An Attack Sequence Walk-Through
To summarize our observations, a well thought out professional attack against a wireless network is likely to flow in the following sequence:

1. Enumerating the network and its coverage area via the information available online and from personal contacts and social engineering resources. Never underestimate the power of Google, and remember that humans are and always will be the weakest link.

2. Planning the site survey methodology and the attacks necessary to launch against the tested network.

3. Assembling, setting up, configuring, and checking all the hardware devices and software tools necessary to carry out the procedures planned in step 2.

4. Surveying the network site and determining the network boundaries and signal strength along the network perimeter. At this stage, use omnidirectional antennas first, then semidirectionals, then high-gain directional grids or dishes. Establish the best sites for stationary attacks against the target network. Considerations when choosing such sites include the LoS, signal strength and SNR, physical stealth factors (site visibility, reachability by security guards and CCTV), comfort for the attacker in terms of laptop and antenna placement, and site physical security (watch out for rough areas; laptops are expensive!).

5. Analyzing the network traffic available. Is the traffic encrypted? How high is the network load? Which management or control frames are present, and how much information can we gather from them? Are there obvious problems with the network (a high level of noise, channel overlapping, other forms of interference, lost client hosts sending probe requests)?

6. Trying to overcome the discovered safeguards. This might involve bypassing MAC and protocol filtering, determining closed ESSIDs, cracking WEP, and defeating higher-layer defensive countermeasures, such as wireless gateway traffic filtering, RADIUS-based user authentication, and VPNs.

7. Associating to the wireless network and discovering the gateway to the Internet or border router, possible wireless and wired IDS sensors, centralized logging host(s), and all other detectable hosts on both the wired LAN and the WLAN.

8. Passively enumerating these hosts and analyzing the security of the protocols present on the wireless and connected wired LANs.

9. Actively enumerating the interesting hosts found and launching attacks against them aimed at gaining root, administrator, enable, and other privileges.

10. Connecting to the Internet or peer networks via the discovered gateway and testing the ability to download and upload files from the Internet or peer network to the wireless attacker's host.
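The traffic analysis step above asks what the captured management frames reveal: whether the network is encrypted and whether lost clients are still probing for a remembered ESSID. The triage below is an added example, not code from this book or from Arhont's audit template; it parses hand-constructed 802.11 beacon and probe-request frames (not a real capture) so an auditor can flag open APs and misconfigured clients before anyone else does.

```python
import struct
CAP_PRIVACY = 0x0010  # Privacy bit in the beacon capability field: encryption is on

def parse_ies(body):
    # Walk the tagged information elements (id, length, value) into a dict.
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        ies[eid] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies

def triage_frame(frame):
    # Classify one raw 802.11 management frame (24-byte header, then body).
    if len(frame) < 24: return None
    subtype = frame[0] >> 4
    src = ":".join(f"{b:02x}" for b in frame[10:16])  # addr2 = transmitter
    body = frame[24:]
    if subtype == 8:  # beacon: timestamp(8) interval(2) capability(2) IEs
        cap = struct.unpack_from("<H", body, 10)[0]
        ssid = parse_ies(body[12:]).get(0, b"").decode(errors="replace")
        return "beacon", src, ssid, bool(cap & CAP_PRIVACY)
    if subtype == 4:  # probe request: IEs only; a non-empty SSID IE names a remembered network
        ssid = parse_ies(body).get(0, b"").decode(errors="replace")
        return "probe", src, ssid, None

def audit(frames):
    # Findings a defender acts on: open APs, and clients probing for named networks.
    open_aps, probing = {}, {}
    for frame in frames:
        hit = triage_frame(frame)
        if hit is None: continue
        kind, src, ssid, encrypted = hit
        if kind == "beacon" and not encrypted:
            open_aps[src] = ssid
        elif kind == "probe" and ssid:
            probing.setdefault(src, set()).add(ssid)
    return open_aps, probing

# Constructed sample frames (not a real capture): two APs and one roaming client.
def mgmt(subtype, src, body):  # broadcast addr1, src as addr2/addr3, sequence 0
    return bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + src * 2 + b"\x00\x00" + body
ie = lambda eid, data: bytes([eid, len(data)]) + data
AP_OPEN, AP_WEP, CLIENT = (bytes.fromhex(h) for h in ("00110a000001", "00110a000002", "0016cb000001"))
SAMPLE_FRAMES = [
    mgmt(8, AP_OPEN, b"\x00" * 8 + struct.pack("<HH", 100, 0x0401) + ie(0, b"guest")),
    mgmt(8, AP_WEP, b"\x00" * 8 + struct.pack("<HH", 100, 0x0411) + ie(0, b"corp")),
    mgmt(4, CLIENT, ie(0, b"corp-old") + ie(1, b"\x82\x84")),  # client still remembers an old ESSID
    mgmt(4, CLIENT, ie(0, b"")),  # broadcast probe, leaks no network name
]
```

Running `audit(SAMPLE_FRAMES)` reports the open AP and the client that still probes for "corp-old"; the broadcast probe is ignored because it carries no network name.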
Give this scheme a try, and you might find that your wireless penetration testing efficiency has improved dramatically, even though you did not introduce any additional tools apart from the ones you are using already.
To conclude this chapter, we recommend that you review a pared-down version of the wireless network security and stability audit template used by Arhont's wireless network security and troubleshooting team as part of its casual wireless audit practice. The template opens Appendix G; simply browse to its section on wireless penetration testing and check out the general wireless networking considerations and site survey procedures on the way. It should give you an idea of a proper wireless security audit plan that you can further improve and incorporate into your everyday work environment. Some points in the template that might not be clear to you right now will be explained later in the book. Of course, you might have developed a similar plan already. We are open to all propositions and additions to the template.