Wireless Penetration - Vulnerabilities and Resources
To prevent an eavesdropping attack, one must encrypt the contents of a data transmission at several levels, preferably using SSH, SSL, or IPsec. Otherwise, large amounts of traffic containing private information are passed through thin air, just waiting for an attacker to listen in and collect the frames for further illegitimate analysis.
Manipulation attacks build on the capability of eavesdropping by taking this unauthorized receipt of a data stream and changing its contents to suit a certain purpose of the attacker-perhaps spoofing an IP address, changing a MAC address to emulate another host, or some other type of modification.
If a computer running modern versions of Windows or even Linux detects a packet sent from a particular machine on the network, it will assume that the MAC address of that computer correctly corresponds with the IP address from which the sending computer is purportedly transmitting. All future transmissions to that computer will then take place using that efficiently but problematically learned IP address, which is stored in the computer's cache for future reference.
But what if an attacker creates illegitimate packets with a spoofed IP address that claims that IP belongs to his own computer's MAC address? Then, all transmissions from hosts that use the "shortcut" method of learning MAC/IP address combinations will be directed to the attacker's computer and not to the intended host, which allows the attacker's computer to eavesdrop on communications and possibly manipulate responses to deepen his attack. This is certainly a serious problem. An attacker can get packets and frames out of thin air by simply "poisoning" these local caches of MAC/IP combinations of any two hosts connected to the physical network on which any access point runs.
Using special software, a global positioning system (GPS) unit, and a notebook computer with wireless capabilities, an attacker can drive through any city or populated area, sampling the airwaves for wireless access points. The special war driving software keeps information about latitude, longitude, and configuration of the access points found along the driver's route. In fact, one can travel on an interstate system in the United States, or other similarly-traveled highway elsewhere, and find plenty of access points that are open with no security enabled. This is certainly something to keep in mind when deploying your WAPs.
Attacks against the Clear Channel Assessment (CCA) procedure
A flaw in the direct-sequence spread spectrum (DSSS) modulation scheme that 802.11b equipment uses, and in close cooperation with several manufacturers were unable to find a resolution to the problem. The only real solution to the problem is to switch to 802.11a devices, which use a different method of modulation.
A denial of service attack can be launched by a malicious user by working against the Clear Channel Assessment (CCA) procedure in the DSSS protocol, exploiting it at the physical layer. By doing so, all devices within range of the affected access point stop transmitting data for the duration of the attack. Since the CCA procedure is used to discern whether a channel within the wireless spectrum is busy, attacks against the CCA result in a sort of constant "busy" signal that prevents any use of the wireless network while the attack is proceeding.
An administrator can guard against the attack using any number of radio frequency spectrum management tools, which sample the airwaves and determine the channel which is being jammed. Administrators could then dynamically reassign the channel used by their access equipment and restore service to the wireless network. However, the best recommended workaround is to begin employing tri-mode wireless equipment that operates with the 802.11a, 802.11b, and 802.11g protocols.
Wireless Vulnerabilities and Exploits (WVE)
a Secure Wireless Network for a Windows Environment
Common Vulnerabilities and Exploits (CVE)
Vulnerabilties and exploit information relating to these
products can be found here:
cross-site scripting (XSS) vulnerabilities in Cisco Secure Access Control Server
Mobility Controllers and Alcatel-Lucent OmniAccess Wireless do not properly
implement authentication and privilege assignment for the guest account
buffer overflow in the management interfaces in Aruba Mobility Controllers and
Alcatel-Lucent OmniAccess Wireless
802.11 Wireless Mini-PCI driver allows remote attackers to cause a denial of
To receive your Wireless Penetration Test , please submit your payment of $499.00 If more than 100 miles of travel will be required, the additional cost will be billed separatelly.