Archive for the ‘Wireless Security’ Category

Super Tuesday Poll – 802.1X authentication

This was a question that I asked the audience during my presentation at today’s Information Systems Security Association (ISSA) meeting in Phoenix:



And the winner is…

Andrew vonNagy!

If you haven’t been following along, I ran a contest over the past week for the best wireless pen testing tip or trick.

As promised, I will be pre-ordering a copy of “Wireless Hacking Exposed” for Andrew.

Here was Andrew’s submission for the contest:

To PenTest WPA2 secured wireless networks, setup a honeypot AP and a Free-RADIUS WPE (wifi pwnage edition by Josh Wright) to harvest EAP/MS-CHAP credential hashes from improperly secured client devices which are not validating the RADIUS server. Then use John the Ripper or similar password cracking tool to crack the user password using a dictionary attack.

If you want more of Andrew’s wisdom, you can also check out his blog, “Revolution Wi-Fi” – It has some quality content.
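Andrew’s tip works only against clients that do not validate the RADIUS server’s certificate. The check below is an added example, not code from this blog or from any of the people it quotes: it parses a wpa_supplicant-style configuration and flags every WPA-EAP network that lacks a `ca_cert` (wpa_supplicant documents that without one the server certificate is not verified) or lacks any server-name match (`domain_suffix_match`, `domain_match`, `altsubject_match` or `subject_match`). The configuration text, SSIDs and file paths are constructed for the example.

```python
import re

# Constructed sample wpa_supplicant.conf: one WPA2-Enterprise network that
# trusts any RADIUS server, one hardened network, and one plain PSK network.
SAMPLE_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-wifi-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
}
"""

NETWORK_RE = re.compile(r"network=\{(.*?)\}", re.S)

# wpa_supplicant options that pin which server certificate is acceptable.
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match",
                    "altsubject_match", "subject_match")


def parse_networks(conf):
    """Return one dict per network={...} block (key -> value, quotes stripped)."""
    nets = []
    for body in NETWORK_RE.findall(conf):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip().strip('"')
        nets.append(entry)
    return nets


def audit_network(net):
    """Return findings for one network block; an empty list means it passes."""
    findings = []
    key_mgmt = net.get("key_mgmt", "").split()
    if not any(k.startswith("WPA-EAP") for k in key_mgmt):
        return findings  # PSK and open networks never talk to a RADIUS server
    if not net.get("ca_cert"):
        findings.append("no ca_cert: server certificate is not verified at all")
    if not any(net.get(k) for k in SERVER_NAME_KEYS):
        findings.append("no server name match: any certificate from the "
                        "trusted CA is accepted")
    return findings


def audit_conf(conf):
    """Map ssid -> findings for every network in a wpa_supplicant config."""
    return {net.get("ssid", "?"): audit_network(net)
            for net in parse_networks(conf)}


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{ssid}: {status}")
```

Run it against a real configuration by replacing `SAMPLE_CONF` with the file contents; only networks that carry both a CA file and a name match come back clean, which is the combination that makes a honeypot AP with its own RADIUS server fail at the certificate step instead of receiving a credential hash.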


Just a Reminder….

I am giving away a FREE copy of “Wireless Hacking Exposed”.  All you have to do is submit a comment to the post about the book stating your favorite wireless pen testing tip or trick.  Technical or non-technical.

I am going to choose the best comment at the close of business tomorrow (July 1st).  There are only two submissions right now, so if you enter with less than 24 hours left, I’d say that you have a decent chance of winning.  🙂

Here are even a few ideas to get you started:

  • What’s your favorite wireless card for pen testing?  Why?
  • What’s the best application / piece of software for wireless pen testing?  Why?
  • What’s a common myth about wireless security that you can dispel through pen testing?
  • Tell me about your favorite pen testing experience.  (Mine is below….)

Personally, my favorite part of wireless pen testing is social engineering.  For example, one time I was assigned to do a security assessment for an oil & gas company.  I targeted the IT department of the company, figuring the report would hit home if it contained *their* passwords, sensitive data, etc.

The IT department of this company was on the 5th and 6th floors of a multistory building.  Part of the social engineering I utilized was implemented when I checked into my hotel for the project.  You see, the hotel I checked into was in a building adjacent to my customer / target.  When I checked in, I specifically requested a room on the side of the building closest to “ABC Company”, that had a balcony, and was on either the 5th or 6th floor.  Do you think the hotel clerk hesitated one second before they fulfilled my request?  Of course not.

On top of that, when I checked into my room, I set up 2 different computers, each with multiple wireless cards, spectrum analyzers, and external antennas connected to them.  Even to the point where I had a tripod-mounted -13.5 dB Yagi antenna with a laser pointer on the balcony pointed at my customer / target company.  The maids came in and out of my room, and if anyone ever said anything, it certainly wasn’t filtered back to me.

Could I still have done the pen test without this?  Yes.  But did having this location make it more convenient to collect packets, circumvent authentication & encryption, redirect/attack wireless clients, etc.?  Of course it did.

FREE Copy of “Wireless Hacking Exposed”

There has been a thread going on the WiFiSec mailing list at SecurityFocus the past couple days about Wi-Fi testing on a Mac.

My friend and colleague, Joshua Wright weighed in with his tremendous expertise with the following post:

Johnny Cache, Vinnie Liu and I are just putting the finishing touches on Hacking Exposed Wireless, 2nd Edition. It’s available for pre-order on Amazon, and should be shipping in the middle of July ( In this fully-revised book we present step-by-step help for implementing multiple attacks against 802.11, Bluetooth, ZigBee and DECT, with countermeasures for each attack.

Pertinent to this discussion is Johnny’s chapter “Bridging the Airgap on OS X” where he illustrated an example of compromising a remote OS X box and leveraging it to attack local wireless networks. In this discussion he talks about the OS X “airport” utility.

The airport utility is located at

In 10.6 systems, you can use this tool to initiate a monitor-mode packet capture saving to a libpcap file, as well as active scanning and other interesting functions. During a packet capture with the airport utility, the Airport icon on the task bar will turn into what we decided is the “Eye of Sauron”.

While Windows Vista and 7 have native monitor-mode support in drivers, there are no native tools, forcing us to rely on the NetMon package. Fortunately with OS X, we have the native airport utility.

Some of Johnny’s scripts and tools from this chapter have been put online at I’ll continue to post materials there this week, as well as the free online chapters providing in-depth analysis of 802.11, Bluetooth (including attacks against Simple, Secure Pairing) and RF fundamentals.


I can tell you from taking Josh’s Wireless Ethical Hacking, Penetration Testing, and Defenses course through the SANS Institute, that he *definitely* knows his stuff, and therefore, this book is a must read.

I think this book is such a must read, that I am giving away a copy for FREE.  Leave a comment with your best Wi-Fi Pentesting Tip. I’ll choose the best one a week from today (July 1st) and I’ll pre-order this book on your behalf.

2010 GAWN Job Task Analysis Survey‏

WiFiJedi: The note below was emailed to me today.  This is a great vendor-neutral certification.  I filled out the survey.  If you think you fit the requirements, take a few minutes to fill out the survey yourself!

The GIAC Wireless Penetration Testing and Ethical Hacking (GAWN) JTA committee has recommended an updated set of certification objectives, and we are conducting a formal Job Task Analysis. We are seeking Wireless Security subject matter experts to vote on proposed changes and rate the relevance of each certification objective. If you have wireless security background and experience, especially if the experience involves penetration testing, your input will be valuable in shaping this certification. Please note that if your background does not include experience with wireless security, we are unable to use your input for the survey at this time. Your name may be listed in the validation report if this certification is submitted for ANSI accreditation. This survey will take an estimated 15 minutes of your time and can be accessed at the link below. The survey will be available through 12:01 AM on 7/1.

Thank You.

Chris Carboni

GIAC Technical Director


Xirrus Introduces Advanced RF Security Manager (RSM) for 802.11n Networks

Intelligent Security at the Network Edge Minimizes Risk in Wi-Fi Networks

Thousand Oaks, CA – Xirrus, Inc., the only Wi-Fi “Power-Play” in the industry, announced today its advanced RF Security Manager (RSM) for improving security and minimizing the risk in deploying 802.11n wireless networks. Leveraging an integrated 24/7 threat sensor and hardware-based encryption/decryption in each Array, RSM secures the Wi-Fi network from multiple types of threats. The result delivers uncompromised overall network security with greater flexibility and performance compared to traditional centralized Wi-Fi networks.

Today’s Wi-Fi networks face a number of potential security threats in the form of rogue access points, ad-hoc clients, unauthorized clients, wireless-based attacks, eavesdropping, etc. As 802.11n continues its increased adoption in enterprise networks, the importance of defending against these threats is becoming more critical.

The Xirrus Wi-Fi Array enables the efficient deployment of high performance, maximum security 802.11n networks with a multi-radio design that integrates a dedicated 24/7 threat sensor. With this threat sensor radio scanning all channels in the 2.4GHz and 5GHz spectrums, RSM searches for security threats and automatically mitigates them. Traditional Wi-Fi solutions must time-slice a user servicing radio with the security scan function, compromising the performance of the wireless users and the effectiveness of the security scan.

High performance encryption/decryption in the enterprise Wi-Fi network is a MUST. The Wi-Fi network needs to support each client using the highest level of encryption (WPA2 Enterprise/128 bit AES) and without degrading the overall performance of the network. The Xirrus Wi-Fi Array incorporates hardware-based encryption/decryption into each Array, delivering line-rate encryption at the edge of the network instead of at a choke point within the centralized controller of traditional Wi-Fi solutions.

“RSM provides a simple, scalable security solution that enables any organization to proactively mitigate wireless threats, enforce enterprise policies, and prevent performance problems. It offers the visibility and control over the wireless airspace needed to enable an enterprise to reliably deliver the same standards of security performance and compliance for their wireless networks that they expect from their wired networks,” said Dirk Gates, founder and CEO of Xirrus.

The RSM (RF Security Manager) package includes:

  • Wireless IDS/IPS
  • Wireless stateful firewall
  • Line-rate encryption/decryption
  • Security alerts and logging
  • User group policies
  • Authenticated guest access gateway
  • NAC integration
  • PCI audit compliance enforcement

RSM is part of a family of functionality packages for the Xirrus Wi-Fi Array, which also includes the RF Performance Manager (RPM) and RF Analysis Manager (RAM). RSM is available now in the Xirrus ArrayOS 4.0.6 software release.

Sign up for your free site survey by visiting us at or by calling 800-947-7871.

Personal Pre-Shared Keys (PPSKs) – Super Tuesday Poll


Are you legally liable for running an open wireless network?

Earlier this week, I read an interesting blog post discussing the legal aspects of whether you should secure your home wireless network or leave it unencrypted.  The post was actually written by a good friend of mine, Aamir Lakhani, who blogs at and micro-blogs on Twitter @Assassin711.

I wrote a blog post about it over at Computerworld, including my opinion on running open wireless networks.

Read it.  Digg it.  Comment on it.

Or comment on it here… What do YOU think? Should people secure their home wireless networks? Why or why not?  Should people be concerned about their data?

Personal PSKs (Wi-Fi Masterminds)

This is the second in a series of posts that I am dubbing “Wi-Fi Masterminds” (TM). I will ask questions to a series of panelists and they will answer in round-robin fashion, where they can answer the question as well as respond to others.

If you have ever seen the show “Around the Horn” on ESPN, that is the type of interaction I am looking for.

I am planning on a pool of 6-8 masterminds, but will limit each question to a panel of three members. I will try to minimize my own involvement in the questions to only provide structure where needed or correct any factual errors.

Here are today’s panelists: 

Keith Parsons, CWNE #3, @keithparsons: A gifted presenter, Keith is known for his wit and broad technical expertise. He holds over 50 technical certifications and has earned an MBA from the Marriott School of Management. He is author (or editor) of a dozen technical publications and has developed seven technical certification programs. He travels throughout North America, Europe, Africa, Asia and Australia on behalf of a wide variety of IT vendors, explaining networking technology to industry professionals.

Bruce Hubbert: Bruce is a veteran of the security industry since 1993, and currently functions as the Principal Systems Engineer for AirMagnet. Bruce is the primary pre-sales technical expert for this market-leading and award-winning wireless analysis and WLAN security systems manufacturer. Bruce has represented AirMagnet to the media and has been featured in the Washington Post, New York Times, Wireless Week, The IEEE, EE Times, Information Week, Techworld Japan (in English Here) and on television on the History Channel’s “Tactical to Practical” and ABC News “Business Now”. You can read Bruce’s wireless blog, “Freakquency”, at

Ken Hall, CWSP, RFID+: As a Senior Technology Solutions Consultant with over 20 years in IT, Ken has designed and/or deployed approximately 100 wireless networks, including the design and initial deployment of the Air Force’s 2nd Generation Wireless LAN. His background includes security, routing, and switching with a smattering of everything else in between. Ken enjoys consulting due to the constant change in architectures and the possibility of helping customers resolve complex networking issues.

Today, the panelists are tackling questions related to the use of Personal Pre-shared Keys (PPSK): 

Several WLAN companies have recently developed alternatives to 802.1X networks that include a per-user pre-shared key (PSK).  What role do you see this technology playing in the enterprise?  What are its advantages? What are the disadvantages? 

Keith:  Traditionally, we have had in the WiFi industry three common ways to access a WiFi network.

1 – Open Authentication

  • Great for Hotspots
  • Easy to setup and use
  • Hand-held devices and VoIP handsets easy to configure
  • All traffic sent in the clear
  • No control or QoS
  • No-cost

2 – Pre-Shared Key (SoHo)

  • Single authentication key for SSID
  • Everyone shares the same key
  • Encryption keys are based from this key
  • Traffic sent encrypted
  • Easy to implement
  • No-cost

3 – 802.1X or 802.11i with a Radius Server

  • Authenticates Users with a variety of methods
  • Each user gets unique encryption keys
  • Hard to setup and configure
  • May be more costly depending…

But now a couple of vendors are entering the fray with an additional access method. One that has the ease of use of Pre-Shared Keys, but with the per-individual ability of 802.1X!

These PPSK systems offer an alternative to an 802.1X implementation. Guests can be given unique credentials that can be easily revoked, or based on time duration. This makes the management of WiFi encryption much, much easier. Client devices also can be more easily configured and can roam quicker using the PSK method.

Depending on the size and security policies of your enterprise, this might be a great new service to speed and maintain security for your now-open WiFi network. I look forward to more vendors opting for this easy, simple solution.

Bruce:  I remember a while back that T-Mobile allowed its subscribers to utilize 802.1x with EAP-TTLS and PAP via their hotspots ( and I used that method all the time. It was fast and secure. I wish more Hotspot providers would do that. It just used your standard login as a T-Mobile subscriber.

There is also the company DeviceScape, who has a method to pre-authenticate you to a hotspot without the nasty splash page, which is handy. Neither of these systems, however, can assist you if you are rolling out to an Enterprise or SOHO. There you are stuck with 802.1x and WPA/WPA2-PSK.

I am not a big fan of proprietary systems and I think most IT administrators agree. It can lead one down a long road to a possible dead end with a large amount of time and effort wasted. If you are Ruckus or Aerohive or Aruba and your system is a good one, then why not pony it up to the IEEE for consideration. I really do like the idea of per-user PSKs, however, so I am hoping that these vendors do the right thing and present it as a new task group. Pre-Shared Keys, especially ones with a real world association (think “a real English word or phrase”) have serious issues. With only one key used to authenticate, the hacker need only crack it to get in. Per-user PSKs would theoretically allow you a much higher degree of control as you might be able to limit access to subnets on a per-user basis.

I was at ShmooCon in Washington DC in 2006 when RenderMan released the Church of WiFi Rainbow Tables ( which made it quick and trivial to crack pre-shared keys for both WPA and WPA2. The solution? On his website, RenderMan puts it this way:

“The fact that we found a way to speed up WPA-PSK cracking does not mean that it is broken. Far from it. The exploit used by coWPAtty and other similar tools is one of dumb passphrases. The minimum number of characters for a WPA-PSK passphrase is 8. The maximum is 63. Very few users actually use more than about 20 characters. As well, they also choose known words and phrases, likely to be in a dictionary. This allows us to leverage a human element in obtaining the key.

To get decent protection from WPA-PSK, you should use a very long, very random, alphanumeric string longer than 20 characters. To protect yourself further, particularly against the WPA-PSK hashtables, you should use a SSID not on the top 1000 list. This will force the attacker to compute their own list, rather than use one of the CoWF tables.

All that said; you should be using WPA2 with a radius server to get more reliable protection.”

I think time will tell, through testing, debate and consensus building which method is best but I am resisting any method not adopted by the industry as a whole.

Ken:  Maybe I’m old-fashioned, but I typically keep my employee access limited to PEAPv0 (EAP-MSCHAPv2) and guest access to open authentication/no encryption or a captive portal/walled garden. While a per-user PSK may be beneficial in some solutions, I believe it will prove to be a niche market. Most organizations want to decrease the amount of management required to implement a solution. With a typical, centrally-managed, overlay WLAN solution, once it’s initially configured, it doesn’t tend to need a great deal of extra management. All of the wireless users are already managed through other resources (i.e. AD, LDAP, etc.); and guest users are severely policy restricted and quite possibly on a physically separate network, so the typical recommendation would be for them to use a layer 3 method (i.e. VPN, etc.) for their encryption. The per-user PSK will increase the amount of “touch” required to manage those unique users/devices, but at the same time will provide a more secure, previously unavailable authentication/encryption mechanism. So, yes, I believe it is a feasible technology and there is certainly a case for it…but, I also believe that it will see more application-specific deployment than widespread adoption and use.

What do YOU think?  Are Personal PSKs a legitimate form of WLAN security or just marketing fluff?  Let our panelist know what you believe by submitting a comment! 
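Two points in the discussion above come down to one piece of arithmetic: Keith’s observation that under WPA-PSK everyone shares a single key from which the encryption keys are derived, and RenderMan’s advice that a long random passphrase and an uncommon SSID defeat precomputed tables. Both follow from how 802.11i turns a passphrase into the Pairwise Master Key: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output. The code below is an added example, not from this blog or any panelist; the `COMMON_SSIDS` list, the user names and passphrases are constructed stand-ins, not the Church of WiFi list, and the only non-constructed value is the IEEE 802.11i test vector (“password” / “IEEE”) used to confirm the derivation.

```python
import hashlib
import math
import string

# Constructed stand-in for a "top SSIDs" list; the real CoWF table list is far longer.
COMMON_SSIDS = {"linksys", "default", "NETGEAR", "dlink", "Wireless"}

MIN_RECOMMENDED_LEN = 21   # RenderMan: "longer than 20 characters"
MIN_ESTIMATED_BITS = 80    # policy threshold chosen for this example


def wpa_psk_pmk(passphrase, ssid):
    """PMK of a WPA/WPA2-Personal network as a hex string.
    IEEE 802.11i: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32).hex()


def table_reusable(ssid_a, ssid_b, passphrase):
    """True only if a PMK precomputed against ssid_a is also valid for ssid_b.
    Because the SSID is the salt, this holds only when the SSIDs are identical,
    which is why precomputed tables must be built per SSID."""
    return wpa_psk_pmk(passphrase, ssid_a) == wpa_psk_pmk(passphrase, ssid_b)


def passphrase_strength_bits(passphrase):
    """Rough entropy estimate: each character assumed uniform over the union of
    the character classes present. A policy check, not a dictionary check."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    pool = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0


def passphrase_findings(passphrase, ssid):
    """Apply the quoted advice: long passphrase, uncommon SSID, enough entropy."""
    findings = []
    if len(passphrase) < MIN_RECOMMENDED_LEN:
        findings.append(f"passphrase is {len(passphrase)} chars; use more than 20")
    if ssid in COMMON_SSIDS:
        findings.append(f"SSID {ssid!r} is on the common list; tables may exist for it")
    bits = passphrase_strength_bits(passphrase)
    if bits < MIN_ESTIMATED_BITS:
        findings.append(f"estimated {bits:.0f} bits of entropy is below {MIN_ESTIMATED_BITS}")
    return findings


def per_user_pmks(ssid, user_passphrases):
    """Per-user PSK model: same SSID, one passphrase per user, hence one PMK per
    user. With a shared PSK every station would derive the same single PMK."""
    return {user: wpa_psk_pmk(pw, ssid) for user, pw in user_passphrases.items()}


if __name__ == "__main__":
    print("802.11i test vector:", wpa_psk_pmk("password", "IEEE"))
    print("table reusable across IEEE/ieee:", table_reusable("IEEE", "ieee", "password"))
    for pw, ssid in (("password", "linksys"), ("Qv9tLm3xRz8kWn2pHd5jBc7f", "x7-private")):
        print(f"{pw!r} on {ssid!r}:", passphrase_findings(pw, ssid) or "OK")
    users = {"alice": "Alice-only-passphrase-2024", "bob": "Bob-only-passphrase-2024"}
    for user, pmk in per_user_pmks("corp", users).items():
        print(f"{user}: {pmk[:16]}...")
```

The 4096-iteration PBKDF2 is what makes each guess cost something; the SSID salt is what makes RenderMan’s tables SSID-specific; and the per-user loop shows the property Keith describes, distinct encryption roots per user without a RADIUS server. None of this helps a short dictionary passphrase, which is why the quoted advice ends with “use WPA2 with a radius server”.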


Wireless Security – Super Tuesday Poll
