The Art of Vulnerability Assessments

The Art of Vulnerability Assessments

Postby AM_WirelessSecurity » Mon May 16, 2011 10:10 am

A vulnerability assessment is a systematic evaluation that uses penetration testing and observation to identify security weaknesses that could potentially be exploited, and the consequences of doing so (e.g., attacks that can be run successfully in a given network, the information they can obtain, and the systems they can compromise). These assessment results must then be reviewed to determine severity and steps that can effectively reduce or eliminate threats -- for example, update an AP, reconfigure a client, or add a new firewall rule.

To be truly effective, vulnerability assessments should be repeated regularly. For example, conduct an assessment before and after initial WLAN deployment to spot newly introduced vulnerabilities and verify that installed security measures are working as intended. Repeat the assessment after network upgrades or policy changes, and at regular intervals, to prevent vulnerabilities from creeping into your WLAN over time.

If you are responsible for conducting a WLAN vulnerability assessment, start by defining test objectives, methodologies, and expected outputs. Test results vary, depending upon available tools, the topology of the network being assessed, that network's security policy, etc. However, it is critical that the methods used, the tests to be run, and all results be documented to enable consistent assessment of the entire network and retesting to verify fixes.

Begin with a prototype assessment on a few WLAN resources, refining your test methods and outputs until you are comfortable applying them on a larger scale. Use prototype results to revisit your objectives -- are you exercising the security policies you intended to verify, or providing answers to the questions originally posed? This up-front "sanity check" can avoid wasting time on unnecessary tests or repetition to collect missing results.

Here are some techniques and tools that can be useful when conducting a WLAN vulnerability assessment:


The first step in any assessment is to identify all wireless devices near the site(s) under test. Authorized devices will be subjected to further assessment; the rest will be scrutinized to determine ownership, impact on WLAN operation, and potential threat. Discovery is part of the site survey conducted when planning a new WLAN, but the information needed for risk analysis is a subset of that required for network design. Here, we describe WLAN discovery for security purposes only.

A complete vulnerability assessment requires a portable WLAN Analyzer that can scan all RF frequencies (channels) used by 802.11 networks, export details about all wireless devices, and accurately plot those results on floor plans. Ideally, these tools should make it easy to find newly discovered devices.

For best results, work from a floor plan to methodically scan for devices at regular intervals, covering the entire site, inside and out, above and below. Scan all channels, in both radio bands used by 802.11, repeating the survey at least twice, at different times of day. Generate a list of observed 802.11 and other devices. For APs, record their ESSID, MAC address, VLAN tag, IP address, physical location (e.g., geographic coordinates), channel, SNR, and observed 802.11/802.1X settings. Here, it can be helpful to group virtual APs that appear to be supported by a single physical AP. Then generate a list of discovered Stations, noting whether they are associated to an Ad Hoc node, probing for multiple ESSIDs, and/or actively associated with specific AP(s). For non-802.11 devices detected during an assessment, use spectrum analysis to fingerprint device type.

Next, use the site's WLAN inventory (if one already exists) to isolate previously unknown devices. For efficiency, you may wish to list but otherwise ignore APs with weak SNR (distant neighbors) or transient unassociated Stations (guests). For the rest, use a "find" tool (or a WIPS with rogue mapping) to physically locate each device, attempting to identify equipment type and owner. Finding all stations may not be necessary or practical – guest devices tend to be transient. But continue device discovery until you have found all APs above a defined SNR and all significant RF interference sources.

Save scan results, using an assessment worksheet to consolidate what you have learned thus far. If possible, feed AP discovery results into a WLAN survey system to visualize their locations, overlapping coverage areas, and external RF leakage. These survey results provide the foundation for penetration testing, inventory update, and MAC Access Control Lists. For example, configuring your WLAN Analyzer with meaningful AP aliases and ESSID groups makes it easier to differentiate between authorized devices, known neighbors, and future rogues.


