Auditing Wireless Security

As in the wired world of networking, one of the most important parts of securing an environment is "checking your work." Auditing makes sure the security measures you have in place are working as you expected them to. It is a good practice when auditing security to make a list of your defenses and then write down some tests to prove that the defenses are working, followed by a list of expected outcomes and finally a place to describe what the outcome of the audit actually was. When the audit is complete, this will provide an excellent tool to refer back to in a "lessons learned" meeting if you ever face a successful intrusion or attack. It will help you determine if an issue was introduced after the initial design implementation that enabled the incident or perhaps help you discover flaws in your own auditing techniques. Auditing is sufficiently important that we have an entire chapter dedicated to it (Chapter 22, "Assessment Techniques"), where we go into the process of network security auditing in great detail. However, this section will provide information specifically dealing with the tools and techniques used for the auditing of wireless networks only.

A number of software programs allow network professionals to audit the security of their wireless networks, including wireless sniffers, encryption-cracking tools, and AP detectors. In the following sections we will discuss some of the more useful of these tools and describe techniques that can be used to verify the security of a wireless network.

Auditing the Wireless Network Design

Despite the best laid plans of mice and men, network security holes still happen. You can lay out the ultimate network design on paper, but one mistake while implementing a firewall rule can bring your whole network to its knees. That is why running audits against what your design should secure is an important part of the design itself.

Auditing Network Controls

No matter what design methodology you use to separate your wireless and wired networks (even the absence of separation is a design decision), it is imperative to determine what resources an attacker would be able to gain access to once he is connected to your wireless network. To verify this connectivity, make a list of critical resources you would not want an attacker to be able to contact. Then, using one of your wireless clients, run tests using common wired network security tools, such as port scanners, Firewalk, and vulnerability scanners. If you can access your critical resources, a motivated attacker will be able to as well. Use the information gleaned from the audits to bolster your network design's security.
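The record-keeping the chapter recommends (a list of resources, the expected outcome, the observed outcome) can be automated for the connectivity part of this audit. The following script is an added example, not code from the book: run from a wireless client, it attempts a plain TCP connect to each resource that should be unreachable from the wireless segment and produces a pass/fail record per resource. The "critical resources" here are constructed stand-ins on loopback (one listener that is wrongly reachable, one closed port that is correctly blocked); in a real audit you substitute the hosts and ports from your own list.

```python
import socket
import contextlib


def tcp_reachable(host, port, timeout=1.0):
    """Return True if a TCP handshake to host:port completes within timeout.

    A completed handshake means the path from this wireless client to the
    resource is open; a refused or timed-out connect means something (a
    firewall rule, a VLAN boundary, or the host itself) blocked it.
    """
    with contextlib.closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except (socket.timeout, OSError):
            return False


def audit_segmentation(critical_resources, timeout=1.0):
    """critical_resources: list of (label, host, port) that must NOT be
    reachable from the wireless segment.  Returns one audit record per
    resource: expected outcome, observed outcome, and a verdict."""
    results = []
    for label, host, port in critical_resources:
        observed = "reachable" if tcp_reachable(host, port, timeout) else "blocked"
        results.append({
            "resource": label,
            "target": f"{host}:{port}",
            "expected": "blocked",
            "observed": observed,
            "passed": observed == "blocked",
        })
    return results


def violations(results):
    """The entries that need a design fix before the next audit."""
    return [r for r in results if not r["passed"]]


@contextlib.contextmanager
def _local_listener():
    """Constructed stand-in for an exposed critical service: a TCP listener
    on loopback bound to an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    try:
        yield srv.getsockname()[1]
    finally:
        srv.close()


def _closed_port():
    """Find a loopback port nothing listens on: bind, note the ephemeral
    port, release it again."""
    with contextlib.closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Constructed scenario: one 'critical' service wrongly exposed to the
    wireless side and one correctly blocked.  Returns the audit records."""
    with _local_listener() as exposed_port:
        resources = [
            ("payroll-db (constructed)", "127.0.0.1", exposed_port),
            ("domain-controller (constructed)", "127.0.0.1", _closed_port()),
        ]
        return audit_segmentation(resources, timeout=0.5)


if __name__ == "__main__":
    for r in demo():
        print("PASS" if r["passed"] else "FAIL", r["resource"], r["target"], r["observed"])
```

One caveat when reading the results: "blocked" only proves something when the service is actually up. Confirm from the wired side that each resource answers before you credit the wireless segmentation with stopping the connection.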

Auditing Signal Leakage

For this audit you are going for a walk, literally. Grab your favorite laptop and load it up with tools to see what's going on in the atmosphere around your workplace. It is advisable that you wield an external antenna, similar to the ones an attacker would use, to increase your range. The small omni-directional antennas that are integrated into most wireless PC cards have a fraction of the range of a directional antenna such as a Yagi. A chart of wireless coverage for an omni-directional antenna is almost spherical, whereas a Yagi directional antenna is more like a column stretching many times the distance of the "omni" in the direction the antenna is being pointed.


Remember that a wireless signal can be affected by interference, reflection, and outside factors. Though you may not be able to access your network from the parking lot today, you may be able to hit it from beyond there next week. Perform regular audits with varying equipment and tools, but don't rely on signal control as your sole defense mechanism.
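To put a number on "many times the distance of the omni," the free-space link budget is the usual back-of-the-envelope tool. The script below is an added example, not from the book; all radio parameters (channel 6 at 2437 MHz, a 20 dBm AP with a 2 dBi antenna, a receiver sensitivity of -90 dBm, a 2 dBi card omni versus a 14 dBi Yagi) are assumptions chosen for illustration. It applies the Friis free-space path loss formula to estimate how far the same AP can be heard through each antenna, which is what decides how wide the perimeter of your walk needs to be.

```python
import math

# Assumed radio parameters (constructed for illustration, not from the book).
FREQ_MHZ = 2437          # 802.11b/g channel 6
AP_TX_POWER_DBM = 20     # AP transmit power
AP_ANTENNA_DBI = 2       # AP's own antenna gain
RX_SENSITIVITY_DBM = -90 # listener's receiver sensitivity at the lowest rate
OMNI_CARD_DBI = 2        # small omni built into a PC card
YAGI_DBI = 14            # a modest directional Yagi


def free_space_path_loss_db(distance_km, freq_mhz):
    """Friis free-space path loss: 20*log10(d_km) + 20*log10(f_MHz) + 32.44."""
    return 20 * math.log10(distance_km) + 20 * math.log10(freq_mhz) + 32.44


def max_range_km(tx_power_dbm, tx_gain_dbi, rx_gain_dbi, rx_sensitivity_dbm, freq_mhz):
    """Distance at which received power just equals the receiver's sensitivity.

    Solves  tx + g_tx + g_rx - FSPL(d) = sensitivity  for d.  Free space has
    no walls, trees or reflections, so this is an upper bound on reach."""
    link_budget_db = tx_power_dbm + tx_gain_dbi + rx_gain_dbi - rx_sensitivity_dbm
    allowed_loss_db = link_budget_db - 32.44 - 20 * math.log10(freq_mhz)
    return 10 ** (allowed_loss_db / 20)


def range_multiplier(extra_gain_db):
    """Reach grows by 10**(dB/20): every extra 6 dB of antenna gain roughly
    doubles the free-space distance."""
    return 10 ** (extra_gain_db / 20)


def compare_antennas():
    """Reach of the same AP as heard through the two antennas, in km."""
    omni = max_range_km(AP_TX_POWER_DBM, AP_ANTENNA_DBI, OMNI_CARD_DBI,
                        RX_SENSITIVITY_DBM, FREQ_MHZ)
    yagi = max_range_km(AP_TX_POWER_DBM, AP_ANTENNA_DBI, YAGI_DBI,
                        RX_SENSITIVITY_DBM, FREQ_MHZ)
    return {"omni_km": omni, "yagi_km": yagi, "ratio": yagi / omni}


if __name__ == "__main__":
    r = compare_antennas()
    print(f"card omni: {r['omni_km']:.1f} km, Yagi: {r['yagi_km']:.1f} km "
          f"({r['ratio']:.1f}x farther)")
```

With these assumptions the 12 dB gain difference works out to roughly four times the distance, and real-world obstructions shrink both figures rather than the ratio. That is why the walk should be repeated with the kind of antenna an outsider would bring, not only with the integrated one.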

Start by walking the perimeter of your environment with a tool such as Netstumbler or, even better, Kismet, which can find any valid access points you are using. Netstumbler is easy to load, easier to use, and can be run on popular handheld devices (MiniStumbler) as well as the ever-pervasive Windows operating systems. However, it relies on the passive reception of SSID broadcasts to detect APs and does not look beyond them. Do not rely on Netstumbler as your sole auditing tool, because you will gain a false sense of security from its results. Other programs such as Kismet are proactive and search out wireless packets to find APs and wireless networks. Kismet, however, is currently only available for Linux. In any case, either program may be used by an attacker looking for your network. When walking the grounds with either tool, take note of which APs can be located from public areas, including lobbies, restrooms, and other publicly accessible areas in your building. Finally, take a walk through your building and pay particular attention to SSIDs you don't recognize. A major security hole can be opened in the most secure network when an end user deploys his own access point or configures a wireless NIC to be part of his own ad hoc network. Believe it or not, this happens more often than you would expect. An executive feels tethered to his desk by a network cable, so he plugs in an AP (running without encryption, of course) and pops a wireless NIC into his laptop. Talk about an attacker's dream!

Another good practice is running a sniffer capable of examining wireless traffic, such as AirMagnet, Ethereal, or the like, and examining the information you are sending in the clear. You might be interested to find out what information an attacker can see even when your network is properly protected by MAC address lockdown, disabled SSID broadcasts, and strong encryption. Also confirm that the encryption protocols running on your network are the ones you deployed. Knowing your weaknesses is the first step in buttressing your fortress!
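The two checks from the walk-through (unrecognized SSIDs and rogue or ad hoc networks) and from the sniffer (is the encryption on the air the one you deployed?) reduce to comparing what a scanner observed against an authorized inventory. The script below is an added example, not code from the book or from Kismet; the survey records and the inventory are constructed to look like a summarized passive scan and an asset list. It flags unknown BSSIDs, ad hoc networks, devices advertising the corporate SSID that are not yours, open networks, and known APs whose observed encryption differs from what was deployed.

```python
# Constructed survey, shaped like a summary of what a passive scanner reports.
SURVEY = [
    {"bssid": "00:11:22:33:44:01", "ssid": "CORP-WLAN", "channel": 6,
     "mode": "infrastructure", "encryption": "WPA2"},
    # Known AP with SSID broadcast disabled: the scanner sees an empty SSID.
    {"bssid": "00:11:22:33:44:02", "ssid": "", "channel": 11,
     "mode": "infrastructure", "encryption": "WPA2"},
    # Known AP that someone reconfigured: WEP on the air, WPA2 on paper.
    {"bssid": "00:11:22:33:44:03", "ssid": "CORP-WLAN", "channel": 1,
     "mode": "infrastructure", "encryption": "WEP"},
    # An employee's own consumer AP, no encryption.
    {"bssid": "aa:bb:cc:dd:ee:ff", "ssid": "linksys", "channel": 6,
     "mode": "infrastructure", "encryption": "none"},
    # A client NIC in ad hoc mode reusing the corporate SSID.
    {"bssid": "02:1a:2b:3c:4d:5e", "ssid": "CORP-WLAN", "channel": 6,
     "mode": "ad hoc", "encryption": "none"},
]

# Constructed authorized inventory: BSSID -> what was deployed.
INVENTORY = {
    "00:11:22:33:44:01": {"ssid": "CORP-WLAN", "encryption": "WPA2"},
    "00:11:22:33:44:02": {"ssid": "CORP-WLAN", "encryption": "WPA2"},
    "00:11:22:33:44:03": {"ssid": "CORP-WLAN", "encryption": "WPA2"},
}


def audit_survey(survey, inventory):
    """Compare observed networks against the inventory.

    Returns a list of (bssid, reason) findings; a network can produce more
    than one finding (e.g. unknown AND unencrypted)."""
    corporate_ssids = {entry["ssid"] for entry in inventory.values()}
    findings = []
    for net in survey:
        bssid = net["bssid"].lower()
        known = inventory.get(bssid)

        if net["mode"] == "ad hoc":
            findings.append((bssid, "ad hoc network: a client NIC, not an AP, "
                                    "is offering a wireless network"))

        if known is None:
            if net["ssid"] in corporate_ssids:
                findings.append((bssid, "unknown device advertising the corporate SSID"))
            else:
                findings.append((bssid, "unknown AP: not in the authorized inventory"))
        elif net["encryption"] != known["encryption"]:
            findings.append((bssid, f"encryption mismatch: deployed "
                                    f"{known['encryption']}, observed {net['encryption']}"))

        if net["encryption"] == "none":
            findings.append((bssid, "no encryption: traffic is sent in the clear"))
    return findings


def findings_by_bssid(findings):
    """Group findings so each device is reported once on the walk-through notes."""
    grouped = {}
    for bssid, reason in findings:
        grouped.setdefault(bssid, []).append(reason)
    return grouped


if __name__ == "__main__":
    for bssid, reasons in findings_by_bssid(audit_survey(SURVEY, INVENTORY)).items():
        print(bssid)
        for reason in reasons:
            print("   -", reason)
```

Note what does not get flagged: the known AP with an empty SSID. Disabling SSID broadcast hides the name from casual tools but not the BSSID from a packet sniffer, so the inventory is keyed on BSSID rather than SSID.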

Auditing Encryption

Once you are confident the information being sent through the air in your environment is all encrypted, it is a good idea to run any available cracking tools to confirm that your encryption implementation is sound. Running searches on the Internet and mining security websites should provide you with plenty of material to try. Here is a list of popular tools for various encryption types:

  • WEPCrack: The first open source WEP cracking tool.

  • AirSnort: A wireless sniffer that guesses WEP keys.

  • WEP Wedgie: A tool used to inject traffic into a WEP conversation to speed the cracking of WEP.

  • AirCrack: A fast WEP-cracking tool.

  • BSD Airtools: A variety of wireless auditing tools for BSD, including a WEP cracker.

  • Asleap: A dictionary-based password attack on the LEAP protocol.

  • WPACrack: A tool that runs offline dictionary attacks against WPA implemented with pre-shared keys.


AirSnort is a freeware Linux-based sniffer that intercepts and decodes WEP-encrypted packets (it has also recently been ported to Windows XP). AirSnort works by promiscuously capturing wireless packets. After approximately 100MB to 1GB of wireless data has been gathered, AirSnort can "guess the encryption password in under a second."[11] AirSnort accomplishes this by exploiting a vulnerability in the key scheduling algorithm of RC4, discovered by Scott Fluhrer, Itsik Mantin, and Adi Shamir (as discussed in the section on WEP encryption, earlier in this chapter).

AirSnort needs to collect wireless packets before cracking the WEP password because, according to the program's documentation, out of 16 million 128-bit WEP keys that wireless cards can generate, about 3,000 are considered "weak." After the program gathers enough "weak" WEP key packets, it is able to decipher the WEP password and decode WEP-protected packets.
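The "weak" packets the two paragraphs above describe are not weak secret keys but weak per-packet keys: WEP builds each frame's RC4 key by prepending a 3-byte cleartext IV to the shared secret, and for IVs of a particular shape the RC4 key-scheduling algorithm leaks information about one secret key byte. The script below is an added example, not code from AirSnort or the book. It implements RC4 (checked against the public "Key"/"Plaintext" test vector), shows how the WEP per-packet key is formed, and classifies IVs by the classic Fluhrer-Mantin-Shamir weak form (B+3, 255, x). For a 13-byte secret (104 bits, marketed as 128-bit WEP) that form gives 13 × 256 = 3,328 weak IVs out of 2^24, which is the "about 3,000" quoted above. The same classifier lets an auditor check a captured IV sequence for whether a driver still emits them; the IV sequence in the demo is constructed.

```python
def rc4_ksa(key):
    """RC4 key-scheduling algorithm: derive the 256-entry permutation S.

    This is the step the Fluhrer-Mantin-Shamir paper analysed.  Its early
    rounds depend only on the first key bytes, which in WEP are the
    attacker-visible IV."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key, n):
    """RC4 pseudo-random generation: n keystream bytes from the scheduled key."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key, data):
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def wep_packet_key(iv, secret_key):
    """WEP's per-frame RC4 key: the 3-byte IV sent in the clear, then the
    shared secret (5 bytes for 40-bit, 13 bytes for 104-bit WEP)."""
    iv = bytes(iv)
    if len(iv) != 3:
        raise ValueError("WEP IV is exactly 3 bytes")
    return iv + bytes(secret_key)


def is_fms_weak_iv(iv, key_len=13):
    """Classic FMS 'resolved' IV: (B+3, 255, x) for secret key byte index B.

    Frames sent with such an IV are the ones AirSnort collects; firmware
    that implements weak-IV avoidance simply skips them."""
    a, b, _ = iv
    return b == 255 and 3 <= a < 3 + key_len


def count_fms_weak_ivs(key_len=13):
    """Number of weak IVs in the whole 2**24 IV space.  The third byte is
    unconstrained, so each weak (a, b) pair contributes 256 IVs."""
    return sum(256 for a in range(256) for b in range(256)
               if is_fms_weak_iv((a, b, 0), key_len))


def weak_iv_usage(ivs, key_len=13):
    """Audit helper: (weak, total) over a captured IV sequence."""
    weak = sum(1 for iv in ivs if is_fms_weak_iv(iv, key_len))
    return weak, len(ivs)


def demo_weak_iv_audit():
    """Constructed IV sequence from a big-endian counter that does not skip
    weak IVs: 512 consecutive values starting at 0x03FF00, so the first 256
    are (3, 255, x) and weak, the next 256 are (4, 0, x) and not."""
    ivs = [((n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF)
           for n in range(0x03FF00, 0x03FF00 + 512)]
    return weak_iv_usage(ivs)


if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())           # bbf316e8d940af0ad3
    print(count_fms_weak_ivs(13), "weak IVs for 104-bit WEP")
    print(wep_packet_key(b"\x03\xff\x00", b"S" * 13).hex())
    print(demo_weak_iv_audit())
```

A driver that avoids FMS-form IVs removes only this class; later work found further weak IV classes, and the tools listed above exploit those too, which is why the chapter's advice is to test with current cracking tools rather than to trust any one IV filter.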

Do not consider this list as exhaustive. New vulnerabilities may appear at any time, and you need to update your auditing tools as regularly as your attackers will.

    Inside Network Perimeter Security (2nd Edition)
    ISBN: 0672327376
    Year: 2005
    Pages: 230
