Establishing Digital Trust: Don't Sacrifice Security for Convenience
All new Wi-Fi CERTIFIED products support WPA2 (AES-CCMP) security, but that's not enough to harden a WLAN against attack. Breaches can still be caused by policy, configuration, and coding mistakes, overly-friendly clients, or unauthorized APs. Continuous surveillance and periodic assessments are important to spot (and then patch!) these and other WLAN vulnerabilities.
You can't conduct a thorough assessment with just one tool, no matter how great the tool. A well-stocked pentest kit includes many tools – some simple, some sophisticated; some free, some not. Ultimately, the "best" toolkit depends on network size, risk tolerance, budget, and personal preference. Commercial tools can save time and effort, but they aren't for everyone. So here we list our favorite free (open source or beggar-ware) wireless security test tools.
10) Android WiFi Analyzer: The first step in any Wi-Fi assessment is to explore your surroundings for surprises on the 2.4 and 5 GHz bands. Free WLAN discovery tools exist for nearly every OS, from the infamous Win32 NetStumbler to Meraki's Java Cloud Stumbler. Our current fave is the Android WiFi Analyzer. With this handy tool, we can record SSIDs and APs, graph real-time channel usage and signal strength, and even locate selected APs – using nothing more than the smartphone in our pocket.
9) Heatmapper: Figuring out where APs are located so that you can identify their owner and threat level can be tedious. Ekahau's free Heatmapper (Win32) is a convenient way to map APs in a small area. Just import a floorplan (or use the default grid) and perform a slow walk-about, pausing to click on your location. After a few minutes (max 15), let Heatmapper plot RF footprints for every AP it heard--often with pretty good accuracy.
8) Kismet: Linux fans know that Kismet is a Wi-Fi Swiss Army knife--it discovers APs and clients, captures Wi-Fi packets from local NICa or remote drones, and can generate alerts for fingerprinted recon activities. Kismet is a versatile client/server tool that can be paired with any RFMON-capable adapter--even on OS X or Cygwin. Using Kismet, you can enumerate discovered APs and clients, helping you spot policy violations like misconfigured APs or misbehaving clients.
7) Wireshark: Sometimes, you have to drill into captured packets to investigate suspicious findings, such as unauthorized apps on your WLAN. When it comes to free WLAN analyzers, nothing beats the cross-platform Wireshark. With the right adapter, Wireshark enables live Wi-Fi analysis on nearly any OS--including Windows. Alternatively, Wireshark can analyze capture files long after you return to the office.
6) Nmap: An assessment should also include taking a hard look at WLAN infrastructure devices: APs, controllers, gateways, and switches that Wi-Fi intruders could try to compromise. Pentests must be performed while connected to every AP and SSID, scanning subnets and VLANs for leaks and probing devices for vulnerable services. Although this process might be different with Wi-Fi, tools don't have to be. We often use our favorite cross-platform TCP/IP scanner Nmap.
5) Nessus: Wireless infrastructure and clients must be hardened like any DMZ device. Many documented Wi-Fi exploits take advantage of poorly-designed Web admin interfaces and coding errors. Here again, general-purpose pentest tools like SARA, Metasploit, and Nessus can be helpful – for example, Nessus can spot many Web app, AP default password, and Wi-Fi driver vulnerabilities.
4) WiFiDEnum: Speaking of Wi-Fi drivers, just about every NIC vendor has made a mistake or two, like failing to parse 802.11 Information Elements correctly or crashing on too-long or missing SSIDs. Wi-Fi driver vulnerabilities are important to detect because drivers are not routinely patched and they run at a low level, where arbitrary code execution can have serious consequences. WiFiDEnum is an easy way to enumerate Wi-Fi drivers (and versions) on every Windows host in your network.
3) Aircrack-ng: Other common Wi-Fi client exposures include weak configurations (e.g., accepting Ad Hoc requests or probing for FreePublicWiFi) and authentication mistakes (e.g., failure to validate 802.1X server identity, easily-guessed pre-shared keys). Many free tools are readily available to "crack" WEP keys or WPA/WPA2-PSKs, including our favorite: Aircrack-ng. This suite of tools comes in handy for many tasks, including discovery, packet capture, forced deauthentication, and WEP/PSK analysis.
2) MDK3: An essential aspect of Wi-Fi vulnerability assessment is exercising your WLAN's policies and countermeasures, looking for blind spots, mistakes, and attacks that can overwhelm your APs, controllers, or IPS. In other words, attacking yourself to validate your defenses. There are many tools that can be used for this, but one of our favorites is MDK3, a command-line utility that can guess hidden SSIDs and MAC ACLs, look for clients vulnerable to authentication downgrade, initiate Wi-Fi Beacon, Deauth, and TKIP MIC DoS attacks, and generally wreak havoc.
1) Karmetasploit: Finally, Wi-Fi clients can be too friendly, connecting to any AP and using sensitive apps without requiring server authentication. Tools like Karma, AirPwn, and Wi-Fish Finder can find clients vulnerable to Wi-Fi based (Evil Twin) man-in-the-middle attacks and teach you about their consequences. Our favorite is Karmetasploit: Karma, running on the Metasploit Framework. If you're responsible for securing Wi-Fi clients and haven't seen this one in action, you really should check it out.
These and hundreds of other Wi-Fi security tools are readily available as Internet downloads. However, your ability to run them depends upon test platform, OS, and Wi-Fi adapter(s). A good way to get started is to download a LiveCD/DVD/USB Linux distro for Wi-Fi pentesting. Our recommendation: BackTrack4, which includes many of the above-mentioned free Wi-Fi security tools.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.