Re: Wireless Pent-Test

From: Michael J. Semaniuk (mike@semaniuk.com)
Date: Mon Oct 06 2003 - 11:09:47 EDT

• Next message: Steve De Doncker: "RE: Wireless Pent-Test"
• Previous message: Maxime Rousseau: "RE: Wireless Pent-Test"
• In reply to: Cesar Diaz: "Wireless Pent-Test"
• Next in thread: goat: "Re: Wireless Pent-Test"
• Reply: goat: "Re: Wireless Pent-Test"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hey Cesar,

Implementing WEP is a good start. However, you need to be concerned about
the clients themselves as well. I would consider the use of a personal
firewall and VPN client in addition to WEP. You could use the personal
firewall to drop anything destined for the client, and you could force all
network traffic to come to the home office via an IPSec tunnel. The
encryption associated with IPSec is infinitely better than WEP, and will
protect your data better in the long run. Just a thought...

-Mike
----- Original Message -----
From: "Cesar Diaz" <cesadiz@yahoo.com>
To: <pen-test@securityfocus.com>
Sent: Saturday, October 04, 2003 9:16 PM
Subject: Wireless Pent-Test

>
>
> Remote users in my company have been begging for permission to use
wireless NICs in their laptops for awhile now. When they are not on the
road, most of them work from home and would like to be able to use their
laptops anywhere in their house.
>
> Due to our industry and business requierements, we have to document every
process and method used to access our data and prove that we've tested the
security of our data.In order to let the users go wireless I have to show
that I've tested the security on a wireless network.
>
> Our idea is to let the users buy wireless routers to connect to their
cable/dsl routers and then wireless PCMCIA or USB cards on the laptop. We
would implement 128 bit WEP security to prevent unauthorized access. I
realize that WEP does not provide for stringent security, but we feel that
by forcing users to change their WEP key regularly we can meet our
requierements.
>
> My question is, how do I test WEP and document wether or not it's secure?
Any way to sniff for WEP keys, or to brute force attack a WEP session? If
there is, how hard is it to set up? How much of a risk of a wireless
connection with WEP enabled to be comprimised other than a dedicated, brute
force attack?
>
> Any information is greatly appreciated.
>
>
> Cesar
>
> --------------------------------------------------------------------------
-
> Tired of constantly searching the web for the latest exploits?
> Tired of using 300 different tools to do one job?
> Get CORE IMPACT and get some rest.
> www.coresecurity.com/promos/sf_ept2
> --------------------------------------------------------------------------

--
>
>
---------------------------------------------------------------------------
Tired of constantly searching the web for the latest exploits?
Tired of using 300 different tools to do one job?
Get CORE IMPACT and get some rest.
www.coresecurity.com/promos/sf_ept2
----------------------------------------------------------------------------

• Next message: Steve De Doncker: "RE: Wireless Pent-Test"
• Previous message: Maxime Rousseau: "RE: Wireless Pent-Test"
• In reply to: Cesar Diaz: "Wireless Pent-Test"
• Next in thread: goat: "Re: Wireless Pent-Test"
• Reply: goat: "Re: Wireless Pent-Test"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:40 EDT