Wi-Fi Vulnerability Assessment Checklist

Source: Internet
Author: User

Vulnerability assessment helps you locate and fix WLAN vulnerabilities before attackers exploit them. But where do you start? What should you look for? How do you cover every location? In this checklist, TechTarget China experts help you answer these questions.


1. Discover nearby wireless devices

You cannot assess the vulnerability of WLAN devices you do not know about. Start by surveying for wireless devices inside and outside the office; this survey is the foundation for the subsequent steps.
* Which channels in the 2.4 GHz band carry active traffic?
* Are there any non-802.11 interference sources in these frequencies?

For each 802.11 access point found, record:
* Media Access Control (MAC) Address
* Extended Service Set Identifier (ESSID)
* Channel
* Average/maximum signal-to-noise ratio (SNR)

For each 802.11 workstation found, record:
* MAC address
* Associated ESSID
* Associated access point or peer workstation
* Average/maximum SNR
* 802.1X identity, if visible
* Approximate location and probable owner

2. Investigate rogue devices

For non-802.11 interference sources (such as microwave ovens, Bluetooth phones and cordless phones), a spectrum analyzer can help you track down the source. For 802.11 devices, compare the survey results with your existing asset inventory to separate out the unknown devices that need deeper investigation. Note that looking for activity on bands and channels that are not commonly used can help you find devices that are trying to evade detection. To learn more about how to investigate these rogue devices and the risks they pose to your WLAN, read the related tip "the secret to capturing fraudulent threats".
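The reconciliation step described above (survey results compared against the asset inventory, with attention to uncommon channels), as an added example that is not part of the original article. All MAC addresses, ESSIDs, channels and the inventory itself are constructed sample data, and the "uncommon channel" list is a hypothetical policy setting.

```python
"""Reconcile a wireless site survey against an asset inventory.

Survey records carry the fields the checklist says to capture for each
access point: MAC, ESSID, channel, maximum SNR. Everything below is
constructed sample data (added example, not from the article).
"""
from dataclasses import dataclass

# Hypothetical policy: channels rarely used by a typical office WLAN.
# Activity here deserves a closer look (tune to your channel plan).
UNCOMMON_CHANNELS = {12, 13, 14, 165}


@dataclass(frozen=True)
class AccessPoint:
    mac: str
    essid: str
    channel: int
    max_snr: int  # dB


# Constructed survey results
SURVEY = [
    AccessPoint("00:11:22:33:44:01", "CorpWLAN", 6, 35),
    AccessPoint("00:11:22:33:44:02", "CorpWLAN", 11, 40),
    AccessPoint("de:ad:be:ef:00:01", "CorpWLAN", 14, 28),  # unknown, odd channel
    AccessPoint("aa:bb:cc:dd:ee:01", "linksys", 1, 18),    # unknown, vendor SSID
]

# Constructed inventory: MAC -> (expected ESSID, expected channel)
INVENTORY = {
    "00:11:22:33:44:01": ("CorpWLAN", 6),
    "00:11:22:33:44:02": ("CorpWLAN", 1),  # inventory says 1, survey saw 11
}


def classify(survey, inventory, corporate_essids=("CorpWLAN",)):
    """Return {mac: [findings]} for every surveyed AP that needs follow-up."""
    findings = {}
    for ap in survey:
        notes = []
        expected = inventory.get(ap.mac.lower())
        if expected is None:
            notes.append("unknown device: not in inventory")
            if ap.essid in corporate_essids:
                notes.append("unknown device advertises a corporate ESSID")
        else:
            exp_essid, exp_ch = expected
            if ap.essid != exp_essid:
                notes.append(f"ESSID mismatch: expected {exp_essid}")
            if ap.channel != exp_ch:
                notes.append(f"channel drift: expected {exp_ch}")
        if ap.channel in UNCOMMON_CHANNELS:
            notes.append("activity on uncommon channel")
        if notes:
            findings[ap.mac] = notes
    return findings
```

Known devices that match the inventory produce no entry, so the output is exactly the list of devices that need the in-depth investigation the text describes.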

3. Test your own access points

Next, turn your attention to your own WLAN assets, starting with the access points that deliver wireless service to users. These access points sit on a network exposed to untrusted devices, so they should pass the same penetration tests you apply to Internet-facing border firewalls and access routers. Answer the following questions about each access point:
* Is the access point running the latest firmware and security patches?
* Has the default ESSID been changed?
* Has the default administrator login/password been changed?
* Is the administrator password easily cracked?
* Are stronger authentication options (such as private keys) available?
* Are any unnecessary ports open (such as Telnet, HTTP, SNMP and TFTP)?
* Are these open ports vulnerable to attack?
* Is an encrypted management interface (such as SSH or HTTPS) available?
* Are security alerts and logging (for example, syslog and traps) enabled?
* Are filters in place to stop unauthenticated protocols (such as ARP, RIP, SNMP and NetBIOS) from passing through the access point to the wired network?
* Are filters in place to block wireless user-to-user traffic?
* Does the access point use the appropriate ESSID and channel?
* Are the security parameters consistent with the defined policy?
* If the access point uses WEP, how long does it take to crack the key?
* Does the access point transmit known-weak initialization vectors (IVs)?
* If the access point uses a pre-shared key (PSK), is it easy to crack?
* If the access point does not use WPA2, is a WPA2 upgrade available?
* Can the access point withstand an 802.11 denial-of-service attack (for example, an authentication flood)?

4. Test your workstations

Some workstations may not have been active during your survey, so make sure that every 802.11-capable device in your asset inventory is checked, including laptops, desktops, PDAs, VoIP phones, printers, scanners and headsets. You may want to ping-scan the wireless subnet to locate hidden devices that escaped the earlier checks. Then answer the following questions about each of your wireless workstations:
* Does the workstation run the latest operating system and application security patches?
* Is boot or operating-system authentication used to protect against loss, theft or unintended use?
* Are up-to-date anti-virus and anti-spyware programs running?
* Is the wireless interface protected by a personal firewall?
* Are any unnecessary ports (such as netbios-ns/ssn, microsoft-ds and ssdp) open?
* Are any unnecessary protocols (such as file/printer sharing) bound to the wireless connection?
* Are possible wireless intrusions (for example, blocked sessions) logged?
* Will the wireless client associate with ANY network, or only with specific ones?
* Does the client automatically connect to home or hotspot SSIDs?
* Are wireless user credentials (for example, passwords) stored on disk?
* Does the workstation scan the appropriate bands and use the appropriate ESSID?
* Are the security parameters consistent with the defined policy?
* Does the workstation transmit known-weak initialization vectors (IVs)?
* If the workstation uses 802.1X, is the authentication identity visible?
* If 802.1X is used, does the client check the server certificate?
* If WPA2 is not used, is a WPA2 upgrade available?
* If VPN clients are used on the wireless network, are they configured appropriately?
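The question lists in sections 3 and 4 can be turned into an automated configuration audit, which is what section 6 later recommends. The following is an added example, not code from the article: the configuration field names, the default-ESSID list and the two sample devices are all hypothetical or constructed, and the rules cover only the questions that can be answered from a configuration export (not the cracking-time or DoS questions).

```python
"""Audit AP and workstation configurations against the checklist questions
in sections 3 and 4. Added example, not from the article: the rule table,
config field names and sample devices are hypothetical/constructed."""

DEFAULT_ESSIDS = {"default", "linksys", "netgear", "dlink"}   # hypothetical vendor defaults
AP_UNNEEDED = {23: "telnet", 80: "http", 161: "snmp", 69: "tftp"}
WS_UNNEEDED = {137: "netbios-ns", 139: "netbios-ssn", 445: "microsoft-ds", 1900: "ssdp"}


def open_unneeded(cfg, table):
    """Names of unnecessary services found open on the device."""
    return sorted(table[p] for p in cfg.get("open_ports", ()) if p in table)


# Each rule: (predicate over the config dict, finding text when it is true)
AP_RULES = [
    (lambda c: not c.get("firmware_current"), "firmware/security patches out of date"),
    (lambda c: c["essid"].lower() in DEFAULT_ESSIDS, "default ESSID still in use"),
    (lambda c: not c.get("admin_password_changed"), "default admin login/password"),
    (lambda c: bool(open_unneeded(c, AP_UNNEEDED)), "unnecessary ports open"),
    (lambda c: not ({22, 443} & set(c.get("open_ports", ()))), "no encrypted management (SSH/HTTPS)"),
    (lambda c: not c.get("syslog"), "security alerts/logging disabled"),
    (lambda c: not c.get("filter_wired"), "unauthenticated protocols not filtered to wired LAN"),
    (lambda c: c["security"] == "WEP", "WEP in use: key is crackable"),
    (lambda c: c["security"] == "WPA-PSK" and len(c.get("psk", "")) < 20, "short PSK: easy to crack"),
    (lambda c: c["security"] != "WPA2" and c.get("wpa2_available"), "WPA2 upgrade available but unused"),
]
WS_RULES = [
    (lambda c: not c.get("os_patched"), "OS/application patches missing"),
    (lambda c: not c.get("boot_auth"), "no boot/OS authentication"),
    (lambda c: not c.get("av_current"), "anti-virus/anti-spyware missing or stale"),
    (lambda c: not c.get("firewall_on_wifi"), "wireless interface not firewalled"),
    (lambda c: bool(open_unneeded(c, WS_UNNEEDED)), "unnecessary ports open"),
    (lambda c: c.get("associate_any"), "associates with ANY network"),
    (lambda c: c.get("dot1x") and not c.get("check_server_cert"), "802.1X without server certificate check"),
    (lambda c: c["security"] != "WPA2" and c.get("wpa2_available"), "WPA2 upgrade available but unused"),
]


def audit(cfg, rules):
    """Return the checklist findings that apply to one device configuration."""
    return [text for check, text in rules if check(cfg)]


# Constructed sample devices
SAMPLE_AP = {"essid": "linksys", "firmware_current": True, "admin_password_changed": False,
             "open_ports": [23, 80, 443], "syslog": True, "filter_wired": True,
             "security": "WEP", "wpa2_available": True}
SAMPLE_WS = {"os_patched": True, "boot_auth": True, "av_current": True, "firewall_on_wifi": False,
             "open_ports": [445, 1900], "associate_any": True, "dot1x": True,
             "check_server_cert": False, "security": "WPA2"}
```

Running `audit(SAMPLE_AP, AP_RULES)` flags the default ESSID, unchanged admin password, Telnet/HTTP, WEP and the unused WPA2 upgrade, while HTTPS on 443 satisfies the encrypted-management rule.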

5. Test your WLAN infrastructure

Finally, assess the security of all infrastructure devices on the wireless subnet, including wireless switches, firewalls, VPN gateways, DNS servers, DHCP servers, RADIUS servers, web servers hosting captive-portal login pages, and Ethernet switches.

Like access points, all of these devices should pass the penetration tests you normally run against Internet-facing servers. For example, a captive portal should pass the tests you typically run against a DMZ web server. This includes checking programs/versions for known vulnerabilities that need patching and evaluating the configuration against the design.

Most infrastructure tests are not wireless-specific, but additional tests may be appropriate for 802.1X deployments. For example, you may want to test whether the RADIUS server rejects malformed EAP messages, including bad EAP lengths and depths.
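What "rejecting malformed EAP" means in practice is the set of header checks from RFC 3748 section 4 that an 802.1X/RADIUS server must apply before acting on a message. The following parser is an added example, not from the article or any particular server: it enforces the Length-field rules (too short, larger than the received bytes, missing Type octet, data on Success/Failure) and ignores link-layer padding, and `build_eap` is a constructed-packet helper so the checks can be exercised offline.

```python
"""Validate an EAP message as a RADIUS/802.1X server should before acting on it
(RFC 3748 section 4). Added example, not from the article; packets are constructed."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
HDR = struct.Struct("!BBH")  # Code, Identifier, Length (network byte order)


class MalformedEAP(ValueError):
    pass


def parse_eap(packet: bytes) -> dict:
    """Return {code, identifier, type, data} or raise MalformedEAP."""
    if len(packet) < HDR.size:
        raise MalformedEAP("shorter than the 4-byte header")
    code, ident, length = HDR.unpack_from(packet)
    if code not in EAP_CODES:
        raise MalformedEAP(f"unknown code {code}")
    if length < HDR.size:
        raise MalformedEAP(f"length {length} smaller than header")
    if length > len(packet):
        # RFC 3748 4.1: Length larger than received octets -> silently discard
        raise MalformedEAP(f"length {length} exceeds received {len(packet)} bytes")
    body = packet[HDR.size:length]  # octets beyond Length are link-layer padding
    msg = {"code": EAP_CODES[code], "identifier": ident, "type": None, "data": b""}
    if code in (1, 2):
        if not body:
            raise MalformedEAP("Request/Response without Type octet")
        msg["type"], msg["data"] = body[0], body[1:]
    elif body:
        raise MalformedEAP("Success/Failure must carry no data (Length 4)")
    return msg


def is_malformed(packet: bytes) -> bool:
    """True when the server should discard the message."""
    try:
        parse_eap(packet)
        return False
    except MalformedEAP:
        return True


def build_eap(code, ident, type_=None, data=b"", claimed_len=None):
    """Construct a packet; claimed_len forges a bogus Length field for negative tests."""
    body = (bytes([type_]) if type_ is not None else b"") + data
    length = HDR.size + len(body) if claimed_len is None else claimed_len
    return HDR.pack(code, ident, length) + body
```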

6. Use the test results

Unfortunately, there is no checklist for the last step. Now you must review the test results and assess the vulnerabilities you have discovered. Eliminate the vulnerabilities you can and reduce the chance that the remaining ones can be exploited. For example, if you find remote login (Telnet) enabled on an access point, decide whether and how to stop that service. Can you manage the access points over SSH instead of Telnet? Can you restrict SSH to the Ethernet side so that the daemon is not reachable from the wireless network?

Once you apply a fix, repeat the test to verify that the result is now what you intended. Ideally, vulnerability assessments should be conducted regularly to detect and evaluate new wireless devices and configuration changes. Also look for opportunities to automate tests to make them faster, more consistent and more thorough.
