Vulnerabilities are weaknesses, and by reducing vulnerabilities, you can reduce risks. If you’re planning to take the SY0-401 version or the SY0-501 version of the Security+ exam, you should have a basic understanding of using appropriate vulnerability assessment tools that assess the security posture of an organization.
For example, can you answer this question?
Q. You suspect that a user is running an unauthorized AP within the organization’s building. Which of the following tools is the BEST choice to see if an unauthorized AP is operating on the network?
A. Rogue system
B. Wireless scanner
C. Password cracker
D. Penetration test
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Password Crackers
A password cracker attempts to discover a password. Passwords are typically encrypted or hashed so that they aren’t easily readable. Some methods are stronger than others. If passwords are protected with weak methods, a password cracker can discover the password.
As an example, Message Digest 5 (MD5) is a hashing algorithm. When executed against a password of P@ssw0rd, it creates the following MD5 hash: 161ebd7d45089b3446ee4e0d86dbcf92. A password cracker can analyze the MD5 hash of 161ebd7d45089b3446ee4e0d86dbcf92 and discover the actual password of P@ssw0rd. There are many common methods used to crack passwords. The point here is that password crackers are one of the tools security administrators use during a vulnerability assessment.
There are two categories of password crackers—offline and online:
- An offline password cracker attempts to discover passwords by analyzing a database or file containing passwords. For example, attackers often obtain large volumes of data during a data breach. This includes files that include hashed or encrypted passwords. They can then analyze the protected passwords to discover the actual passwords. A key benefit of an offline password cracking attack is that attackers have unlimited time to analyze the passwords.
- An online password cracker attempts to discover passwords by guessing them in a brute force attack. For example, some online password crackers attempt to discover the passwords for specific accounts by trying to log on to the accounts remotely. Other online password crackers collect network traffic and attempt to crack any passwords sent over the network.
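To make the offline case concrete, here is an added example (not code from the original post) that audits a constructed credential store against a short list of weak passwords. The P@ssw0rd hash is the one quoted above; the other accounts, the wordlist and the PBKDF2 parameters are constructed for this example. It shows why unsalted MD5 is weak: each candidate is hashed once and checked against every account with a dictionary lookup, whereas a salted, slow hash forces one key derivation per account per candidate.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: a leaked credential store that used unsalted MD5, the
# storage scheme the post uses as its example. The hash for "alice" is the
# P@ssw0rd hash quoted in the post; the other two accounts are constructed.
LEAKED_MD5_STORE = {
    "alice": "161ebd7d45089b3446ee4e0d86dbcf92",
    "bob": hashlib.md5(b"letmein").hexdigest(),
    "carol": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

# Constructed wordlist of weak passwords, the first thing an offline cracker
# tries. Any account matching this list should be treated as compromised.
WEAK_PASSWORDS = ["123456", "password", "letmein", "P@ssw0rd", "qwerty"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 hex digest of a password string."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def audit_unsalted_md5(store: dict, wordlist: list) -> dict:
    """Return {username: weak_password} for every account whose stored hash
    matches a wordlist entry. With no salt, each candidate is hashed once and
    the comparison against every account is a single dictionary lookup."""
    lookup = {md5_hex(pw): pw for pw in wordlist}
    return {user: lookup[h] for user, h in store.items() if h in lookup}


# Hardened storage for contrast: a random per-user salt and a slow KDF.
# Iteration count kept modest so the example runs quickly; real deployments
# should follow current guidance for PBKDF2 work factors.
PBKDF2_ITERATIONS = 50_000


def pbkdf2_record(password: str, salt: Optional[bytes] = None) -> tuple:
    """Create a (salt, digest) record using PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check of a password against a stored (salt, digest)."""
    _, candidate = pbkdf2_record(password, salt)
    return hmac.compare_digest(candidate, digest)


# Constructed salted store holding the same two passwords as alice and carol.
SALTED_STORE = {
    "alice": pbkdf2_record("P@ssw0rd"),
    "carol": pbkdf2_record("correct horse battery staple"),
}


def audit_salted_store(store: dict, wordlist: list) -> tuple:
    """Return ({username: weak_password}, kdf_calls). Each record has its own
    salt, so there is no shared lookup table: every candidate has to be
    re-derived for every account, and each derivation is deliberately slow."""
    matches, kdf_calls = {}, 0
    for user, (salt, digest) in store.items():
        for pw in wordlist:
            kdf_calls += 1
            if pbkdf2_verify(pw, salt, digest):
                matches[user] = pw
                break
    return matches, kdf_calls


if __name__ == "__main__":
    print("unsalted MD5 store:", audit_unsalted_md5(LEAKED_MD5_STORE, WEAK_PASSWORDS))
    matches, calls = audit_salted_store(SALTED_STORE, WEAK_PASSWORDS)
    print(f"salted PBKDF2 store: {matches} after {calls} KDF calls")
```

Running the audit against the MD5 store flags alice and bob after hashing the wordlist once; the same wordlist against the salted store needs nine separate KDF calls for two accounts, which is the cost difference that makes salted, slow hashing resistant to the offline attack the post describes.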
Network Mapping
Network mapping discovers devices on the network and how they are connected with each other. It is often done as part of a network scan, but it only focuses on connectivity. In contrast, a full network scan also includes additional scans to identify open ports, running services, and OS details.
Some tools, such as Zenmap, provide you with a graphical representation of the network.
Wireless Scanners/Cracker
Administrators often perform site surveys while planning and deploying a wireless network. Security personnel periodically repeat the site survey to verify the environment hasn’t changed.
Wireless scanners can typically use both passive and active scans. When using a passive scan, a scanner just listens to all the traffic being broadcast on known channels within the 2.4 GHz and 5 GHz frequency ranges.
The figure shows a screenshot from Acrylic Wi-Fi Professional, a wireless scanner with many capabilities. As with many scanners, it can collect and report quite a bit of information on local APs.
Acrylic Wi-Fi Professional
The following bullets describe some of the columns in the figure:
- SSIDs. A scanner will detect the service set identifier (SSID) of all access points within range of the scanner.
- MAC addresses. It shows the MAC, or hardware address of the AP.
- Signal strength. The signal strength typically identifies how near (or how far away) the AP is in relation to the computer performing the scan.
- Channels. This helps administrators determine if nearby APs are broadcasting on the same channel, causing interference.
- Channel widths. A channel is typically 20 MHz wide, but when an AP bonds two channels together, it is 40 MHz wide. The scanner shows this information.
- Security. The scanner will show if the AP is in Open mode or using one of the other wireless cryptographic protocols: Wi-Fi Protected Access (WPA) or Wi-Fi Protected Access II (WPA2).
When using an active scan, a wireless scanner acts like a scanner/cracker and can gain more information about an AP by sending queries to it. As an example, a WPS attack keeps guessing PINs until it discovers the eight-digit PIN used by an AP. It can then use this to discover the pre-shared key (PSK) used by the AP. Various wireless scanners have other capabilities, including password crackers using other methods.
Rogue System Detection
Rogue APs are APs placed into service without authorization. As long as an administrator knows which APs are authorized, it’s easy to discover rogue APs with a wireless scan. As an example, the figure shows all the SSIDs the scanner has detected.
Administrators can investigate any unknown SSIDs. The received signal strength indicator (RSSI) shows the strength of the signal. A lower negative number (closer to zero) is stronger than a higher negative number. By installing the wireless scanner on a laptop and walking around an organization, you can locate rogue APs. As you move closer to a rogue AP, the signal becomes stronger. As you move farther away from it, the signal becomes weaker.
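Putting the scanner columns and the rogue-AP check together, here is an added example (not code from the original post or from Acrylic Wi-Fi) that parses a constructed scanner export and reports rogue APs strongest-signal first, open-mode APs, and channels shared by more than one AP. The CSV column layout and every SSID, MAC address and RSSI value are constructed for this example; the script matches on the AP's MAC address rather than the SSID, since an SSID name alone does not identify a particular AP.

```python
import csv
import io
from collections import defaultdict

# Constructed scanner export. The columns mirror those described in the post
# (SSID, MAC/BSSID, signal strength, channel, width, security); the CSV layout
# is an assumption for this example, not any real scanner's export format.
SCAN_EXPORT = """\
ssid,bssid,rssi_dbm,channel,width_mhz,security
CorpWiFi,00:11:22:33:44:01,-48,6,20,WPA2
CorpWiFi,00:11:22:33:44:02,-71,11,20,WPA2
CorpWiFi,00:11:22:33:44:03,-82,36,40,WPA2
CorpWiFi,de:ad:be:ef:00:01,-39,6,20,WPA2
FreeWiFi,de:ad:be:ef:00:02,-55,1,20,Open
Guest,00:11:22:33:44:10,-60,1,40,WPA
"""

# Constructed inventory of authorized AP MAC addresses.
AUTHORIZED_BSSIDS = {
    "00:11:22:33:44:01",
    "00:11:22:33:44:02",
    "00:11:22:33:44:03",
    "00:11:22:33:44:10",
}


def parse_scan(text: str) -> list:
    """Parse the CSV export into typed records with lowercase MAC addresses."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "ssid": row["ssid"],
            "bssid": row["bssid"].strip().lower(),
            "rssi_dbm": int(row["rssi_dbm"]),
            "channel": int(row["channel"]),
            "width_mhz": int(row["width_mhz"]),
            "security": row["security"],
        })
    return records


def band(channel: int) -> str:
    """Channels 1-14 sit in the 2.4 GHz range; 36 and above are in 5 GHz."""
    return "2.4 GHz" if channel <= 14 else "5 GHz"


def find_rogues(aps: list, authorized: set) -> list:
    """APs whose MAC address is not in the inventory, strongest signal first.
    RSSI closer to zero means a stronger signal, so the first entry is the
    one nearest the laptop running the scan."""
    known = {b.lower() for b in authorized}
    rogues = [ap for ap in aps if ap["bssid"] not in known]
    return sorted(rogues, key=lambda ap: ap["rssi_dbm"], reverse=True)


def find_open(aps: list) -> list:
    """APs running in Open mode, i.e. with no wireless cryptographic protocol."""
    return [ap for ap in aps if ap["security"].lower() == "open"]


def channel_conflicts(aps: list) -> dict:
    """Channels on which more than one AP in range is broadcasting."""
    by_channel = defaultdict(list)
    for ap in aps:
        by_channel[ap["channel"]].append(ap["bssid"])
    return {ch: sorted(macs) for ch, macs in by_channel.items() if len(macs) > 1}


def report(text: str, authorized: set) -> None:
    aps = parse_scan(text)
    print("Rogue APs (strongest first):")
    for ap in find_rogues(aps, authorized):
        print(f"  {ap['ssid']:<10} {ap['bssid']}  {ap['rssi_dbm']} dBm  "
              f"ch {ap['channel']} ({band(ap['channel'])})  {ap['security']}")
    print("Open APs:", [ap["bssid"] for ap in find_open(aps)])
    print("Shared channels:", channel_conflicts(aps))


if __name__ == "__main__":
    report(SCAN_EXPORT, AUTHORIZED_BSSIDS)
```

The rogue list is what you would carry on the laptop while walking the building: the entry at the top has the RSSI closest to zero, so it is the one to walk toward first, and re-running the report as you move shows the value rising or falling.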
Q. You suspect that a user is running an unauthorized AP within the organization’s building. Which of the following tools is the BEST choice to see if an unauthorized AP is operating on the network?
A. Rogue system
B. Wireless scanner
C. Password cracker
D. Penetration test
Answer is B. A wireless scanner can detect all of the wireless access points (APs) running on a network. By comparing this with a list of authorized APs, you can detect unauthorized APs.
A rogue system is an unauthorized system, but it isn’t used to detect unauthorized APs.
A password cracker can often crack passwords used by APs, but it isn’t used to detect rogue APs.
A penetration test attempts to exploit known vulnerabilities, but it isn’t used to detect rogue APs.
If you’re studying for the SY0-501 version of the exam, check out the CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide.