We’ve received a few messages following on from our previous penetration testing tool articles, asking about the best penetration testing tools for WiFi assessments, so let’s take a look. Firstly, what are the potential security issues with WiFi?
Many readers will be used to utilising unencrypted guest and public WiFi on their travels. The main problem here is protecting against the various types of man-in-the-middle attacks unencrypted WiFi can facilitate. From simple ARP poisoning attacks, to fake access points, the potential for intercepting traffic is considerable. We can use a number of different security tools to facilitate such attacks:
Ettercap uses ARP poisoning to perform man-in-the-middle attacks, and can modify data on-the-fly. This feature can be very useful in spoofing DNS responses in order to guide the target to a fake, lookalike website hosted purely to harvest authentication credentials.
Mana is a powerful WiFi assessment tool that allows you to perform a more modern (and hence effective) version of the Karma attack: Karma attacks work on the fact that once your mobile device has been paired to a WiFi network, it will constantly beacon for the remembered network name whenever it is out of WiFi range. This is why your phone re-connects to your favourite restaurant’s WiFi when you walk in, without you having to tell it to. It will actively look for and try to reconnect to any WiFi network it was once part of, unless configured otherwise. Mana answers these beacon requests with a resounding yes. This results in the mobile device connecting to the rogue Mana access point, and routing Internet traffic via the rogue AP. If the rouge AP has some kind of Internet connection, then it’s just inserted itself seamlessly into the mobile device’s data path.
So what can we do to stop these attacks? Encrypted protocols such as HTTPS and SSH can provide an effective safeguard if we take certificate warnings within our device’s web browser seriously and all of our apps correctly validate the server’s certificate. Sadly, all too often this is not the case and many app assessments that we perform render man-in-the-middle attacks possible due to insufficient certificate validation.
By the mid noughties, WEP’s security had more holes than a swiss cheese. With that in mind, you wouldn’t expect to see it in use anymore. Surprisingly, however, we still see it in warehouse and industrial applications where the refresh cycle is considerably slower than typical IT infrastructure. Barcode scanners for example, really aren’t the most frequently upgraded systems. On the odd occasion we do still come across a WEP encrypted network, only one tool is needed to break it with ease:
Aircrack-ng is one of the original WiFi penetration testing tools, which can punch a hole in WEP protected networks via just about every known cryptographic flaw known. Different attacks can take wildly different times to implement, but attacking a WEP network in under an hour is not unusual by any means.
WPA2-PSK’s security is almost entirely based in the entropy of the passphrase in use. Use a decent passphrase, change it as appropriate (devices get compromised/lost/stolen) and you have a reasonable basis for a small, low-security network (assuming WPA2 AES encryption is used, and not TKIP). It’s possible to use aircrack-ng to capture the four way handshake that takes place as a client associates with a WPA2-PSK network, and run it against a dictionary/brute-force attack to obtain the PSK.This is however, computationally intensive: Your average i7 CPU will struggle to put much of a dent in even a small word-list. This type of attack needs muscle, which can now be bought quite cheaply: Slinging all those pixels around your monitor is a massive mathematically undertaking, so the GPUs in your graphics card are just the job to perform the heavy lifting of WPA cracking.
These tools allow the penetration tester to harness GPU power in order to attempt dictionary/brute-force attacks against PSK handshakes. Multiple cards are supported, and nothing gives you the heavy-metal mainframe feel of yesteryear quite like a bunch of potent GPUs cracking numbers. It’s still, in real-terms, a fairly slow process, but if the PSK is predictable, it works.
Like WPA2 PSK, WPA2 Enterprise has stood the test of time quite well. Two attacks are feasible, depending on the configuration of the network:
Attacking weak EAP types
WPA2 Enterprise utilises the EAP (Extensible Authentication Protocol ) framework to provide authentication functionality. EAP provides the ability to use a wide range of EAP-types, the security of which vary wildly. Identifying insecure EAP types such as LEAP, requires nothing more than our good old friend Wireshark
Tools such as Asleap can help exploit WPA2 Enterprise networks with weak EAP types such as LEAP.
If a WPA2 Enterprise client isn’t configured to validate the certificate of the access point it’s authenticating against, then a fake AP with an identical network name can be configured, and the RADIUS authentication captured from a legitimate device. This can be attacked using dictionary/brute-force means in much the same way as any other encrypted material. The tool for this job is Easy Creds which even sets up your fake RADIUS server.
WiFi Protected Setup
To me, this is one of the more interesting attacks, because it’s still prevalent in a lot of SOHO network infrastructure, and it really didn’t receive the press that previous vulnerabilities such as WEP enjoyed. WPS is designed to allow the easy addition of devices to a WiFi network. Often, a PIN number is entered on the device wishing to join the network. Unfortunately, that PIN number can be brute-forced in 24 hours using a tool such as Reaver. The main problem with WPS is the PIN number, much like the old Windows LanMan hash, is checked in two halves, greatly reducing the entropy. Once it’s been brute-forced, the PSK key is yours.
It isn’t hard to build a reasonably secure WiFi network (accepting of course the DoS risk, which cannot be easily mitigated), but like most things relating to technical security, the default configuration is just the beginning.