Security Laboratory

Security Laboratory: Wireless Security

This series covers wireless security. We will post papers on the latest threats as well as fundamental tutorial information you need to design and pen test a wireless network.

An Interview with Joshua Wright

By Stephen Northcutt
Josh Wright is a well respected security researcher, especially in the wireless arena, and he is the author of SANS wireless security course SEC 617. We certainly appreciate his taking the time to share his thoughts with the SecurityLab.

Josh, I see that you have your "hack for sushi" web site up. Can you tell me a bit about the picture? What is the story behind it?

My fatal character flaw is that I have no financial management skills whatsoever. While I never had a formal consulting practice, I would engage in fairly large consulting projects as an outsourced contractor or directly with a customer, finish the work to the customer's satisfaction, and then never send a bill! For me, by the time the work was done I became disinterested in the task and moved on to other projects. My friends would often joke about this habit, where my only form of payment for the work I had done would end up being one or two sushi meals. I was often told I would end up penniless, hacking for sushi.

Fortunately, my beautiful and talented wife is also an accountant, so she takes care of all financial matters now.

Nice, one of the great things about marriage is the complementary strengths our spouse can provide. I assume from the quote on the right that you have written some wireless exploits. Can you tell us about your three favorites and where to get them?

I wrote a bunch of tools and continue to do so; however, my favorite tools aren't specifically exploits, but rather tools that can be multipurposed for many tasks. While they can be used for exploiting systems, they can also be used for researching security techniques, validating wireless implementations, and learning about wireless security threats.

  • LORCON stands for Loss Of Radio CONnectivity, and it is a developer's framework for spoofing legitimate and illegitimate frames into a wireless network. LORCON has been used in popular hacking tools such as Metasploit but also in the support of wireless fingerprinting research projects at Sandia National Laboratories.
  • File2air is a command line tool to take any packet and transmit it as a wireless frame. It uses the LORCON API so it runs on Windows and Linux platforms. File2air is used to generate numerous attacks against wireless networks in creative ways, and also to implement fault-injection (fuzzing) test cases. The very smart folks at the Dartmouth College Measurement, Analysis and Protection of Wireless Networks (MAP) project use File2air to analyze several wireless attacks.
  • Asleap is a classic tool for the offline dictionary attack against Cisco LEAP networks. Asleap can audit any MS-CHAPv2 exchange, including PPTP VPN network authentication, and any manual assessments where the MS-CHAPv2 challenge and response are known.

All tools are available on my website at

I keep hearing people say that applications are the hot area, that hackers are attacking our applications, but it is not clear to me that the networks have really been secured. Is that still an issue, are networks still vulnerable?

In my experience, many organizations still fail to take adequate security measures to protect their networks. Wireless is an enabler for an attacker, making it much easier to exploit the weak points in the network. We've recently seen the press reporting massive data theft from the TJX Company, reportedly over weak wireless networks, and, even more recently, attacks against Citigroup and the Pentagon Federal Credit Union, also over wireless.

From an accessibility perspective, there is a huge risk to organizations and application vulnerabilities. As an attacker, application weaknesses are how I'll escalate my privileges on a system. Combined with wireless access, attackers can often gain unmonitored, anonymous access to internal networks from which to exploit application vulnerabilities.

When I go to conferences, I tend to disable my wireless and use my cell phone card, is that really safer?

Cellular data network communication is safer, if only through obscurity. In the US, it is illegal to monitor cellular frequencies, prohibiting researchers from investigating vulnerabilities in these protocols. Outside the US, the German hacker group The Hackers Choice ( has successfully implemented a GSM sniffer and developed a tool to compromise encrypted voice communications. I believe the sanctity of cellular data networks is short-lived as more researchers turn their attention to this attractive target.

If I did not disable my wireless card on my laptop in public places, what could happen to me other than eavesdropping? I realize that people can capture and read my unencrypted communications, but what other risks are there?

Network manipulation is a clever attack, potentially subverting encrypted SSL/TLS traffic. For example, if you browse to your online banking application that initially uses HTTP but switches to HTTPS to protect your authentication credentials, an attacker can dynamically subvert the content such that your credentials are sent to the attacker unencrypted before they are sent to the legitimate banking site.

Impersonation attacks also become possible on an unencrypted WLAN where an attacker can observe you logging into a webmail account, such as Yahoo! Mail or GMail, and access all of your mail until you log out.

I bought the AirPcap product and I really like it, but when I sniff my home network it says the majority of the packets are malformed. Any words of wisdom on that?

The AirPcap product from the great guys at CACE Technologies is a powerful tool granting Windows users new visibility into wireless networks. The AirPcap control panel allows users to capture packets that have a valid Frame Check Sequence (FCS) as well as an invalid FCS. For most users this feature should be turned off so that only valid frames are captured. However, if you are seeing more than 6-10% packets with an invalid FCS, you may have a non-802.11 interference issue. Inexpensive spectrum analysis tools, such as the WiSpy tool made by Metageek, are useful for identifying interference issues.
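As an added illustration of the FCS check discussed in this answer (example code written for this page, not from the interview, AirPcap or any of Josh's tools): the 802.11 FCS is a CRC-32 over the rest of the frame, so a capture can be checked offline and the invalid-FCS ratio compared against the 6-10% rule of thumb. The sample frames are constructed here, not captured traffic.

```python
import struct
import zlib

# 802.11 frames end with a 4-byte FCS: CRC-32 (same polynomial as Ethernet),
# transmitted least-significant byte first. zlib.crc32 computes exactly this CRC.

def compute_fcs(frame_body: bytes) -> bytes:
    """Return the 4-byte FCS that belongs at the end of frame_body."""
    return struct.pack("<I", zlib.crc32(frame_body) & 0xFFFFFFFF)

def fcs_valid(frame: bytes) -> bool:
    """True if the trailing 4 bytes match the CRC-32 of everything before them."""
    if len(frame) < 4:
        return False
    return compute_fcs(frame[:-4]) == frame[-4:]

def invalid_fcs_ratio(frames) -> float:
    """Fraction of captured frames whose FCS does not check out."""
    frames = list(frames)
    if not frames:
        return 0.0
    bad = sum(1 for f in frames if not fcs_valid(f))
    return bad / len(frames)

def interference_suspected(frames, threshold=0.10) -> bool:
    """Rule of thumb from the interview: above roughly 6-10% bad FCS,
    suspect non-802.11 interference rather than the sniffer itself."""
    return invalid_fcs_ratio(frames) > threshold

def valid_frames_only(frames):
    """Same effect as turning off 'capture invalid FCS' in the control panel."""
    return [f for f in frames if fcs_valid(f)]

# Constructed sample capture (not real traffic): a minimal 24-byte 802.11
# data-frame header (frame control, duration, three addresses, sequence
# control) plus a short payload. Frames 2, 5 and 8 get one bit flipped after
# the FCS was appended, simulating a frame damaged on the air.
def _make_frame(payload: bytes, corrupt: bool) -> bytes:
    header = bytes.fromhex("08013a01" + "001122334455" * 3 + "1000")
    body = header + payload
    frame = body + compute_fcs(body)
    if corrupt:
        frame = frame[:24] + bytes([frame[24] ^ 0x01]) + frame[25:]
    return frame

SAMPLE_CAPTURE = [_make_frame(b"frame-%d" % i, corrupt=i in (2, 5, 8))
                  for i in range(10)]

if __name__ == "__main__":
    print("invalid FCS ratio: %.0f%%" % (100 * invalid_fcs_ratio(SAMPLE_CAPTURE)))
    print("interference suspected:", interference_suspected(SAMPLE_CAPTURE))
```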

I just got an apple iPhone, are there any security risks to using it that I should be aware of?

We've seen some attacks against the 802.11 and Bluetooth stacks on the iPhone, but nothing that has been distributed publicly yet. As we add more and more functionality into embedded devices like the iPhone, the complexity of the device grows tremendously while still trying to minimize overhead and memory utilization. Historically, this results in security flaws, especially when there is tremendous pressure on developers for time-to-market delivery.

Where do you see wireless going in the next few years? Is this just a phase and we will be doing something else or will it continue to grow?

With the IEEE 802.11n high-throughput changes to wireless LANs, I expect more organizations to adopt "pure-wireless" deployments, replacing wired LAN environments for mobility and cost savings. Organizations are turning to WPA/WPA2 security to protect their wireless networks, which is great, but at the same time attackers are exploiting weaknesses that are not adequately addressed with WPA2.

I expect WiMax to continue to grow in popularity as a backhaul (last mile and mesh) technology, despite significant security weaknesses in the protocol. The initial adoption by consumers will likely be in customer-premise deployments as opposed to an integrated mobile technology, simply due to massive infrastructure deployment costs.

Wireless technology is appealing to users, businesses, and service providers alike. I think we'll see only growth in this marketplace for the foreseeable future.

As wireless becomes even more widespread, wouldn't the risks increase? What should an organization do to protect itself, especially the mobile workers with laptops and handheld PDAs?

A big part of the problem with wireless security is the lack of qualified professionals who have a strong understanding of the technology and threats behind wireless technology. Moreover, the really valuable engineers are those who understand the wireless threats and problems of today and apply them to future wireless technology as well. This is something I strive to show my students with my wireless security course; the skills they learn are not only applicable to the technology and examples of today but also to technology they will undoubtedly uncover in the future.

For enterprise deployments, organizations must take advantage of WPA2 technology for strong encryption and authentication with regular (or real-time) auditing of their wireless networks. We are missing strong solutions for assessing wireless driver vulnerabilities, although I hope to get the ball rolling with a Windows assessment tool my employer allows me to distribute for free (

Mobile users should have their workstations configured with extra security precautions, such as wireless-aware personal firewalls or host-based intrusion prevention software. Leveraging authenticated data tunneling points, such as VPN, is also helpful to mitigate attacks originating from a local attacker.

Thanks a bunch, Josh. Where can I go to learn more? Obviously your website, is a source of information, what else?

I am starting a series in the SecurityLab and, of course, we go into a lot more detail in my class, Assessing and Securing Wireless Networks. As you see, the course number, 617, is a 600 series which means the material is pretty advanced. SANS OnDemand has an Assessments Only option you can add to the course to make sure you are mastering the material. This can be really valuable if you are considering the GIAC Wireless Certification.