Of course, some networks, such as public hotspots, may have no security mechanisms at all and encourage open connections, but the same network may also carry a private segment. In that case, run tests to verify that client devices connecting to the public side of the network cannot reach any sensitive resources. As part of analyzing the security vulnerabilities of a wireless network, run a TCP port scanner, such as SuperScan or Retina, to find open TCP or UDP ports that may expose security holes. SuperScan runs on a Windows laptop and scans all ports over the wireless network. Most of the time, SuperScan returns information (for example, the IP address) about open port 80 (HTTP) interfaces on access points and printers, but it also finds other ports opened by the installation of various applications.
When running penetration tests, use a port scanner with a test computer, which should be the same as the target client device, connected to the network at various locations, as follows:
- Scan test computer from within the same subnet: This test determines the extent to which a public wireless user can access user devices that are in the same subnet as another user. This scenario is common with public hotspots, where the hacker is connecting to the network from the same area as a targeted user (for example, from the same coffee shop). With the port scanner connected to the same subnet as the test computer, initiate a scan of all applicable TCP/UDP ports of the IP address of the test computer.
- Scan test computer from a different subnet: This test determines the extent to which a public wireless user can access user devices that are in a different subnet. This scenario is common with public hotspots, where the hacker is connecting to the network from a different area than a targeted user (for example, from different parts of an airport). With the port scanner connected to a different subnet than the test computer, initiate a scan of all applicable TCP/UDP ports of the IP address of the test computer.
- Scan test computer located on a private subnet from a public subnet: This test determines the extent to which a public wireless user located on a public subnet can access devices that are on a private subnet. This scenario applies where a hacker is trying to compromise the security of users connecting to the protected side of the network. With the port scanner connected to the public subnet and the test computer connected to the private network, initiate a scan of all applicable TCP/UDP ports of the IP address of the test computer.
In addition to scanning a test computer, scan all devices that connect to the network, such as access points, controllers, switches, and application servers. Beyond the wireless components, be certain to include devices that are not part of the wireless network, such as printers. If scanning all ports, you will probably need to limit the number of devices (by IP address) or restrict the scanned ports to a limited set; otherwise, the scans may run for days. Be sure to cover the more frequently exposed ports, such as port 80. Before running the tests, talk to your local network security manager to decide which ports are most important to scan.
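The three vantage-point scans above share one pass/fail rule: the ports reachable on the test computer from a given subnet must match what the segmentation policy allows from that subnet (for the public-to-private case, nothing). The following added example, not from the original article or from SuperScan or Retina, does a plain TCP connect scan of the test computer and flags any open port the policy does not allow; `start_local_listener` is a constructed stand-in for the test computer so the script runs offline against loopback.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def scan_tcp_ports(host, ports, timeout=0.5, workers=32):
    """TCP connect scan: return the sorted subset of ports that accepted a connection."""
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            return port if s.connect_ex((host, port)) == 0 else None
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(p for p in pool.map(probe, ports) if p is not None)


def check_segmentation(host, ports, allowed_open, vantage):
    """Scan the test computer from the current vantage point and compare the
    observed open ports with the set the policy allows from that vantage.
    'unexpected' lists open ports the policy does not permit; 'passed' is
    True only when that list is empty."""
    observed = set(scan_tcp_ports(host, ports))
    unexpected = sorted(observed - set(allowed_open))
    return {
        "vantage": vantage,
        "open": sorted(observed),
        "unexpected": unexpected,
        "passed": not unexpected,
    }


def start_local_listener(host="127.0.0.1"):
    """Constructed stand-in for the test computer: one listening TCP port on
    loopback. Returns (server_socket, port); close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_local_listener()
    probe_ports = [port, port + 1, port + 2]
    # Same-subnet scan: the policy allows the test computer's service port.
    same = check_segmentation("127.0.0.1", probe_ports, [port], "same subnet")
    # Public-to-private scan: the policy allows nothing, so the open port fails.
    public = check_segmentation("127.0.0.1", probe_ports, [], "public subnet")
    for result in (same, public):
        status = "PASS" if result["passed"] else "FAIL"
        print(f"{status} from {result['vantage']}: open={result['open']} "
              f"unexpected={result['unexpected']}")
    srv.close()
```

In a real engagement, replace the loopback listener with the test computer's IP address, run the script once from each subnet, and feed it the port list agreed with the network security manager.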