Jan 24 2011

Penetration Testing Goes Mobile

As agencies succeed in locking down their infrastructures, penetration tests of roaming users and wireless networks will help secure the endpoints.

The proliferation of wireless networks has added convenience and flexibility for many agencies, but these same technologies also expose government information to new security risks.

One way to understand and mitigate these risks is through wireless penetration assessments performed either by qualified agency workers or a trusted third party. Like anything else in the information security realm, wireless penetration assessments have evolved rapidly.

Gone are the days when a penetration tester could simply look for rogue access points using 802.11b and g and focus on attacking the infrastructure. In that scenario, successful penetration tests often came from attacking access points and cracking the WEP (Wired Equivalent Privacy) key used to secure the network.

Although it is still not uncommon to find WEP in use, it is well known to be insecure and fairly easy to crack. It is far more common to see 802.11 networks implemented using enterprise authentication such as PEAP (Protected Extensible Authentication Protocol).

Successful penetration tests now require attacking client systems, mobile devices and other wireless technologies. In addition, the growth of new technologies such as ZigBee (often used in building automation), Bluetooth and DECT (Digital Enhanced Cordless Telecommunications, used in wireless phone networks) presents more attack vectors.

Software-defined radios such as USRP (Universal Software Radio Peripheral), for which schematics are freely available for download, have made it easier and cheaper for attackers to target these wireless technologies. One of the most alarming trends is the proliferation of free, easily available tools that allow “point and click” attacks. This means novice attackers are able to perform attacks that a few years ago would have required a great deal of skill and time.

New Attacks Require New Defenses

With the focus on attacking wireless clients rather than infrastructure, there must be more attention placed on client security. The overall security of PEAP networks largely depends upon the security of client configuration. It’s essential that all wireless clients be properly configured.

Using Group Policies, it is fairly simple to ensure that Microsoft Windows devices are configured to validate the identity of the RADIUS (Remote Authentication Dial-In User Service) server to which they are connecting by validating the TLS (Transport Layer Security) certificate. If the clients are not configured correctly, an attacker can set up a fake wireless access point and a rogue RADIUS server in an attempt to trick users into logging into the fake network. When users attempt to log into the fake network, the attacker can capture the credentials, crack them offline and use them to access the network.
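As an added example (not part of the original article), the following Python check reads exported Windows wireless profiles, such as those written by netsh wlan export profile, and reports the server-validation gaps described above. The element names are the ones used in Windows PEAP profile XML; the function names and the sample profiles are constructed for illustration.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    """Drop the XML namespace so element names match in any export."""
    return tag.rsplit("}", 1)[-1]


def _texts(root, name):
    """Text of every element called `name`, wherever it sits in the profile."""
    return [(e.text or "").strip() for e in root.iter() if _local(e.tag) == name]


def audit_peap_profile(xml_text):
    """Return a list of findings for one exported WLAN profile."""
    root = ET.fromstring(xml_text)
    findings = []
    if "false" in _texts(root, "PerformServerValidation"):
        findings.append("server certificate validation is disabled")
    if not any(_texts(root, "TrustedRootCA")):
        findings.append("no trusted root CA is pinned")
    if not any(_texts(root, "ServerNames")):
        findings.append("no RADIUS server name is pinned")
    if "true" not in _texts(root, "DisableUserPromptForServerValidation"):
        findings.append("user can be prompted to trust an unknown server")
    return findings


def sample_profile(validate, names, root_ca, no_prompt):
    # Constructed, simplified profile; real exports carry namespaces
    # and many more elements around these settings.
    return f"""<WLANProfile><name>AgencyNet</name><EapType>
      <ServerValidation>
        <DisableUserPromptForServerValidation>{no_prompt}</DisableUserPromptForServerValidation>
        <ServerNames>{names}</ServerNames>
        <TrustedRootCA>{root_ca}</TrustedRootCA>
      </ServerValidation>
      <PerformServerValidation>{validate}</PerformServerValidation>
    </EapType></WLANProfile>"""


if __name__ == "__main__":
    profiles = {
        "hardened": sample_profile("true", "radius.agency.example", "00 11 22 33", "true"),
        "weak": sample_profile("false", "", "", "false"),
    }
    for label, xml_text in profiles.items():
        print(label, audit_peap_profile(xml_text) or "OK")
```

A profile that passes still depends on the pinned root CA and server name being the agency's own, which this check does not verify.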

One of the reasons this attack is so effective is that most clients will automatically attempt to connect to a network with the same name as one they have connected to previously, meaning attackers can name their fake networks with common names or known agency network names. There are many freely available programs, such as airbase-ng, Karma and Jasager, that automate this task by searching for wireless clients probing for a network and automatically creating a network with the same name the client is looking for. Many times, users are unaware that their device has joined a network.
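From the defender's side, the behaviour described above leaves a trace a monitoring sensor can look for. The following added example (not from the original article) flags an access point that advertises an agency network name from a radio outside the agency's inventory, or that answers for an unusual number of different network names. All addresses, names and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed survey data: (BSSID, SSID) pairs taken from beacons and
# probe responses seen by a monitoring sensor. All values are made up.
OBSERVED = [
    ("00:11:22:aa:bb:01", "AgencyNet"),
    ("00:11:22:aa:bb:02", "AgencyNet"),
    ("02:de:ad:00:00:01", "AgencyNet"),
    ("02:de:ad:00:00:01", "linksys"),
    ("02:de:ad:00:00:01", "HotelGuest"),
    ("02:de:ad:00:00:01", "CoffeeShopWiFi"),
    ("00:33:44:cc:dd:01", "CoffeeShopWiFi"),
]
AGENCY_SSIDS = {"AgencyNet"}
AUTHORIZED_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}


def find_suspect_aps(observed, agency_ssids, authorized, max_ssids=2):
    """Map each suspicious BSSID to the reasons it was flagged.

    max_ssids is an assumed threshold: a single radio address answering
    for more names than this is treated as responding to client probes.
    """
    authorized = {b.lower() for b in authorized}
    ssids_by_bssid = defaultdict(set)
    for bssid, ssid in observed:
        ssids_by_bssid[bssid.lower()].add(ssid)

    alerts = {}
    for bssid, ssids in ssids_by_bssid.items():
        reasons = []
        spoofed = sorted(ssids & agency_ssids)
        if spoofed and bssid not in authorized:
            reasons.append("unauthorized BSSID advertising " + ", ".join(spoofed))
        if len(ssids) > max_ssids:
            reasons.append(f"answers for {len(ssids)} different SSIDs")
        if reasons:
            alerts[bssid] = reasons
    return alerts


if __name__ == "__main__":
    for bssid, reasons in find_suspect_aps(
            OBSERVED, AGENCY_SSIDS, AUTHORIZED_BSSIDS).items():
        print(bssid, "->", "; ".join(reasons))
```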

There are many more tools available to automate client-side attacks, meaning that novice attackers can pose a significant threat. One of these tools is Karmetasploit, which comes into play once a client connects to a fake access point. This tool directs all traffic to an instance of a free tool called Metasploit (a framework that allows for development of exploit code), which in turn directs all network traffic to malicious HTTP, e-mail and other services that exploit code and attempt to ultimately take over the system — and then the network.

It is important to remember that an attacker only needs to find one incorrectly configured client to gain a foothold into the agency network. It is far more difficult to secure mobile devices. Even when mobile devices support secure authentication, there is often no way to centrally manage the security settings for these devices.

Attacking and Protecting Mobile Devices

There are many tools available to harden and secure notebooks, including Group Policy Objects, startup scripts, antivirus software and host intrusion detection systems.

Fortunately for the penetration tester, these protections are not usually available on mobile devices such as smartphones. Because of this, if testers have trouble getting into a network using traditional methods, they will find a user with a mobile device and target that device. Often these devices are not configured to correctly validate the RADIUS server, which means these devices can serve as a launchpad for getting into a targeted network.

Illustration: Elizabeth Hinshaw
"Keep in mind that most, if not all, protections deployed on the agency network, including an intrusion detection system, wireless IDS and intrusion prevention system, offer no protection to mobile devices used on public networks." — Matt Neely and Alex Hamerstone

Taking the Show on the Road

Keep in mind that most, if not all, protections deployed on the agency network, including an intrusion detection system, wireless IDS and intrusion prevention system, offer no protection to mobile devices used on public networks. As the workforce becomes more connected, multiple opportunities are created for new attacks.

To break into mobile devices attached to the organization network, we will often go to a nearby restaurant or coffee shop around lunch. Although few employees bring their notebooks to lunch, most bring their mobile devices everywhere they go. There are several ways that testers can attack these devices and gain access to a network. One is to set up a fake network and trick mobile users into connecting. Another is to sniff and intercept traffic as it travels across an open, unencrypted network at a coffee shop or hotel. Freely available point-and-click tools such as Firesheep allow novice attackers to steal authentication cookies sent over a wireless network and hijack browsing sessions to web mail and social networking sites.

Rogue Access Point Detection

Attackers commonly exploit any new technology and take advantage of the lag in awareness of new methods. Greenfield mode breaks backward compatibility in 802.11n networks to allow for faster speeds, but cannot be seen by most 802.11a, b and g cards. As such, it is essential that wireless penetration testers specifically look for networks using 802.11n greenfield mode, or they may miss rogue access points.

Expensive hardware upgrades are often required in wireless IDS deployments to ensure sensors can detect 802.11n in greenfield mode. Be sure that contracts for penetration testing include detection of greenfield mode networks.

The Future of Wireless Penetration Assessments

The scope of the typical wireless penetration assessment is expanding rapidly as wireless technologies mature and become more ubiquitous. Attackers are always looking for new methods to exploit systems. And just as the hardening of the infrastructure has led to an increased focus on client vulnerabilities, hardening of clients will force attackers to focus on new wireless technologies, such as ZigBee and DECT. There are many known exploits for Bluetooth, and although these have not received much attention, they often present viable avenues for network attacks.

Agencies must remain vigilant and stay informed of new attacks, and, as with all security, user education and awareness will also continue to be crucial, effective tools for protecting systems, networks and information.