
The "Rig"

By now, your penetration testing kit should be properly assembled and tested on your lab WLAN, so that the unpleasant surprises Murphy's Law guarantees (unresolved symbols when inserting the modules, card services version incompatibility, unreliable pigtails, etc.) happen in the lab rather than in the field.

If you are serious about your business, your kit is likely to include the following components:

  1. A laptop with two PCMCIA card slots and Linux, BSD, or both properly configured and running.

  2. Several PCMCIA client cards with external antenna connectors and different chipsets:

    • Cisco Aironet for efficient wireless traffic discovery and easy-to-perform multichannel traffic logging and analysis

    • Prism for WEP cracking, including traffic injection to accelerate cracking; DoS via FakeAP, Wnet, or AirJack; Layer 1 man-in-the-middle attacks with HostAP and a second Prism chipset card (!); Layer 2 man-in-the-middle attacks with AirJack and a Hermes chipset card; or Layer 2 man-in-the-middle attacks using Wnet, HostAP mode, and a second Prism chipset card on the OpenBSD platform

    • Hermes/Orinoco for WEP cracking (without traffic injection to accelerate cracking) and for Layer 2 man-in-the-middle attacks using AirJack together with a Prism chipset card

    • Atheros chipset card for 802.11a security auditing

  3. At least two external antennas (an omnidirectional and high-gain directional) with all appropriate connectors and possibly a mounting tripod.

  4. The wireless security tools of your choice, installed and ready. You must be able to perform the following:

    • Network discovery and traffic logging in the RFMON mode

    • Wireless traffic decoding and analysis

    • WEP cracking and 802.1x brute-forcing (where applicable)

    • Custom Layer 2 frame generation and traffic injection

    • Setting at least one of your cards to act as a rogue access point

  5. Non-wireless-specific attack tools, installed and ready. We cover this aspect in Chapter 9.

Optional toolkit components might include the following:

  • A GPS receiver plugged into your laptop's serial port

  • A PDA loaded with Kismet or Wellenreiter and some signal strength monitoring utility

  • More antennas, including semidirectionals

  • Spare batteries

  • Amplifier(s)

  • A rogue wireless backchannel device if you plan to test wireless and physical security. The best example of such a device is a preconfigured small 802.11 USB client that can be quickly and covertly planted on the back of one of the company servers or workstations.

  • Maps of the area (electronic or paper)

  • Binoculars (to spot antennas on roofs, etc.)

  • Transportation means (feet, car, bike, boat, plane, zeppelin, or hot air balloon)

Before doing anything, test that you can capture and decode traffic, crack WEP, and transmit frames (and sniff them out again to confirm they went on the air) under the conditions of your testing lab network. Pay special attention to the antenna connectors and their resilience to the equipment being moved around. When you are sure that everything works as intended, and will keep working as intended in the field, you can proceed to the next phase. This phase does not involve driving, walking, sailing, or flying around the tested site with protruding antennas. It involves thinking and "Googling."