Intruders can use wireless, TCP/IP, and server attack tools to attempt to compromise your WLAN. You can “fight fire with fire” by using these same tools to attempt to penetrate your own devices and WLAN infrastructure. Aiming simulated attacks at your WLAN determines whether intruders could successfully exploit common vulnerabilities, and helps you understand immediate consequences (e.g., visible data, networks breached, systems crashed).

Network-borne attacks usually start by scanning nearby devices and TCP/UDP ports, using tools like Nmap or Nessus. Devices that appear to be active may then be "fingerprinted" to identify operating systems, server programs, accounts, and shares. A Common Vulnerabilities and Exposures (CVE) database is often consulted for flaws in the target's software and tools that can exploit them. During a WLAN assessment, you can aim these tools at your own wireless gateways/switches, APs, hosts, and other systems exposed to wireless, such as DHCP and DNS servers. Run penetration tests while associated to different APs to spot subnet, VLAN, and ESSID-specific vulnerabilities. If your WLAN uses VPN or portal authentication, runs pen-tests both before and after authentication.

Intruders can try to exploit active APs and open ports to connect to your network and services. To check for these vulnerabilities, probe management ports (Telnet, SSH, SNMP, TFTP) using default or common logins. Analyze captured WEP keys and WPA/WPA2-PSKs with a tool like Aircrack-NG or a cloud service like WPA Cracker. Record client-generated 802.1X/EAP user IDs and supported EAP types using a tool like EAPeak or WiFishFinder. During an assessment, use these tests to identify weak controls and credentials for every device/port and ESSID. To test off- hours, you may need to generate simulated WLAN traffic, using a tool like iperf.

Intruders may also aim 802.11, 802.1X, and TCP/IP DoS tools at WLAN infrastructure. An assessment should therefore exercise your WLAN’s DoS defenses, including configurable DoS thresholds on wireless gateways, switches, and firewalls, and Wireless Intrusion Prevention System DoS detection coverage. For example, go systematically from floor to floor, using tools like MDK3 to flood attack targets and find any WIPS sensor coverage holes. Use a framework like Metasploit to probe every AP model/version in your WLAN for product-specific DoS vulnerabilities by sending 802.11 and 802.1X exploit messages. Aim TCP, UDP, and ICMP floods at your WLAN gateway/firewall to find the rate at which failure (if any) occurs. Because DoS testing is disruptive -- and potentially destructive -- exercise caution about which tests you run, when, and where.

Finally, run your own Evil Twin AP and wireless driver exploits to assess how wireless stations react and evaluate the effectiveness of deployed countermeasures. For example, use Karmetasploit to launch KARMA man-in-the-middle attacks from an Evil Twin AP to identify any exposed application credentials that are easily intercepted during these attacks. If you use WIPS to auto-block rogue APs, verify that your Evil Twin is effectively quarantined, testing at least two simultaneous rogues, with and without corporate network connectivity. Simulate rogue scenarios that can be a bit harder to spot, like lower power APs, soft APs, and portable personal hotspot APs, including those tuned to channels not normally used by your WLAN.

Many of the tools mentioned here can be individually downloaded from websites or found in a bootable pen-test environment like BackTrack4. Use pen-test results to flesh out your assessment worksheet, highlighting any attacks that were easy and had major impact.


WLAN discovery and pen-tests find vulnerabilities, but do not indicate whether they have ever been exploited by actual attackers. Portable WLAN Analyzers can "spot check" wireless activity in one location -- in fact, running an analyzer next to your pen-test system can be helpful to eyeball simulated attacks. But for full-time monitoring of your entire WLAN, devices therein, and actual user traffic, use a Wireless Intrusion Prevention System (WIPS).

Like wired network IPS, a wireless IPS uses traffic analysis to watch for attack signatures, protocol errors, atypical behavior, and policy violations, generating alerts and defensive actions. But WIPS sensors listen to the air, in local and remote offices, decoding 802.11/802.1X protocols and analyzing all wireless activity within a given RF band. WIPS servers understand wireless attacks and can enforce wireless security policies -- for example, automatically deauthenticating rogue devices. Intrusion alerts and related evidence are recorded to a central database for future reference during routine compliance reporting or post-breach forensic analysis.

