A Case Study on Hacks of Wireless Networks
Joshua Wright, a senior computer security consultant hired to try to hack a client’s wireless network, shared this story about wireless penetration testing and how the little things always seem to get you. Keeping an eye out for these little things could save your business.
Mr. Wright was onsite for a wireless penetration test for a customer who needed validation on his network design and implementation. The customer had carefully designed the network to provide access to three groups of users: employees, legacy handheld wireless scanners, and guests. Employees were granted access to internal systems and applications but were required to first authenticate to the wireless network using two-factor devices.
The legacy handheld wireless scanners were only allowed to access a limited number of needed resources using WPA with pre-shared key authentication. The guest users were restricted to Internet access only over an open wireless network. Mr. Wright’s job was to break in to the network and to demonstrate the weaknesses to the customer.
The employee and legacy wireless networks were both using AES-CCMP encryption, so there was little chance of getting in that way. Mr. Wright attempted to compromise the pre-shared key used on the legacy network but was unsuccessful after exhausting a dictionary list of common passwords.
The employee wireless clients were configured to reject networks without the proper SSID and authentication settings, defeating his attempts to impersonate a legitimate AP. A traceroute on the guest network revealed that it was physically separate from the company WAN.
Mr. Wright was starting to run out of options when he remembered the teaching of spiritual guru Ram Dass who once said, "The quieter you become the more you can hear." Instead of aggressively attempting to exploit the network, Mr. Wright started watching network activity on the guest network with tcpdump, thinking that perhaps he'd find an employee system that was misconfigured and on the wrong network.
After starting tcpdump, Mr. Wright started seeing broadcast and multicast traffic from source IP addresses that didn't belong in the DHCP pool for the guest network. The sources Mr. Wright was seeing were not from guest systems at all, but rather belonged to devices on the employee and legacy device networks.
While still connected to the guest network, Mr. Wright manually configured his adapter with an unused IP address from the employee network, which granted him unrestricted access to internal systems, including an unpatched Windows 2003 server that was vulnerable to the RPC DCOM interface overflow exploit.
Later discussion with the customer revealed that the company WAN connection was deemed too slow for downloading large patch updates, so administrators would temporarily connect internal systems to the guest network to download the patches and disconnect.
One forgotten system was configured to bridge multiple interfaces, granting access to the internal networks from the guest network. By simply listening to what the network was trying to tell him, Mr. Wright was able to bypass the well-planned intentions for security.
Joshua Wright is a senior security analyst for InGuardians, Inc., a computer security consulting services organization, and a senior instructor for the SANS Institute. Joshua specializes in attacking wireless systems, and he has published books, papers, and countless tools on his website, www.willhackforsushi.com. When he’s not hacking wireless networks, Joshua seeks any opportunity to void the warranty on electronic devices.