Proper Attack Timing and Battery Power Preservation


Another very important part of planning a wireless penetration test is timing. First of all, an appropriate time should be established with the client company or organization so that disruptive testing (e.g., DoS attack resilience tests) does not interfere with client business operations. However, some forms of wireless security testing, including site surveying and WEP cracking, must be done at the peak of WLAN usage. Estimate when users are most likely to log in to the target network and when it is used the most. This will help not only in WEP cracking (remember, the more traffic the better), but also in post-decryption attacks, which involve user credentials and password collection. Such attacks are very important to demonstrate to management both the severe consequences of a wireless security breach and the necessity of using secure protocols on a WLAN in a manner similar to protecting an insecure WAN connection through a public or shared network.

An issue closely related to timing is battery power management and estimation. How much time do you need to perform what you've planned to do? Would you have enough battery power to accomplish it? WEP cracking is often a time-consuming process, and when traffic injection is used to accelerate WEP cracking and save time, additional battery power is spent transmitting the injected packets. Thus, in terms of real-world cracking, traffic injection can be a double-edged sword unless the cracker has a decent additional power source (e.g., car battery). As a penetration tester you would usually be able to plug your laptop into the corporate grid, but that might not always be the case. An ultimate penetration test is doing what the crackers do, and no one would (or at least should) let a cracker plug his or her laptop into the company power socket (although a cracker might use a socket in a pub or restaurant across the street).

Let's take a look at ways of preserving battery power in field conditions. There are a couple of simple measures you can take to save your laptop's power. Kill all services you do not need when mapping the network (and you do not actually need them; we only leave syslog running). Do not run X Windows; running GUIs lays batteries to waste! In fact, close the laptop so that the screen is powered down. If you can, decrease the transmission power of your wireless card to the minimum (possible with Cisco Aironet and some other PCMCIA cards). We have found that if the laptop batteries normally last for slightly less than two hours while wardriving or walking, then when everything just outlined is done, the batteries survive for possibly two-and-a-half hours (with Kismet and tcpdump running in the background).

Consider dumping all the data to RAM and setting the hard disk to turn off after a short period of inactivity. Most modern laptops have a decent amount of memory that should satisfy your packet dumping needs. Just don't forget that it is volatile storage, so leave enough battery power to sync the data back to the hard disk when done or shortly before the battery dies.

Stick to the command line and you will save time and power and improve your typing skills. In addition, you can optimize your efficiency by writing the necessary shell scripts beforehand or compiling lists of commands for quick cutting and pasting, so that you need to replace only a few variables such as IPs, MAC addresses, or DSSS channels. As previously mentioned, avoid active scanning unless absolutely necessary (e.g., to test the IDS or produce IDS signatures). The arguments presented here provide additional reasons supporting the preference for UNIX-like systems in wireless security auditing.
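The advice above about dumping captures to RAM and keeping enough battery to sync them back to disk can be scripted ahead of time. The following is an added example, not code from the original text; it assumes a Linux laptop whose battery exposes the sysfs `energy_now` and `power_now` attributes, and the directory names and the 15-minute reserve are illustrative assumptions.

```shell
#!/bin/sh
# Added example: copy RAM-backed capture files to disk before the battery dies.
# BAT_DIR, RAM_DIR, DISK_DIR and RESERVE_MIN are assumptions for illustration.
BAT_DIR="${BAT_DIR:-/sys/class/power_supply/BAT0}"
RAM_DIR="${RAM_DIR:-/dev/shm/capture}"   # tmpfs directory the sniffers write to
DISK_DIR="${DISK_DIR:-$HOME/capture}"    # persistent destination on the hard disk
RESERVE_MIN="${RESERVE_MIN:-15}"         # minutes of runtime reserved for the flush

# Print the estimated minutes of runtime left. Fails when no estimate is
# possible: attributes missing, or zero draw because the laptop is on mains.
battery_minutes_left() {
    [ -r "$BAT_DIR/energy_now" ] && [ -r "$BAT_DIR/power_now" ] || return 1
    energy=$(cat "$BAT_DIR/energy_now")  # microwatt-hours remaining
    power=$(cat "$BAT_DIR/power_now")    # microwatts currently drawn
    [ "$power" -gt 0 ] 2>/dev/null || return 1
    echo $(( energy * 60 / power ))
}

# Copy every regular file from RAM to disk and force it out of the page cache.
# The RAM copies are left alone because the sniffers may still hold them open.
flush_captures() {
    mkdir -p "$DISK_DIR" || return 1
    for f in "$RAM_DIR"/*; do
        [ -f "$f" ] || continue
        cp -p "$f" "$DISK_DIR/" || return 1
    done
    sync
}

# One watchdog step.
# Returns: 0 flushed, 1 not needed yet, 2 runtime unknown, 3 flush failed.
check_once() {
    left=$(battery_minutes_left) || return 2
    [ "$left" -le "$RESERVE_MIN" ] || return 1
    flush_captures || return 3
}

# Field use: "sh thisscript.sh watch" polls once a minute until it has flushed.
if [ "${1:-}" = "watch" ]; then
    while :; do
        check_once; rc=$?
        [ "$rc" -eq 0 ] && { echo "battery low: captures copied to $DISK_DIR"; break; }
        [ "$rc" -eq 3 ] && echo "flush failed, retrying" >&2
        sleep 60
    done
fi
```

Some batteries report `charge_now` and `current_now` instead of the energy and power attributes; on such hardware the estimate function needs those files substituted.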
