Proper Attack Timing and Battery Power Preservation
Dec 25, 2006 00:00
by
admin
Another very important part of planning a wireless penetration
test is timing. First, an appropriate time window should be agreed with the
client company or organization so that disruptive testing (e.g., DoS attack
resilience tests) does not interfere with client business operations. However,
some forms of wireless security testing, including site surveying and WEP
cracking, must be done at the peak of WLAN usage. Estimate when users are most
likely to log in to the target network and when it carries the most traffic.
This helps not only with WEP cracking (remember, the more traffic the better:
every captured frame carries another IV for the key-recovery attack to work
on), but also with post-decryption attacks, which involve collecting user
credentials and passwords. Such attacks are very important to demonstrate to
management both the severe consequences of a wireless security breach and the
necessity of using secure protocols on the WLAN, treating it the way an
untrusted WAN link across a public or shared network is treated.
An issue closely related to timing is estimating and managing battery
power. How much time do you need to perform what you have planned? Will you
have enough battery power to accomplish it? WEP cracking is often a
time-consuming process, and when traffic injection is used to accelerate it
and save time, additional battery power is spent transmitting the injected
packets. Thus, in terms of real-world cracking, traffic injection can be a
double-edged sword unless the cracker has a decent additional power source
(e.g., a car battery). As a penetration tester you would usually be able to
plug your laptop into the client's mains supply, but that should not be taken
for granted. The ultimate penetration test is doing what the crackers do, and
no one would (or at least should) let a cracker plug his or her laptop into a
company power socket (although a cracker might use a socket in a pub or
restaurant across the street).
Let's take a look at ways of preserving battery power in field
conditions. There are a couple of simple measures you can take to save your
laptop's power. Kill all services you do not need when mapping the network (and
you do not actually need them; we leave only syslog running). Do not run the X
Window System; running a GUI lays batteries to waste! In fact, close the laptop
lid so that the screen is powered down. If you can, decrease the transmission
power of your wireless card to the minimum (possible with Cisco Aironet and
some other PCMCIA cards). We have found that if the laptop batteries normally
last for slightly less than two hours while wardriving or walking, then with
everything just outlined done they survive for possibly two-and-a-half hours
(with Kismet and tcpdump running in the background). Consider dumping all the
data to RAM and setting the hard disk to spin down after a short period of
inactivity. Most modern laptops have a decent amount of memory that should
satisfy your packet dumping needs. Just don't forget that RAM is volatile
storage, so leave enough battery power to sync the data back to the hard disk
when done or shortly before the battery dies. Stick to the command line and you
will save time and power and improve your typing skills. In addition, you can
optimize your efficiency by writing the necessary shell scripts beforehand, or
by compiling lists of commands for quick cutting and pasting in which only a
few variables, such as IPs, MAC addresses, or DSSS channels, need to be
replaced. As previously mentioned, avoid active scanning unless absolutely
necessary (e.g., to test the IDS or produce IDS signatures): every probe
request transmitted costs power and can be logged by a wireless IDS, whereas
passive monitoring does neither. The arguments presented here provide
additional reasons supporting the preference for UNIX-like systems in wireless
security auditing.
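The measures above can be prepared in advance as a small shell script, so that in the field nothing has to be typed beyond the channel and output name. The script below is an added example, not code from the original text; the interface name (wlan0), the battery sysfs path, the disk device, the service names, the tmpfs size and the transmit power level are all assumptions to adjust for the laptop in use. The privileged setup only runs when the script is started as root with RUN_FIELD_SETUP=1; the helper functions can be sourced and used on their own.

```shell
#!/bin/sh
# Field power-saving helper for a Linux audit laptop.
# Added example, not from the original article. Everything below that names
# hardware or services is an assumption for this illustration: the interface
# (wlan0), the battery sysfs file, the disk (/dev/sda), the tmpfs mount point,
# the txpower level and the list of services to stop. Adjust for your box.
# The helpers run unconditionally; the privileged setup only runs when the
# script is started with RUN_FIELD_SETUP=1 as root.

IFACE="${IFACE:-wlan0}"                        # assumed interface name
CAPTURE_DIR="${CAPTURE_DIR:-/mnt/ram}"         # RAM-backed dump directory
SYNC_DIR="${SYNC_DIR:-/root/captures}"         # on-disk destination for sync-back
BATTERY="${BATTERY:-/sys/class/power_supply/BAT0/capacity}"
SYNC_AT_PCT="${SYNC_AT_PCT:-15}"               # write RAM dumps out at or below this
TXPOWER="${TXPOWER:-5}"                        # dBm; the minimum depends on the card
RAM_SIZE="${RAM_SIZE:-256m}"                   # tmpfs size: leave room for the OS
DISK="${DISK:-/dev/sda}"                       # assumed disk to spin down

# Read the battery percentage from a sysfs-style capacity file (0-100).
# With no readable battery file we are on AC or unknown: report 100 so the
# watchdog never forces a premature sync.
battery_pct() {
    f="${1:-$BATTERY}"
    if [ -r "$f" ]; then
        tr -dc '0-9' < "$f"
    else
        echo 100
    fi
}

# should_sync PCT THRESHOLD -> prints 1 when the RAM captures must be written
# out now, 0 otherwise. tmpfs is volatile: the threshold has to leave enough
# charge for the copy to finish before the battery dies.
should_sync() {
    if [ "$1" -le "$2" ]; then echo 1; else echo 0; fi
}

# Pre-built command line for one channel: capture_cmd CHANNEL OUTFILE.
# In the field only the channel and the output name change (cut, paste, run).
capture_cmd() {
    printf 'iwconfig %s channel %s && tcpdump -i %s -w %s/%s\n' \
        "$IFACE" "$1" "$IFACE" "$CAPTURE_DIR" "$2"
}

# Copy the RAM captures to disk and flush, so the data survives a dead battery.
sync_captures() {
    mkdir -p "$SYNC_DIR" && cp -p "$CAPTURE_DIR"/* "$SYNC_DIR"/ && sync
}

# One-shot setup of the measures the text lists (run as root).
field_setup() {
    for svc in cups cron atd bluetooth; do     # assumed service names; keep syslog
        service "$svc" stop 2>/dev/null || true
    done
    iwconfig "$IFACE" txpower "$TXPOWER" 2>/dev/null \
        || echo "txpower not adjustable on $IFACE" >&2
    mkdir -p "$CAPTURE_DIR" && mount -t tmpfs -o size="$RAM_SIZE" tmpfs "$CAPTURE_DIR"
    hdparm -S 12 "$DISK"                       # spin down after 12 x 5 s = 60 s idle
    setterm -blank 1 2>/dev/null || true       # blank the console; no X running
}

# Poll the battery once a minute; write the dumps out at the threshold and stop.
battery_watch() {
    while :; do
        if [ "$(should_sync "$(battery_pct)" "$SYNC_AT_PCT")" = 1 ]; then
            sync_captures
            return 0
        fi
        sleep 60
    done
}

if [ "${RUN_FIELD_SETUP:-0}" = 1 ]; then
    field_setup
    battery_watch &
fi
```

Run it once as `RUN_FIELD_SETUP=1 sh fieldprep.sh` before leaving the car or the pub, then paste the output of `capture_cmd 6 ch6.cap` (and so on per channel) into the console. The watchdog copies the tmpfs directory to disk as soon as the battery reaches the threshold, so the captures are not lost if the laptop dies in a bag; set SYNC_AT_PCT higher if the copy is large or the disk is slow to spin up.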