When a wireless security assessment is performed, its goals typically include 1) identifying anomalies in the security configuration of the target organization’s wireless infrastructure, and 2) detecting any unauthorized deployment of wireless APs or neighbouring APs masquerading as legitimate devices. For the assessment team, meeting the aforementioned goals can turn out be a challenge depending on the size, layout, and particularities of the target physical premises. For instance, given a strict timeline, how can one perform a more effective assessment of a 17-storied corporate headquarters?
Here are some practical tips we learned from our experiences:
Obtain floor plans. Having floor plans of your target location beforehand will allow you to plan your assessment, and reduce chances of you getting lost in a jungle of cubicles. Floor plans are also very important if you plan to use a graphical survey tool to map out the enumerated wireless networks (discussed later). Of course, detailed floor plans may not always be available, or the floor plans you are given may not be accurate. Make sure to identify and note any discrepancies between the floor plans and the space before you start capturing data.
Obtain list of known deployed assets. This information will allow you to verify wireless networks you have enumerated against known devices deployed by your client. This, in turn, helps in identifying anomalies that require further investigation.
Perform a first pass survey, analyze, then locate the anomalies. On a given floor, do a first pass survey to record data points of wireless characteristics using a tool such as Kismet over as much ground as possible. While it is a good idea to take note of anomalies (insecure encryption configuration, unconventional SSIDs, etc) while performing this first pass, it may be unwise to start hunting for things such as potential rogue access points right away, as you may lose track of the ground you have covered. Once the survey is complete, sit down and analyze the collected data. This analysis will give a much better picture of what to look for.
Approach a multi-storied building floor by floor. A typical challenge with multiple-storied buildings is locating on which floor a potential rogue access point or masquerading device is located. You find a spot where the signal is the strongest, but can’t locate it. Would it be on the floor above or below?
This is where a floor by floor process can help.
- Collect wireless data for each floor separately during the first pass survey. If you are using Kismet, exit the software and start a new instance when you are proceeding to the next floor – this allows you to have separate data files (e.g. .nettxt, .netxml) for each floor.
- During data analysis, for each floor, determine the strongest signal strength measured for each wireless network enumerated on that particular floor.
- If a suspected anomaly, such as a potential rogue wireless AP deployment, needs to be further investigated, you can focus on the floor on which the strongest signal has been measured for this anomaly.
Use a graphical survey solution, if possible. In addition to recording data points of wireless characteristics with standard software such as Kismet, graphical survey solutions, such as VisiWave or tools from the AirMagnet suite, can be leveraged, together with floor plans, to facilitate the assessment by mapping out the enumerated wireless networks.
A GPS receiver can be used in combination with such tools to add accurate location information to the wireless data points. However, in office building environments, issues such as the indoor nature of the premises and the precision of GPS measurements relative to room or floor size can present themselves as challenges to having a meaningful wireless signal map that can effectively guide the pinpointing of a given AP’s location. One alternative is for the assessment team to directly provide to the software relative location information vis-à-vis the floor plan as the survey is performed (e.g. “point and click upon turn” in VisiWave).
The resulting map of the enumerated wireless signals is a very valuable guide to identifying and pinpointing anomalies. In our experience, such a map has helped tremendously in locating rogue access points in obscure or unknown areas of the target building, a task that would have been very difficult and time-consuming if only Kismet or a similar tool was used. These maps are also very handy when it comes time to report your findings.
Know your adapter. It is essential to choose the correct wireless adapter for the task, whether it be a sophisticated spectrum analyzer or a low-cost USB WiFi adapter. In particular, if signal strength measurements are used to guide the pinpointing of given APs, you should know the sensitivity, amplitude range, the maximum signal strength that will be reported. For instance, in the past we have experimented with adapters whose Windows drivers did not report signal strengths higher than -45 dBm. This can be a problem as a large surface area will end up with the same signal strength measurement for a target AP, making it difficult to pinpoint its location. Also, antenna size is another factor to consider. For example, in a co-located downtown office building environment, using a bigger antenna than needed can potentially be detrimental, as the adapter would detect a lot of more neighbouring wireless networks, which add unnecessary noise to your data. We have found that a low-cost USB WiFi adapter can work well for an assessment, if you pick one with the right chipset. Adapters we have worked with include the Alfa AWUS036H (with the RTL8187 chipset) and anything with the Atheros AR9271 chipset, most notably the TP-LINK TL-WN722N and the Alfa AWUS036NHA. The latter two adapters have the capability of going into master or AP mode, which can be useful in mobile application security assessments.