As wireless network attacks increase, wireless LAN (WLAN) security becomes an exhausting proposition for most enterprises. Users and guests demand easy access, but corporate resources need to be protected from this high-profile attack vector. An enterprise could break the bank trying to maintain compliance and minimize risk -- even as it needs to know it's protected from malicious foes. The good news is that there are lots of excellent,...
well-documented open source (i.e., free) tools available to test and monitor your wireless network. And they don't require a tin-foil hat.
First, identify the system you want to use. This can be a virtual machine image running on your existing laptop or a full-blown "bag of tricks" consisting of hardware dedicated for monitoring and testing purposes. When I first started troubleshooting wireless, I used the former, but soon found limitations from not having a system set aside for this purpose. If you decide to go with a dedicated system, you won't need the most robust hardware, but it helps to have enough extra space for storing captures. In my case, I use a five-year-old laptop for this purpose.
Second, determine the right combination of operating system and Wi-Fi card that you can put in monitor, or RFMON, mode to capture traffic. RFMON is similar to promiscuous mode for Ethernet, except on a wireless network it allows you to grab everything -- including the management frames -- without actually being associated to a service set identifier (SSID) or access point (AP). This is a critical component and if you've ever sniffed on a wireless interface with Wireshark without being in monitor mode, you'll see the obvious difference. Notice that you get WLAN frames "translated" as Ethernet, which means you'll miss some of the important traffic. You also won't be able to perform packet injection, which is necessary for quickly cracking wired equivalent privacy (WEP) or conducting a distributed denial of service (DDoS) such as a de-authentication attack.
Unix-based systems: More wireless security options, more tools
Achieving monitor mode is less painful on a Unix-based operating system mostly because of the number of drivers available for a wide variety of chipsets supported by some of the most popular open source wireless software tools. You can pick your favorite flavor of Linux to use, then compile or add the packages; or, the easier option is to use Backtrack or Kali Linux. Marketed by Offensive Security, these distributions are customized versions of Ubuntu or Debian, containing the most popular and useful security tools for penetration testing and digital forensics.
As for the Wi-Fi adapter, if you're using Linux , save yourself the heartache and get the most popular "go-to" for wireless security pros, an Alfa, based on the RTL8187L Ralink chipset. At first sight, it seems a bit unwieldy, maybe a little old-fashioned with its USB cable attachment, but with a high-gain antenna and the suction cup attachment, war-walking with an Alfa isn't too unpleasant. There are certainly other options out there in more convenient form factors, but at an average price of $25, you can't go wrong. I personally buy them in bulk and give them out as holiday gifts to co-workers. Everyone should own an Alfa. But if you'd like to investigate other choices, the friendly developers at Aircrack-NG have helpfully posted one of the best compatibility lists around.
Another benefit to using an external adapter? It's easier to use with a virtual machine image. This means that I can use it with Kali Linux running on my Macbook Air in a pinch.
Now for the fun part. Most security professionals will say that the best way to test the security of your wireless network is to try to compromise it. This is why pentests are recommended as a best practice in building and maintaining good network security. But please be cautious. As with any tool, if it is used improperly, there's always the chance that your production network can be affected, and not in a good way. There are also privacy issues related to sniffing traffic. Make sure your management is aware of your actions and fully approves. I recommend a testing sandbox when starting out and that doesn't mean your local coffee shop. With an extra Alfa card, which can be run in soft AP mode, you can easily create a test environment at home.
Cracking, analyzing your wireless network infrastructure
Once you start up Backtrack or Kali, you'll find a plethora of wireless security options and applications available and ready to go. Some of them may seem intimidating to use at first, because of the command-line interface, but Kismet and Aircrack-NG are two of the most popular, with lots of documentation available at the project websites.
Aircrack-NG is a suite focused primarily on "cracking" and analyzing WEP and WPA/WPA2PSK-encrypted wireless networks. With the inclusion of tools such as Airbase-ng, it's also possible to simulate attacks against clients, making it quite useful in auditing the security and wireless intrusion detection/penetration (WIDS/WIPS) functionality of any 802.11 network.
Kismet, meanwhile, a packet sniffer and IDS, is completely passive. It captures traffic that can be viewed by most common packet analyzers such as Wireshark or Tcpdump and is helpful in rogue detection. Running on inexpensive or repurposed equipment, Kismet can be one of the best, least-expensive options for installing a WIDS in your enterprise.
Still have questions? You can find numerous instructional videos online at Securitytube.net or Hak5.org, which make these applications accessible for anyone. Security nerds like to share (or show off) what they've learned with the community, and it's a great way for a n00b to develop wireless security knowledge. But if you're still daunted by Linux and navigating a command line, there's a version of Aircrack-NG for Windows that could get you started.
If you're truly adventurous, use an Android tablet or phone running in USB host-mode with a connector that will power an external USB Wi-Fi adapter. I use an old Samsung Galaxy. It works very well and is much more portable than carrying around a laptop.
These are just a few of the tools you can use to improve the security of your wireless network without bankrupting your organization. They're also a great way to improve your knowledge and troubleshooting ability of 802.11 WLAN protocols.