WIPS also can be extremely helpful during a WLAN vulnerability assessment. WIPS can help "fill in the blanks" during WLAN discovery, because a full-time monitor will inevitably hear more than ad hoc sampling by portable test tools. By combining observations made by several remote 802.11 and spectrum sensors, WIPS can triangulate a discovered device's location on a floor plan to make searches more efficient. By generating policy-based alerts, WIPS can help you spot mis-configured devices, actual attacks that may have occurred recently, problem-prone locations and devices that may warrant additional scrutiny, and on-going risky user behavior.

During pen-testing, WIPS can confirm that tests are working as expected. It can teach you how to recognize signs of attack and record information needed to investigate an incident or understand its impact, long after the attack ends. WIPS can even combine current and past observations to suggest how to mitigate threats. In return, pen-test results may help you fine-tune your WIPS. For example, results may lead you to adjust sensor placement, change scanned channels, augment 802.11 sensors with spectrum analysis, revise DoS alert thresholds, customize alert notifications, or extend WIPS data retention policies.


The broad insights delivered by WIPS can be complemented by drill-down investigation. WLAN and spectrum analyzers are instrumental during vulnerability assessment, from start to finish. Portable (laptop or handheld-based) analyzers provide a mobile platform for device discovery, traffic capture, and eye-balling wireless activity while pen-tests are in progress. After testing ends, remote (WIPS sensor or AP-based) analyzers can help you dig deeper to investigate potential vulnerabilities.

For example, when pen-testing a site, you might use a handheld analyzer to capture and decode 802.11 packets. By examining channel utilization, you might spot a channel experiencing considerable RF interference. By drilling down with a handheld spectrum analyzer, you could identify the non-802.11 culprit (e.g., microwave oven) and its location. While this might not at first seem like a security issue, RF interference (even when accidental) is one form of DoS attack. Inability to reliably detect and mitigate this attack could be a vulnerability that you wish to address.

Alternatively, if the poor air quality appears to be caused by 802.11 packet collisions, you might apply a filter to focus on suspicious traffic -- for example, all 802.11n packets. If the source is an unknown AP, you can try to associate with it and trace network connectivity. If the source is a hidden node, you can use a “finder” – an audio-visual real-time signal strength meter – to move towards the offending device. Wireless devices can be gone by the time assessment results are reviewed, so it is best to gather information during the test itself. But there will inevitably be situations where, during review, gathering further information could help. Remote analyzers fill that gap without traveling back to the test site. For example, you might instruct a WIPS sensor at the test site to record live transmissions, enabling drill-down spectrum analysis. At sites without dedicated WIPS sensors, you might place an AP into remote analyzer mode to see decode a suspicious station’s traffic in real-time.

Why stock your pen-test toolbox with portable and remote WLAN and spectrum analyzers? Portable analyzers excel at efficient on-site investigation, while remote analyzers enable cost-effective off-site investigation. WLAN analyzers let you peer into 802.11, while spectrum analyzers dig into non-802.11 transmissions. In WLANs that carry voice over IP, VoFi analyzers can assess call impact. The combination gives you the best of all worlds, bypassing the limitations of any single analyzer.

There you have it, good luck. :mrgreen:
Trial Account
Posts: 12
Joined: Fri Apr 29, 2011 9:35 am

Return to WLAN Security

Who is online

Users browsing this forum: No registered users and 1 guest




Whitepaper: WLAN Design and Site Survey
Site Survey Check List
802.11n Reference Guide
RF Basics
Planning for 802.11n
Voice-over-Wireless Best Practices
Home  |  Security Center  |  All Things Wi-Fi  |  Blog  |  Library  |  AirMagnet.com  |  FlukeNetworks.com
© 2006-2013 Fluke Corporation. All rights reserved.