Securing wireless access points: WLAN vulnerabilities, SSID issues, WEP weakness
This portion of the Vines penetration testing tip on securing wireless access points describes WLAN vulnerabilities, SSID issues, and WEP weakness.
Wireless LANs are susceptible to the same protocol-based attacks that plague wired LAN, and also have their own set of unique vulnerabilities. Since wireless access points may proliferate in the organization, unsecured wireless access points can be a danger to organizations because they offer the attacker a route around the company's firewall and into the network.
The service set identifier (SSID) is an identification value programmed in the access point or group of access points to identify the local wireless subnet. This segmentation of the wireless network into multiple networks is a form of an authentication check. If a wireless station does not know the value of the SSID, access is denied to the associated access point. When a client computer is connected to the access point, the SSID acts as a simple password, providing a measure of security.
The wireless access point is configured to broadcast its SSID. When enabled, any client without a SSID is able to receive it and have access to the access point. Users are also able to configure their own client systems with the appropriate SSID because they are widely known and easily shared.
A problem caused by the fact that most access points broadcast the SSID in their signals is that several of these access points use default SSIDs provided by the manufacturers, and a list of those default SSIDs is available for download on the Internet. This means that it's very easy for a hacker to determine an access point's SSID and gain access to it via software tools.
Also, a non-secure access WLAN mode exists, which allows clients to connect to the access point using the configured SSID, a blank SSID, or an SSID configured as "any."
Wired Equivalent Privacy (WEP) is a component of the IEEE 802.11 wireless local area network WLAN standard. Its primary purpose is to provide for confidentiality of data on wireless networks at a level equivalent to that of wired LANs.
IEEE chose to employ encryption at the data link layer to prevent unauthorized eavesdropping on a network. This is accomplished by encrypting data with the RC4 encryption algorithm.
However, WEP is vulnerable because of relatively short IVs and keys that remain static. Most WEP products implement a 64-bit shared key, using 40 bits of this for the secret key and 24 bits for the initialization vector. The key is installed at the wired network AP and must be entered into each client as well.
WEP was not designed to withstand a directed cryptographic attack. WEP has well-known flaws in the encryption algorithms used to secure wireless transmissions. Two programs capable of exploiting the RC4 vulnerability, AirSnort, and WEPCrack, both run under Linux, and both require a relatively small amount of captured data.
Penetration testing -- Securing wireless access points
War walking and war driving
WLAN vulnerabilities, SSID issues, WEP weakness
WLAN DoS attacks, MAC address vulnerabilities
Wireless testing tools
WLAN security countermeasures
About the author
Russell Dean Vines is a bestselling author, Chief Security Advisor for Gotham Technology Group, LLC, and former President of the RDV Group. His most recent book is The CISSP and CAP Prep Guide, published by John S. Wiley and Sons.