Wireless Penetration Testing: Not Just For Hackers

Aug 29, 2011 (10:08 AM EDT)


Midsummer in Las Vegas is to geeks, hackers, and IT security pros what mid-April in Augusta is to golf fanatics: an opportunity to watch the best in their respective fields strut their stuff. One could aptly term the twin Vegas conferences, the "official" legitimized Black Hat and no-holds-barred Def Con, the "Masters" of the computer security world. Packed with presentations on innovative exploits, demonstrations of new security software, and competitive hacker challenges, these conferences are invaluable sources of information for security-minded amateurs and professionals alike.

Unfortunately for the rest of IT, they represent an annual horror show demonstrating just how pathetic your security defenses actually are.

You don't even have to be there, either. Just browsing the agenda, reading presentations, and following the stream of news releases is enough to turn anyone into a paranoid, tin-foil-hat-wearing basket case, seeing security doomsday in every email attachment, Web link, or computer glitch. While that's a natural reaction, it's not very productive. Better to use the events as an occasion for annual personal and organizational examination and as motivation to make a new year's worth of security resolutions.

One area where IT can never be too mindful, defensive, and proactive is in wireless security, particularly now that wireless LANs have become the lifeblood of mobile devices and their apps. Enter wireless penetration testing. Pen testing is one of those seamy activities, like undercover police work, that feels dirty but necessary. You imagine yourself as Marshal Dillon, but you're more like Frank Serpico.

In case you haven't noticed, the tools for wireless penetration testing have turned into something of a cottage industry. There are now full-blown suites that do everything from automatically impersonating access points and mounting man-in-the-middle (MITM) attacks to sniffing and decrypting traffic on private (WEP- and WPA-protected) networks. While the development and innovation in wireless hacking -- tools like Kismet, Karmetasploit, and Aircrack-ng -- come from the open source hacker community, finding the right tools and piecing them together into a coherent penetration test regime gets complicated (witness this handy flow chart). Here's where commercial software comes in, exemplified by two interesting new products.

The first, Silica from Immunity, is a veritable Swiss army knife of wireless hacking. Like most of the best security software collections, such as the incomparable BackTrack, Silica runs on Linux; it's distributed both as a bootable USB drive (for native operation) and as a virtual machine image (i.e., a virtual appliance), making it easy to run on any Intel-based laptop. What makes Silica interesting and particularly useful (or dangerous, depending on your perspective) is that it combines the features of network and client exploitation tools. Namely, once Silica has compromised a network (by, say, cracking the key) or a wireless client (via MITM), it can unleash a host of client penetration exploits, much like Metasploit. For example, Windows clients keep a saved profile for every secured network they have previously joined, and that profile holds the WEP key or WPA/WPA2 pre-shared key. (This is the saved-profile store, not 802.11i PMK caching, which only retains a session's master key to speed up roaming between access points.) The stored keys are encrypted with the Windows Data Protection API (DPAPI), which any process running with administrative rights on that machine can decrypt, so if Silica successfully penetrates said client, it can pull all the saved keys back in the clear, giving the attacker ready access to a new set of WLANs.
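What that post-exploitation step looks like from the client side is easy to see for yourself. The script below is an added example written for this page, not Silica's or Immunity's code; it assumes an English-language Windows build with netsh.exe (Vista or later) and an elevated PowerShell prompt, because netsh only honours key=clear when run with administrative rights. The function name Get-SavedWlanKey is this example's own.

```powershell
# Added example (not Silica code): enumerate the wireless profiles saved on a
# Windows client and show the key material stored with each one.
# Assumptions: English netsh output, Windows Vista or later, elevated prompt.

function Get-SavedWlanKey {
    # Each saved network appears in the profile list as "All User Profile : <SSID>"
    $names = netsh wlan show profiles |
        Select-String -Pattern 'All User Profile\s*:\s*(.+)$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }

    foreach ($name in $names) {
        # key=clear asks netsh to decrypt the DPAPI-protected key for us. It only
        # works with administrative rights, which is exactly what a compromised
        # client hands an attacker.
        $detail = netsh wlan show profile name="$name" key=clear

        $auth = $detail | Select-String -Pattern 'Authentication\s*:\s*(.+)$' | Select-Object -First 1
        $key  = $detail | Select-String -Pattern 'Key Content\s*:\s*(.+)$'    | Select-Object -First 1

        [pscustomobject]@{
            SSID           = $name
            Authentication = if ($auth) { $auth.Matches[0].Groups[1].Value.Trim() } else { 'unknown' }
            # WPA2-Enterprise (802.1X) and open networks store no key in the
            # profile, so "Key Content" is absent and nothing is recoverable here.
            KeyContent     = if ($key)  { $key.Matches[0].Groups[1].Value.Trim() }  else { '(none stored)' }
        }
    }
}

Get-SavedWlanKey | Format-Table -AutoSize
```

Run it on one of your own laptops and the point makes itself: every WPA2-Personal network the machine has ever joined comes back with its passphrase, so a shared PSK is only as secret as the least-trusted client that has ever held it. The practical countermeasures are to rotate the PSK whenever a client is lost or compromised, and, for networks that matter, to move to WPA2-Enterprise, where the profile carries a per-user credential (certificate or domain password) rather than a key that works for everyone. The patterns above match English netsh output; localized Windows builds label these lines differently.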

Of course, Silica also does packet capture and analysis a la Wireshark, so once you hold a network's key you can view the client traffic. One caveat: a WEP key decrypts everything on the air, but for WPA/WPA2 you also need to have captured each client's four-way handshake, since the per-session keys are derived from it, which is why these tools deauthenticate clients to force a fresh handshake. In sum, if you want to see both how susceptible your WLANs are to every known attack (Silica comes with an update subscription) and how vulnerable wireless clients are to network exploits, Silica is your tool. Here's a nice video demo illustrating the features and interface, courtesy of Hak5.

The second, Core Impact Pro from Core Security, is perhaps the first to specifically address mobile device (Android, BlackBerry, and iOS) vulnerabilities. Like Silica, Core Impact offers a full set of pen-testing features, including Wi-Fi network reconnaissance, encrypted network cracking, MITM client attacks, SSID impersonation, automated traffic sniffing and packet analysis, and integration with Core's wired and application-testing modules to emulate a multistage assault in which an attacker uses the WLAN as a jumping-off point to get at back-end databases and Web servers. Just added is the ability to target mobile clients with exploits specially crafted for mobile operating systems and usage patterns. For example, Core Impact can send phishing emails and SMS messages, or intercept, redirect, and impersonate Web traffic, in an effort to get users to install a malicious mobile app or divulge personal information. Once a device is compromised, the software can extract phone and SMS logs and GPS location data and contact information, and even activate the device's camera.

Like any tool, penetration-testing software can be used with the best (white hat) or worst (black hat) of intentions, and the fact that these things exist at all should be a frightening prospect to anyone charged with network security. But the bottom line is, you can't plug holes you don't know about, and if your org is a high-value target, like any firm handling financial, personal, or sensitive information, you can bet there's someone trying to find cracks in your defenses. Although the latest commercial tools sport point-and-click GUIs, they don't replace a solid understanding of network protocols and client exploitation techniques, meaning they're best left in the hands of a security expert. If you don't have a black-belt security master on your staff, find a consultant who knows how to drive these or similar tools to assess the strength of your WLAN defenses.

For all their value as premier sources of information, the Vegas conferences and their summer ritual of hack-a-thons can also serve as a call for renewed security vigilance -- in this case, by seeing your wireless network through the eyes of an attacker.