network you want to configure.

5. Click the Configure button.

6. Under the section labeled Wireless network key (WEP), check the check box that says Data encryption (WEP enabled).

7. If the key is provided automatically, check the check box that says The key is provided for me automatically.

8. If the key is not provided automatically, enter the key in the field labeled Network key.

9. Select the Key format (ASCII characters or hexadecimal digits) and the Key length (40 bits for a 5-character key; 104 bits for a 13-character key).


URL: https://www.sciencedirect.com/science/article/pii/B9781931836937500154

Auditing and Security with Wireless Technologies

Craig Wright, in The IT Regulatory and Standards Compliance Handbook, 2008

Wireless “Hacker” Tools to Evaluate Your Network

This section will introduce a few of the many wireless tools that are freely available. There is an inclusive list of Wardriving Tools, Wardriving Software and Wardriving Utilities at http://www.wardrive.net/wardriving/tools/.

NetStumbler

NetStumbler displays wireless access points, SSIDs, channels, WEP encryption status and signal strength. NetStumbler may be integrated with a GPS to precisely log the location of access points. NetStumbler is covered in more detail later in the chapter.

http://www.netstumbler.com/downloads/

ApSniff

ApSniff is an 802.11 based wireless access point sniffer for Windows. It can list all access points that are broadcasting beacon signals in its proximity. It is useful for setting up new APs without interfering with existing APs. ApSniff requires a Prism 2 chipset based WLAN card.

http://www.bretmounet.com/ApSniff

PrismStumbler

Prismstumbler is a WLAN discovery tool. It can scan for beacon frames that have come from access points. Prismstumbler will constantly switch channels to monitor any frames that are received on the currently selected channel and build a list of channels that have APs over time.

http://prismstumbler.sourceforge.net/

WEPCrack

WEPCrack was the first WEP encryption cracking utility. WEPCrack cracks WEP keys.

http://wepcrack.sourceforge.net/

Airsnort

Airsnort is a WLAN tool that was designed to capture and crack WEP encryption keys. Airsnort passively monitors wireless transmissions. It will automatically capture WEP traffic and then compute the encryption key when it has gathered a sufficient number of packets.

http://airsnort.shmoo.com/

WifiScanner

WifiScanner is GPL based software that discovers wireless nodes (i.e. both access points and wireless clients). It requires a Cisco or Prism wireless card chipset to function. It also needs a hostap or wlan-ng driver. It also incorporates an IDS system that may be used to detect anomalies (such as conflicting MAC addresses).

http://wifiscanner.sourceforge.net/

Wellenreiter

Wellenreiter is a GTK and Perl program that is designed for auditing 802.11b wireless networks. The three major wireless card chipsets (Prism2, Lucent, and Cisco) are supported. It uses an embedded statistics engine that contains the ordinary parameters provided by wireless drivers.

It can discover access-points, networks, and ad-hoc cards. It will detect both SSID-broadcasting and non-broadcasting networks across any channel. Non-broadcasting networks can be discovered automatically. The program will report on the manufacturer and WEP details automatically.

http://www.remote-exploit.org/

WepLab

WepLab is designed as an instruction tool for learning about the functionality of WEP. WepLab is a WEP Security Analyzer designed from an educational standpoint. It will also crack WEP keys.

http://weplab.sourceforge.net/

BTScanner

BTScanner is a tool that extracts a huge quantity of information from a Bluetooth device without being required to first pair. A detailed information screen collects HCI and SDP information, maintaining an open connection that is used to monitor both RSSI and link quality. BTScanner is based on the BlueZ Bluetooth stack, included in modern Linux kernels. It is possible to estimate the host device type from the information supplied by the tool.

http://www.pentest.co.uk/cgi-bin/viewcat.cgi?cat=downloads

FakeAP

Fake AP by Black Alchemy produces a voluminous quantity of bogus 802.11b access points. It can be used as a component of a wireless honeypot or to confuse attackers. Fake AP confounds many wireless scanners.

http://www.blackalchemy.to/

Kismet

Kismet is an 802.11 based wireless network detector, sniffer, and intrusion detection system. Kismet identifies networks through passively collecting packets and detecting networks that are defined using standard names. It can also detect hidden networks, and infer the existence of any non-beaconing networks via data traffic. KISMET is covered in more detail later in the chapter.

http://www.kismetwireless.net/

Mognet

Mognet is an open source wireless (GPL) Ethernet sniffer and analyzer. It is written in Java. It performs well on handheld devices such as a PDA.

http://node99.org/


URL: https://www.sciencedirect.com/science/article/pii/B9781597492669000126

FortiGate Hardware Overview

Kenneth Tam, ... Josh More, in UTM Security with Fortinet, 2013

FortiAP

FortiAP is an 802.11x wireless access point (AP) offering. As of this writing there are three commercial grade FortiAP models offered by Fortinet: FortiAP-210B, FortiAP-220B, and FortiAP-222B. All three models support 802.11a/b/g/n standards and operate on both 2.4 GHz b/g/n and 5 GHz a/n spectrums. The 210B has a single radio whereas the other two have two radios. The 222B can be used outdoors, unlike the other two models, which are indoor only. Each radio supports multiple wireless clients, with the ability to span multiple wireless network segments, each with its own SSID and different access rights. Having multiple radios in a single FortiAP provides options for dedicating certain wireless frequency spectrums to specific uses. A radio could also be dedicated to rogue AP (access point) detection. Rogue detection provides another layer of defense by detecting unauthorized access points being used in your network environment. In addition, on-wire rogue AP detection is possible by taking the rogue AP MAC address detected by the dedicated wireless radio and correlating it with the FortiGate wireless controller's MAC entries from potential wireless user clients using the rogue AP on the network. If a rogue AP is detected on your physically connected network (on-wire), the FortiGate has the ability to suppress and block network activities coming from the discovered rogue AP. These APs are used in conjunction with the FortiGate UTM solution, which acts as a wireless controller for the AP and provides fast roaming capabilities between FortiAPs. The wireless controller function is included in almost all FortiGate models (check the datasheet to confirm support). With the FortiGate providing the wireless controller functionality, it adds additional benefit for a secure wireless infrastructure by leveraging all the UTM features the FortiGate offers. Further details on the FortiGate built-in wireless controller feature are covered in Chapter 7 of this book.


URL: https://www.sciencedirect.com/science/article/pii/B9781597497473000028

Understanding Antennas and Antenna Theory

Chris Hurley, ... Brian Baker, in WarDriving and Wireless Penetration Testing, 2007

Security Audit/Rogue Hunt and Open Penetration Testing

A “rogue” wireless access point (or router) is an unauthorized access point that has been placed on a company LAN behind a corporate firewall. These devices are usually left in their factory default state and are completely open and unsecured. They are often installed by a company employee who “just wants wireless in my office” and who fails to understand that a device in that state is equivalent to running a Category 5 UTP cable out the window and into the parking lot, where any passerby can use it.

As a matter of course, any company with a LAN should be running routine checks or “rogue hunts” for unauthorized APs as part of its regular network security audits. Often, wireless is neglected because a company does not have any authorized wireless and therefore believes that it can safely disregard any wireless checks. Unfortunately, this attitude ignores the possibility of rogue devices having been installed by an unauthorized employee or attacker. A wireless search should be part of any routine security audit.

The information technology worker that is charged with the wireless portion of the audit needs several different types of antennas. First, a low- to moderate-gain omnidirectional antenna in the 5 to 7dBi range is needed for checking the perimeter of a building or campus. This check should be for rogue devices and to see how far the wireless footprint of authorized devices can reasonably be detected from the building or campus.

Next, a moderate gain directional antenna of about 15dBi is needed to confirm whether any detected wireless networks lie inside or outside of the audited area. If the detected wireless networks are authorized, or if they are unauthorized but outside of the area, then the wireless portion of the audit may be concluded. If not, then a low gain directional antenna of 8 to 10dBi, or a moderate gain antenna combined with attenuators, is needed to track down the location of rogue APs.

This is similar to anyone conducting an open penetration test. Since the test is being conducted with the full knowledge of the company employees, the functions are almost identical to that of the corporate employee conducting a wireless security audit. The worker conducting the open penetration test may want to obtain a higher gain omnidirectional antenna to see how much further out the wireless footprint can be detected, or to conduct any penetration test some distance from the site.
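The triage step of a rogue hunt, and the on-wire correlation described in the FortiAP excerpt earlier on this page, can be sketched as follows. This is an added example, not code from either book or from Fortinet: the inventory, the survey observations and the wired MAC table are constructed sample data, and the names `Observation` and `triage` are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One AP seen during the wireless survey (constructed sample data)."""
    bssid: str
    ssid: str
    clients: tuple = ()  # MAC addresses of stations seen associated to this AP


def normalize(mac: str) -> str:
    """Canonical form so 00-AA-.. and 00:aa:.. compare equal."""
    return mac.strip().lower().replace("-", ":")


def triage(observations, authorized_bssids, wired_macs):
    """Classify each surveyed AP.

    authorized       : BSSID is in the inventory of approved APs
    rogue-on-wire    : unapproved AP whose own MAC or whose clients' MACs also
                       appear in the wired MAC table, i.e. it bridges onto the LAN
    unauthorized-air : unapproved AP with no wired evidence; locate it with a
                       directional antenna to decide if it is inside the area
    """
    approved = {normalize(b) for b in authorized_bssids}
    wired = {normalize(m) for m in wired_macs}
    findings = []
    for obs in observations:
        bssid = normalize(obs.bssid)
        if bssid in approved:
            findings.append((bssid, obs.ssid, "authorized", []))
            continue
        # Assumption: a bridging AP exposes its clients' MACs on the wired side.
        # A rogue that NATs its clients shows only its own WAN-side MAC, so
        # absence of evidence here does not clear the device.
        evidence = sorted(
            m for m in {bssid, *map(normalize, obs.clients)} if m in wired
        )
        verdict = "rogue-on-wire" if evidence else "unauthorized-air"
        findings.append((bssid, obs.ssid, verdict, evidence))
    return findings


# Constructed inventory, survey results and switch MAC table.
AUTHORIZED = ["00:11:22:33:44:55"]
WIRED_TABLE = ["00-11-22-33-44-55", "A0:B1:C2:D3:E4:F5", "02:00:00:00:00:10"]
SURVEY = [
    Observation("00:11:22:33:44:55", "corp-wlan", ("a0:b1:c2:d3:e4:f5",)),
    Observation("DE:AD:BE:EF:00:01", "linksys", ("02:00:00:00:00:10",)),
    Observation("de:ad:be:ef:00:02", "CoffeeShop", ("02:00:00:00:00:99",)),
]

if __name__ == "__main__":
    for row in triage(SURVEY, AUTHORIZED, WIRED_TABLE):
        print(row)
```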


URL: https://www.sciencedirect.com/science/article/pii/B9781597491112500271

Looking Ahead: Cisco Wireless Security

Eric Knipp, ... Edgar Danielyan (Technical Editor), in Managing Cisco Network Security (Second Edition), 2002

Exploiting Those Weaknesses

A well-configured wireless AP will not stop a determined attacker. Even if the network name and SSID are changed and the secret key is manually reconfigured on all workstations on a somewhat regular basis, the attacker will still take other avenues to compromise the network.

If easy access is available near to the wireless network, such as a parking lot or garage next to the building being attacked, the only thing an attacker needs is patience and AirSnort or WEPCrack. When these applications have captured enough “weak” packets (IV collisions, for example) they are able to determine the secret key currently in use on the network. Quick tests have shown that an average home network can be cracked in an overnight session. This means that to ensure your network protection, you would need to change your WEP key at least two times per day, or keep your eyes open for any vehicles that look suspicious (with an antenna sticking out the window, for instance) parked outside your home or business for hours or days at a time.

If none of these network tools help in determining which default configurations to try, the next step is to scan the traffic for any cleartext information that might be available. Some manufacturers, such as Lucent, have been known to broadcast the SSID in cleartext even when WEP and closed network options are enabled. Using tools such as Ethereal (www.ethereal.com) and TCPDump (www.tcpdump.org) allows the attacker to sniff traffic and analyze it for any cleartext hints they may find.

As a last option, the attacker will go directly after your equipment or install their own. The number of laptops or accessories stolen from travelers is rising each year. At one time these thefts were perpetrated by criminals simply looking to sell the equipment, but as criminals become more savvy, they are also after the information contained within the machines. Once you have access to the equipment, you are able to determine what valid MAC addresses can access the network, what the network SSID is, and what secret keys are to be used.

An attacker does not need to become a burglar in order to acquire this information. A skilled attacker will utilize new and specially designed malware and network tricks to determine the information needed to access your wireless network. A well-scripted Visual Basic script that could arrive in e-mail (targeted spam) or through an infected Web site can extract the information from the user’s machine and upload it to the attacker.

With the size of computers so small today (note the products at www.mynix.com/espace/index.html and www.citydesk.pt/produto_ezgo.htm), it wouldn’t take much for the attacker to simply create a small AP of their own that could be attached to your building or office and look just like another telephone box. Such a device, if placed properly, will attract much less attention than someone camping in a car or van in your parking lot.


URL: https://www.sciencedirect.com/science/article/pii/B9781931836562500192

Building penetration test labs

Jeremy Faircloth, in Penetration Tester's Open Source Toolkit (Fourth Edition), 2017

Isolating the network

Because penetration testing can be a dangerous activity, it is imperative that a penetration test lab be completely isolated from any other network. This produces some problems, such as having no internet connection to look up vulnerability and exploit information or to download patches, applications, and tools. However, to guarantee that nothing in your network leaks out, you must take every precaution to make sure your network does not communicate with any other network.

Admittedly, this becomes problematic when your network contains wireless appliances. In most cases, penetration testing is conducted over wired connections, but on occasion wireless networks are valid penetration testing targets. This presents a difficult question: How do you isolate a penetration test lab with wireless access from other networks? The answer: You do not; it is not necessary.

To explain what that means, we’ll talk a bit about the objective of hacking a wireless access point. In a real penetration test involving a wireless network (or any network, for that matter), first the penetration test team needs to gain access to the network. It doesn’t matter whether that connection is via the wireless portion of the network or a plug in the wall. All that matters is that access is established. Once the network access is accomplished, the penetration testers move on to selecting targets using techniques that work over either wireless or wired networks (it does not matter which).

So, back to the question of how you isolate a penetration test lab with wireless access: You should have two separate labs: a wireless lab where you only practice breaking into the wireless access point and a separate lab where you conduct your system attacks. Once you feel confident you can break into the network over the wireless lab, you should move over to the wired penetration test lab and give yourself the same access to that network as what you would have by penetrating the wireless access point. That way, all future attacks are isolated and are not exposing other networks to your efforts. In addition, your activities cannot be monitored, which is (obviously) not necessarily the case over a wireless network.

In situations in which multiple wireless access points are in the vicinity of your wireless lab, you must be extremely careful that you attack only your lab and no other wireless network. After scanning for wireless networks, make absolutely certain that any cracking against the access point is really performed against your intended target. It is sometimes extremely easy, especially with automated tools, to test an unintended target. This can have very negative consequences.

Epic Fail

A scenario occurred where a security researcher set up a wireless lab at his home which is located near a police station. It turned out that the local police department had the same wireless configuration he had intended to use for testing purposes. After further reviewing the discovered networks, he noted that the police department set up their wireless access point with no encryption. Needless to say, if he had simply started some automated tools and started to hack away, he might have been hacking an access point owned by the police. It is unlikely that they would have taken kindly to his activities.

The good thing about wireless attacks is that the standard practice is to pinpoint your attacks against one access point using the Media Access Control (MAC) address unique to your lab’s wireless access point. As long as you are careful, there should be no problem. However, if this is not acceptable, it is possible to shield a room from leaking out radio waves (which we will not cover in this chapter). If you or your employer decides it is important enough to do, you can create a completely isolated wireless network with enough effort and funding. Whatever you do, just understand that you will be dealing with viruses, worms, and more, which can quickly bring any network to its knees.

What is another name for a wireless access point?

A WAP is also known as a hotspot.

What is the name of a wireless network?

A wireless LAN (WLAN) is a wireless computer network that links two or more devices using wireless communication to form a local area network (LAN) within a limited area such as a home, school, computer laboratory, campus, or office building.

What is a wireless AP device?

An access point is a device that creates a wireless local area network, or WLAN, usually in an office or large building. An access point connects to a wired router, switch, or hub via an Ethernet cable, and projects a WiFi signal to a designated area.

What are the 3 main types of wireless networks?

There are basically three different types of wireless networks – WAN, LAN and PAN: Wireless Wide Area Networks (WWAN): WWANs are created through the use of mobile phone signals typically provided and maintained by specific mobile phone (cellular) service providers.