Wireless Security Assessment Report
July 15, 2008
Penetration Test Report
Table of Contents
1.0 Executive Summary 4
2.0 Corporate Profile 5
3.0 Reporting and Assessment Methodology 6
3.1 Assessment Methodology 7
Methodology 7
Tools Used 8
3.2 Reporting Methodology 9
Structure 9
Understanding the Findings 9
4.0 Assessment Scope 11
5.0 Findings and Recommendations 12
5.1 DREAD Scoring Criteria (Key) 13
5.2 DREAD Composite Risk Categories (Key) 14
5.3 Remediation Effort Level (Key) 14
5.4 Findings Matrix 15
5.5 Critical Findings and Vulnerabilities 16
Finding: Open Access Point (ACME) 17
Finding: WEP Encryption in use (ACMENC) 19
6.0 Assessment Details 21
Recon Phase 22
Attack Phase 25
Network Survey Phase 27
7.0 Appendix A: Project Plan 29
8.0 APPENDIX B: Attack Model 30
9.0 APPENDIX C: Range Maps 31
Beverly Hills Headquarters 32
Beverly Hills District Office 34
Beverly Hills Training Facility 35
Customer Information
Company Name: ACME Inc
Contact Name: Michael Bolton
Title: Manager
Telephone:
E-mail: Michael@ACMEINC.com
1.0 EXECUTIVE SUMMARY
On April 30, 2008, Acme, Inc contracted with Rapid7 Professional Services to perform an on‐site wireless assessment. The goal of the assessment was to provide Acme with an independent evaluation of their wireless security posture from an external attacker’s standpoint. This document contains the results of the assessment’s findings.
Rapid7 began the wireless assessment for Acme on June 24, 2008. The main contact was Michael Bolton. Two sites were in scope for the assessment (Beverly Hills Headquarters and Beverly Hills District Office). Another site was added mid-assessment (Beverly Hills Training Facility).
The assessment began with reconnaissance of the Acme network. A wardrive (scan) of the buildings was completed (see range maps in Appendix D) to determine possible targets. Rapid7 noticed a large number of WPA/Radius (strong) encrypted access points and a smaller number of WEP (weak) encrypted access points with the name “ACMENC.” The presence of several open networks was also noted. These findings were later confirmed by Michael.
After completing recon, Rapid7 prioritized targets (see Appendix C: Attack Model), and determined that the open and WEP encrypted access points would be the simplest vector into the network. With targets in place, Rapid7 moved on to the attack phase of the assessment.
The first major finding of the assessment was an open access point, “ACME.” This access point provided full access to the Acme internal network. More details are included in the findings section; the remediation, however, is as simple as disabling the wireless transmitter on the device.
The second major finding of the assessment was (easily broken) WEP encryption in use on an Acme (ACMENC) access point. Despite the fact that all Acme traffic and data passing over the network was encrypted with a 128-bit WEP key, an experienced attacker could likely penetrate the Acme network within an hour, and a less experienced attacker or simply a curious observer could gain access within a day. More details are included in the findings section.
The result of the wireless assessment was total access to the internal network. This access was obtained using open source tools and well-known methods of attack (think: videos on YouTube). Given sufficient time, it is likely an attacker could compromise the entire network and all Acme data.
While connected to the internal network, Rapid7 attempted to authenticate to several machines. These failed authentication attempts were noticed by Acme staff; however, an experienced attacker with sufficient time could easily evade such detection.
In short, the only permanent solution to the weak wireless security is to upgrade all devices to stronger encryption schemes. Ideally, each WAP would be WPA-encrypted with a Radius server for authentication. Other potential (temporary) solutions include segmenting the wireless network from the wired network, or disabling it altogether.
2.0 CORPORATE PROFILE
Founded in 2006, ACME Inc. has production and research facilities across the globe.
3.0 REPORTING AND ASSESSMENT METHODOLOGY
This section of the report details the methodology used by Rapid7 to gather results and to report them. It presents the process, timeline, and tools behind the assessment. Additionally, this section details the report’s structure and workflow.
3.1 Assessment Methodology
The assessment consisted of three major phases: Reconnaissance, Attack (Penetration Testing), and Range Surveying. These are detailed below. See the assessment details section for the walkthrough of each phase.
2 Analysis of available networks – Silently gather information about WAPs and clients using each WAP. Determine if the network is in scope for the assessment.
3 Gather Network and Access Point (AP) Information – Gather and store details for all networks under test. Use packet captures to record traffic passing over the network.
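As an added example (not part of the report or of Rapid7’s tooling), the following Python script performs the in-scope triage described in steps 2 and 3: it reads a wardrive capture in airodump-ng’s CSV layout, keeps only in-scope ESSIDs, flags the open and WEP networks that the report identifies as the simplest vectors, and counts the clients seen on each. The CSV content, BSSIDs and timestamps are constructed for the example.

```python
import csv
import io

# Constructed sample in airodump-ng's CSV layout (AP table, blank line,
# station table). BSSIDs, station MACs and timestamps are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2008-06-24 09:01:00, 2008-06-24 09:20:00, 6, 54, OPN, , , -40, 120, 0, 0.0.0.0, 4, ACME, 
00:11:22:33:44:02, 2008-06-24 09:01:00, 2008-06-24 09:20:00, 11, 54, WEP, WEP, , -55, 200, 8421, 0.0.0.0, 6, ACMENC, 
00:11:22:33:44:03, 2008-06-24 09:01:00, 2008-06-24 09:20:00, 1, 54, WPA2, CCMP, MGT, -60, 310, 0, 0.0.0.0, 9, bhnetwork, 
00:11:22:33:44:04, 2008-06-24 09:02:00, 2008-06-24 09:19:00, 6, 54, OPN, , , -70, 90, 0, 0.0.0.0, 0, , 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:00:00:01, 2008-06-24 09:05:00, 2008-06-24 09:18:00, -50, 40, 00:11:22:33:44:02, ACMENC
AA:BB:CC:00:00:02, 2008-06-24 09:06:00, 2008-06-24 09:18:00, -48, 12, 00:11:22:33:44:02, 
AA:BB:CC:00:00:03, 2008-06-24 09:07:00, 2008-06-24 09:18:00, -62, 5, 00:11:22:33:44:03, 
"""

# Privacy values that the report treats as a direct way into the network.
WEAK = {"OPN": "open (no encryption)", "WEP": "WEP (broken cipher)"}


def parse_airodump(text):
    """Split the capture into its AP and station tables (lists of dicts)."""
    ap_part, _, sta_part = text.partition("\n\n")
    read = lambda part: list(csv.DictReader(io.StringIO(part), skipinitialspace=True))
    return read(ap_part), read(sta_part)


def weak_networks(text, in_scope):
    """Return in-scope APs that are open or WEP, open ones first, with client counts."""
    aps, stations = parse_airodump(text)
    clients = {}
    for sta in stations:  # count associated stations per BSSID
        clients[sta["BSSID"]] = clients.get(sta["BSSID"], 0) + 1
    findings = []
    for ap in aps:
        essid = ap["ESSID"].strip()
        # airodump may list several schemes ("WPA2 WPA"); the first one is the strongest
        privacy = ap["Privacy"].split()[0] if ap["Privacy"].strip() else ""
        if essid in in_scope and privacy in WEAK:
            findings.append({"essid": essid, "bssid": ap["BSSID"], "channel": int(ap["channel"]),
                             "issue": WEAK[privacy], "clients": clients.get(ap["BSSID"], 0)})
    return sorted(findings, key=lambda f: (f["issue"] != WEAK["OPN"], f["essid"]))


if __name__ == "__main__":
    for f in weak_networks(SAMPLE_CSV, {"ACME", "ACMENC", "bhnetwork"}):
        print(f"{f['essid']:10} {f['bssid']} ch{f['channel']:<3} {f['issue']:22} clients={f['clients']}")
```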
Attack (Penetration Testing) Phase
Rapid7’s attack methodology is designed to gain access to the network as quietly and painlessly as possible. The following steps are completed during attack. (This phase is intentionally open-ended: the attack path depends on many factors.)
1 Survey with typical wireless card, omni‐directional antenna, and GPS.
2 Survey with typical wireless card, directional antenna, and GPS.
• Nmap 4.6 – Surveying Tool. Used to survey the network after gaining access
• Wireshark – Sniffing Tool. Used to survey and analyze the internal network after gaining access
• Dsniff – Sniffing Tool. Used to sniff for passwords on the internal network after gaining access
A provided findings matrix summarizes the overall findings and can be used as a workflow plan that can be tracked within the security organization. This plan is intended to assist the remediation team in prioritizing and tracking the remediation effort. Each finding has been categorized according to its relative risk level and also contains a rating as to the amount of work and resources required in order to address the finding.
It is important to reiterate that this report represents a “snapshot” of the security posture of the environment at a point in time.
5.0 FINDINGS AND RECOMMENDATIONS
Rapid7 has identified a number of areas where security could be improved, and recommendations have been provided for consideration. This section of the report describes the details of Rapid7’s observations, the impact associated with the vulnerabilities identified, and recommendations for resolving these vulnerabilities. To assist in prioritizing these findings, Rapid7 has categorized the observations with risk rankings based on the DREAD model. The scoring criteria and key for the DREAD model are provided below.
Each vulnerability or finding is assigned a composite Risk Score, calculated by adding each of the five DREAD components, producing a number between 5 and 50.
5.1 DREAD Scoring Criteria (Key)
Each criterion is scored at one of four levels: Critical (Score: 10), High (Score: 7), Medium (Score: 4), Low (Score: 1).

D – Damage Potential: the level of damage and exposure that could be caused if a vulnerability were exploited.
  Critical (10): An attacker can gain full access to the system; execute commands as root/administrator.
  High (7): An attacker can gain non-privileged user access; leaking extremely sensitive information.
  Medium (4): Sensitive information leak; Denial of Service.
  Low (1): Leaking trivial information.

R – Reproducibility: the level of difficulty in reproducing an attack.
  Critical (10): The attack can be reproduced every time and does not require a timing window.
  High (7): The attack can be reproduced most of the time.
  Medium (4): The attack can be reproduced, but only with a timing window.
  Low (1): The attack is very difficult to reproduce, even with knowledge of the security hole.

E – Exploitability: the ease with which the attack could be launched.
  Critical (10): No programming skills are needed; automated exploit tools exist.
  High (7): A novice hacker/programmer could execute the attack in a short time.
  Medium (4): A skilled programmer could create the attack, and a novice could repeat the steps.
  Low (1): The attack requires a skilled person and in-depth knowledge every time to exploit.

A – Affected Users: the volume of users and assets that are affected in a successful attack scenario.
  Critical (10): All users, default configuration, key customers.
  High (7): Most users; common configuration.
  Medium (4): Some users; non-standard configuration.
  Low (1): Very small percentage of users; obscure features; affects anonymous users.

D – Discoverability: the level of difficulty involved in enumerating the vulnerability.
  Critical (10): Vulnerability can be found using automated scanning tools.
  High (7): Published information explains the attack. The vulnerability is found in the most commonly used feature.
  Medium (4): The vulnerability is in a seldom-used part of the product, and few users would come across it.
  Low (1): The vulnerability is obscure and it is unlikely that it would be discovered.
5.2 DREAD Composite Risk Categories (Key)
CRITICAL (DREAD score 40–50): A critical finding or vulnerability should be considered immediately for review and resolution. Exploitation of critical vulnerabilities is relatively easy and can lead directly to an attacker gaining privileged access (root or administrator) to the system. Findings with this risk rating, if not quickly addressed, may pose risks that could negatively impact business operations or business continuity.
SEVERE (DREAD score 25–39): A severe finding or vulnerability should be considered for review and resolution within a short time frame. These vulnerabilities can lead to an attacker gaining non-privileged access (standard user) to a system, or the vulnerability can be leveraged to gain an elevated level of access.
MODERATE (DREAD score 11–24): Moderate risk findings or vulnerabilities should be considered once the critical and severe risks have been addressed. These vulnerabilities may leak sensitive data that an attacker can use to assist in the exploitation of other vulnerabilities. Moderate findings

5.3 Remediation Effort Level (Key)
MODERATE: One to several days requiring moderate amounts of resources
LOW: Less than a day requiring only a minimal amount of resources
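As an added worked example (not part of the report), the composite Risk Score and risk-category mapping from the keys above, in Python. The report’s key names no band for composite scores below 11, so the code leaves that range unlabelled; the component and level names are this example’s own spellings.

```python
from itertools import product

# Score per level and the five DREAD components, as in the report's key.
LEVELS = {"critical": 10, "high": 7, "medium": 4, "low": 1}
COMPONENTS = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")
# Composite bands from the report's key; 5-10 is not assigned a band there.
CATEGORIES = (("CRITICAL", 40, 50), ("SEVERE", 25, 39), ("MODERATE", 11, 24))


def composite_score(rating):
    """Sum the five component levels; `rating` maps component name -> level name."""
    missing = set(COMPONENTS) - set(rating)
    if missing:
        raise ValueError(f"missing DREAD components: {sorted(missing)}")
    return sum(LEVELS[rating[c]] for c in COMPONENTS)


def risk_category(score):
    """Map a composite score onto the report's bands ('UNRATED' below 11)."""
    if not 5 <= score <= 50:
        raise ValueError(f"composite score {score} outside 5..50")
    for name, low, high in CATEGORIES:
        if low <= score <= high:
            return name
    return "UNRATED"


def reachable_scores():
    """Every composite value that five components at the four levels can produce."""
    return sorted({sum(combo) for combo in product(LEVELS.values(), repeat=5)})


if __name__ == "__main__":
    # Hypothetical scoring of an open access point: only the user count is not maximal.
    example = dict.fromkeys(COMPONENTS, "critical")
    example["affected_users"] = "high"
    total = composite_score(example)
    print(total, risk_category(total))          # 47 CRITICAL
    print(reachable_scores())                   # 5, 8, 11, ... 50
```

Because each level differs from the next by 3, only the sums 5, 8, 11, …, 50 can occur; reachable_scores() shows that the band edges at 25 and 40 are never hit by a real score, while the three bands still cover everything from 11 upward.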
5.5 Critical Findings and Vulnerabilities
Rating 40–50
A critical finding or vulnerability should be considered immediately for review and resolution. Exploitation of critical vulnerabilities is relatively easy and can lead directly to an attacker gaining privileged access (root or administrator) to the system. Findings with this risk rating, if not quickly addressed, may pose risks that could negatively impact business operations or business continuity.
Finding: Open Access Point (ACME)
DREAD Score Summary (Damage Potential, Reproducibility, Exploitability, Affected Users)
Proof
Below are two screenshots depicting connections to the open access point ‘ACME.’ The first screenshot shows airodump and wireshark capturing packets on the network:
The second screenshot shows an nmap scan against the internal network (after connection):
Discussion
The ‘ACME’ access point was discovered early in the assessment, during the recon phase. This AP immediately stood out from the others because of its unique name (it was mainly surrounded by ‘bhnetwork’ and <no ssid>) and its signal strength, which came from the northeast corner of the Acme Headquarters building.
The device provides direct access to the internal Acme network. Obviously, this is a big risk to the security of the network. A novice attacker or curious observer would have no trouble connecting to the internal network and sniffing for passwords and other sensitive data.
After a discussion with Michael, it was decided that the AP is probably a vendor-provided device. The device’s SSID is likely its default, and it is probably manufactured by ACME (http://www.ACME.com).
Recommendations
• Disable the rogue access point
• Enable protection mechanisms (encryption, secure passwords) if the device cannot be disabled
Finding: WEP Encryption in use (ACMENC)
DREAD Score Summary (Damage Potential, Reproducibility, Exploitability, Affected Users)
Proof
Below is a screenshot from aircrack-ng showing the successful crack. This password was confirmed by Michael Bolton:
Discussion
WEP encryption was cracked on Day 3 of the engagement, after approximately one hour of traffic collection and 3–4 hours of cracking attempts with other tools. However, these other tools are more simplistic versions of the aircrack-ng tools, and would likely not be used by an experienced attacker.
The cracked WEP key was 128 bits (the largest possible for WEP encryption); however, it could not withstand even a relatively simplistic (and well-known) attack. The encryption protection offered via WEP is well known to be flawed, and will not stop interested and curious parties, much less an experienced attacker. WEP encryption is misleading in its offer of protection and privacy and simply should not be used to protect any form of confidential information.
Recommendations
• Immediately disable any access points using WEP
• Replace WEP APs with WPA / Managed (Radius) APs
6.0 ASSESSMENT DETAILS
This section is designed to provide
The Acme Wireless Security assessment was completed in three phases. The first phase, Recon, is designed to enumerate potential vectors of attack. The second phase, Attack, is designed to use those vectors to gain access. The third and final phase is designed to generate accurate signal maps. The assessment was completed onsite in Beverly Hills from Tuesday, June 24th to Friday, June 27th.
Recon Phase
The initial recon was completed on foot with a simple ‘wireless finder’ device. After locating the Beverly Hills Headquarters, Rapid7 mapped and confirmed the existence of 2.4 GHz networks in the area. The three buildings at the headquarters were each assessed for wireless access points. After confirming that each building had a wireless access point, Rapid7 proceeded to enumerate access points in each area. Rapid7 utilized an ALFA 500mW wireless card and 7dBi antenna to obtain results during the recon phase.
It was observed that wireless signals were of sufficient strength to obtain results with a low-profile omnidirectional antenna. While a directional antenna could be used to pick up signals at greater distances, it is likely an attacker could remain unobserved by utilizing a common wardriving antenna.
Below is a screenshot showing the recon data in kismet:
While on-site, Rapid7 was able to obtain results and remain relatively stealthy until the middle of the second day, when utilizing a directional antenna to supplement recon. Whitney Houston, an employee of Acme, noticed the car and the antenna jutting out of it. He came over to “see if he could help.” While this is a good thing, it is likely an attacker would be able to obtain results without being noticed.
The results of the preliminary recon are provided below. More information can be obtained by viewing the XLS file (recon.xls) accompanying the report. Note: This list was originally provided to Michael via email. In that email, Shelby and Stanley APs were swapped. This has been corrected.