Wednesday, March 20, 2013

How to use your standard Windows notebook as a wireless security audit tool

As a "security professional" you may have a requirement to perform an audit on a client's WiFi setup. Instead of purchasing an expensive tool that is supposed to enable you to do this, I suggest that you can perform most of what is needed with a standard Windows notebook.

A basic audit of a wireless network involves the determination of the security settings of that network. This can be done without the use of any special software or hardware. Many so-called "penetration" tools will tell you little more than you can determine with your notebook:

A list of wireless connections showing the SSID and security settings
Your client may not be aware that they have an unsecured network; the simple list that you can see using your Windows computer will show them clearly which connections are protected and which are not.
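The list above can be produced from the command line as well. As an added example (not code from the original post), the PowerShell below parses the output of the built-in `netsh wlan show networks` command into objects and rates each network's authentication and encryption settings; the sample output embedded in it is constructed, and the parser assumes English-language netsh output.

```powershell
# Added example, not from the original post: parse the built-in
# "netsh wlan show networks" output into objects and rate each network's
# security settings for an audit summary. Assumes English netsh output.
function Get-WlanRating {
    param([string]$Authentication, [string]$Encryption)
    if ($Encryption -match 'WEP')      { return 'WEAK: WEP is broken' }
    if ($Authentication -match '^Open' -or $Encryption -eq 'None') { return 'OPEN: no encryption' }
    if ($Encryption -match 'TKIP')     { return 'WEAK: TKIP, prefer CCMP/AES' }
    return 'OK'
}

function ConvertFrom-NetshWlan {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    begin { $nets = New-Object System.Collections.ArrayList; $cur = $null }
    process {
        # Each "SSID n : name" line starts a new network block; the indented
        # Authentication/Encryption lines that follow belong to that block.
        if ($Line -match '^SSID\s+\d+\s*:\s*(.*)$') {
            $cur = [pscustomobject]@{ SSID = $Matches[1].Trim(); Authentication = ''; Encryption = '' }
            [void]$nets.Add($cur)
        }
        elseif ($cur -and $Line -match '^\s*Authentication\s*:\s*(.+)$') { $cur.Authentication = $Matches[1].Trim() }
        elseif ($cur -and $Line -match '^\s*Encryption\s*:\s*(.+)$')     { $cur.Encryption     = $Matches[1].Trim() }
    }
    end {
        foreach ($n in $nets) {
            $n | Add-Member -NotePropertyName Rating -NotePropertyValue (Get-WlanRating $n.Authentication $n.Encryption) -PassThru
        }
    }
}

# Constructed sample in the format netsh prints; on a real notebook run:
#   netsh wlan show networks | ConvertFrom-NetshWlan | Format-Table -AutoSize
$sample = @'
SSID 1 : CorpGuest
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
SSID 2 : Warehouse
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : WEP
SSID 3 : CorpSecure
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
'@ -split "`r?`n"

$sample | ConvertFrom-NetshWlan | Format-Table -AutoSize
```

On the constructed sample this lists CorpGuest as OPEN, Warehouse as WEAK (WEP) and CorpSecure as OK, which is the same open/WEP/WPA2 distinction the Windows network list shows the client.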

The vendors of equipment that purport to offer you a more detailed idea of what your vulnerability is in a given situation are often just "spinning you a line". The tools that they are using merely reveal the same information, but possibly on a screen that looks more "important" (as it is from a Linux application):

WiFite v2 is an example

Shown above is a screen from WiFite, a tool that is available in some penetration-testing toolkits. All this is telling you is that there are 3 wireless devices detected. IT DOES NOT tell you whether the connections are secured or not. In addition, it is suspected that the 3 devices listed above are just the internal devices that the Linux operating system can see AND NOT ones that you potentially want to log on to or even "hack".

A client will be more concerned if they are operating a system that is unsecured, and may require your services to make their system secure by setting the encryption on their routers and wireless access points. Given the marketing of devices that claim to offer "security professionals" tools to advise their potential clients on how not "To Get Pwnd", surely it is better to use a tool they are familiar with, a PC, to show them.

As for "hacking" systems, you will need far more sophisticated tools to allow the inspection of data traffic and the interpretation of such data. The ability to determine a password or the content of the payload is a VERY complex and time consuming exercise. The level of security also depends on the encryption method used, but I am sure that you know all about that!

7 comments:

Anonymous said...

I'm guessing from your post that you don't really know what WiFite is showing you in your screen shot. The 3 wireless devices listed are not networks to be tested. Rather, they are the actual wifi adapters that are attached to the computer running WiFite. There's nothing for the app to show with regards to security as you don't secure the individual adapters as you imply. This is simply a list of hardware available on the pc.

Now, using the standard Windows interface for determining the security level of a given network is a first step, but it's a baby step at best. I'm sure you realize that tools such as Aircrack-ng and Reaver are used to actually test secured wifi networks and can have a great deal of success against weakly secured networks. Even WPA networks are easily susceptible to unauthorized users joining if they are not configured properly. These tools, along with other tools such as WiFite are invaluable to companies that are serious about making sure their resources are protected. This protection goes much further than just seeing if you have WEP or WPA turned on.

Once a connection to a wifi has been made, it's relatively simple to use techniques such as ARP poisoning to begin more malicious activities such as stealing cookies, sniffing passwords, and even injecting scripts into web page requests. Many tools exist to automate this and work very well. It's far from being a "VERY complex and time consuming exercise" as you put it.

There is a great need for those that have an interest and skills in creating a secure and safe computing environment. Using tools that can demonstrate practical applications of what are generally very technical weaknesses is a powerful way to get non-technical people to understand just how vulnerable they can be. Only once we understand and accept our vulnerabilities can we begin to truly work towards creating a safer environment.

UK Musings said...

Thank you Pwnie Express

You have just confirmed what I was saying!

You are also confirming my interpretation of the WiFite screen. It is telling the user of a device such as the Pwn Pad nothing! My point WAS that the display shows only the devices available on the PC on which the application was run.

There is no unsafe environment, it is just a stance that companies like yours are trying to promote. Time will tell if people "buy-in" to this nonsense - I for one will do all I can to dispel these myths.

Anonymous said...

LOL, sorry, I'm unfortunately not an employee of Pwnie Express. Just a long-time programmer that has some recent experience in security due to my current assignment. I'd be willing to bet they appreciate the free advertising you're getting them though, just by talking about their tools.

Now, if you bother to actually USE WiFite, you'll see what it does. It will get you to a point where it shows you the networks around you and how they are secured. See how it has a prompt to select which adapter to put into monitor mode? Google that and you'll see what that means. I'm willing to bet you won't put the time into that as you clearly have a vendetta against people involved in IT security.

So no, once again, you've failed to prove anything. I'm not from Pwnie Express, but I'm far from wrong. Do you believe that all of the reports of hacks in the media are false? I sure hope not. Take the time to read up on some of the tools listed as part of Kali, Backtrack, and yes even the Pwn Pad and you'll see the potential for these tools. Or even better, attend Def Con or Black Hat and learn how to use them for yourself. You might find that it's more fun to understand how and why things work than it is to just rant about topics you have no clue about.

UK Musings said...

You really think that I have no clue!

There is no vendetta - I am an "IT Security Professional". It is people like you that I am trying to expose.

As far as the free advertising - you are witness to the fact that you are now part of the disclosure of the falsehood that companies such as Pwnie Express try to perpetuate. I didn't for one minute think that you were an employee of said company, but it sure did incite a response!

A long-time programmer.

Anonymous said...

Truthfully yes, I think you have no clue. You've given me no reason to believe anything else. There is empirical evidence that hacks, even against wifi, are successful and happen all the time. The belief that "there is no unsafe environment" is reckless at best and is flat out untrue. Answer any one of the questions I've posted and I'll believe you have a clue. I'm not too worried about being proven wrong though.

However, you seem to be either set in your convictions or trolling for attention. You are free to post as you see fit. However, I'm certainly not the enemy here. I'm simply trying to challenge you to learn before you post untruths, or at least acknowledge that you don't know what you are talking about and are simply lashing out against a product you don't understand and don't like.

If you truly are an IT Security Professional, you have a very interesting method of working with customers. I can't see that convincing people that there are no vulnerabilities and every environment is completely safe would generate much return business, not that any reasonable person would believe you. Do you actually get any security work, or do you just wish you did?

Finally, I'm perfectly content to be a part of advertising for companies like Pwnie Express. They make a product that I like and the fact that they post their work for free download so that I don't have to pay their prices makes it even better. But I guess you won't respond to that comment as it's yet another one that proves you wrong.

UK Musings said...

I am very pleased that Pwnie Express are making their downloads free of charge (to directly answer your comment). It will just serve to illustrate the folly of their product and those that are part of this "manufactured" industry.

I love the product, it is just that it is "bullshit".

I have many other comments to make regarding the points that you make. As far as not knowing about what I talk, I would suggest that this is a very great assumption on your part.

I will continue to post (what you deem to be "untruths") on my website - not on this blog.

I would suggest that YOU think of another line of work. Maybe I don't know what I am talking about (if an acknowledgement of that is what you are after) I am just reporting things as I see them. On the subject of getting security work, I don't need to as I am retired and have made enough advising those that are thinking of hiring the services of charlatans to save their money.

And yes, I do think that vulnerabilities are over-played and that reports that you read in the press are just "scare-mongering". I did not say there was NO risk, and the statement that there was no such thing as an "unsafe environment" was a reaction to the blind acceptance that there was a big problem and people such as you can help out.

And finally, to coin a phrase, I don't think that you could ever be proven wrong (at least in your estimation).

Anonymous said...

You certainly have an interesting take on things and one I've never encountered before. While I think that skepticism is a very healthy and much needed trait, it should be tempered with a willingness to learn for oneself and not rely on what the media feeds us. It's too bad that a retired engineer has lost the drive to experiment and learn, but I guess that can happen.

That said, I hardly think that companies such as Sony, Nortel, or any of the others that have reported major break-ins over the past few years would do that thinking it would generate positive press for them. How much money did Sony lose over their break-in? Quite a bit from what I remember. Not really a good enough reason to claim they were hacked. Though if you can think of a way it was, I'd love to hear it.

You did in fact say that there is no such thing as an unsafe environment (first sentence of the third paragraph in your comment made at 7:08) and, to be fair, that would imply that there is no risk. But now you say you didn't mean that. So that to me would indicate that there is in fact a need to test all aspects of an environment, otherwise you can't say that you've done all you can to secure it, now can you? Why is having a tool to do it such a bad thing? Why is using a tool designed to check for known, proven exploits a bad thing? I don't think anybody is forcing you to buy any of the tools that are freely available as well as being commercially available, but I could be wrong. Once again, I don't think I am.

I'm perfectly content in my current position. Though my primary job is not full time security, I hope to change that as I expand my knowledge. I find it much more rewarding to learn about new exploits and help people not in the industry understand them than I ever would if I were to downplay what I know can happen. I know what can happen because I'm willing to set up, test, and experiment with information and tools that are available for just this sort of thing. Perhaps you might find some joy in doing the same.

Finally, I'm completely willing to be wrong. So willing, in fact, that if you can empirically prove that wifi tools such as Aircrack-ng and Reaver do NOT work, I'll post a public apology here for everybody to see. Again, I'm not worried about being proven wrong, but I would love to see you try. If for no other reason than that you might start to understand something that you clearly don't.