If you plan on taking the Security+ exam you should have a solid understanding of some wireless threats such as war driving and rogue access points. This blog assumes you understand basic wireless topics. If you need a review, check out these two blogs:
Note: This blog is an excerpt from the CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide.
Wireless Threats – War Driving
War driving is the practice of looking for a wireless network. While war driving is more common in cars, you can just as easily do it by walking around in a large city. Attackers use war driving to discover wireless networks that they can exploit and often use directional antennas (cantennas) to detect wireless networks with weak signals.
Administrators also use war driving techniques as part of a wireless audit. A wireless audit is a detective control that examines the wireless signal footprint, power levels, antenna placement, and encryption of wireless traffic. These audits are useful for detecting weaknesses in wireless networks. For example, administrators can sometimes detect rogue access points and evil twins by war driving, identify unauthorized users, and determine when their WAPs' footprint extends too far.
Many current operating systems include software to identify wireless networks. For example, Microsoft’s Windows 7 includes tools that allow you to view details about wireless networks in range of the system. The software shows the SSID of the network, signal strength, and the security protocol used (such as WEP, WPA, or WPA2).
Occasionally, people use war chalking to mark wireless networks. These are simple marks written in chalk, or painted on a wall as graffiti. For example, two parentheses marks placed back to back, as )(, indicate an open Wi-Fi network, and an open circle with a W in the middle indicates a Wi-Fi network using WEP.
Wireless Threats – Rogue Access Points
Generically, you can think of a rogue as a scoundrel, crook, or a villain. A rogue access point is a WAP placed within a network by someone with some type of attack in mind. Clearly, if a rogue is a crook or villain, then rogue access points are not an administrator’s friend. You may also see them called counterfeit access points, which is also a clear indication they aren’t legitimate.
Attackers may connect a rogue access point to network devices in wiring closets that lack adequate physical security. This access point acts as a sniffer to capture traffic passing through the wired network device, and then broadcasts the traffic using the wireless capability of the WAP. The attacker can then capture the traffic from the parking lot.
Additionally, attackers may be able to use the rogue access point to connect into the wired network. This works the same way that regular users can connect to a wired network via a wireless network. The difference is that the attacker configures all the security for the counterfeit access point and can use it for malicious purposes.
Rogue (or counterfeit) access points are malicious. An evil twin is a rogue access point using the same SSID as a legitimate access point. While a secure WAP will block unauthorized users, a rogue access point provides access to unauthorized users.
If you discover an unauthorized WAP, you should disconnect it as quickly as possible. A basic first step to take when you discover any attack is to contain or isolate the threat. By simply unplugging an Ethernet cable, you can stop any attacks from an unauthorized WAP.
Often, administrators will use war driving tools to scan their networks for rogue access points. This can help identify the physical location of access points, since the signal will get stronger as the administrator gets closer. Some sophisticated war driving tools include directional antennas (such as cantennas) that an administrator (or an attacker) can use to locate a WAP.
Wireless Threats – Interference
Attackers can transmit noise or another radio signal on the same frequency used by a wireless network. This interferes with the wireless transmissions and can seriously degrade performance. Interference attacks like this are commonly called jamming.
In some cases, you can increase the power levels of the WAP to overcome the attack. However, it’s worth remembering that as you increase the power level, you increase the wireless footprint and become more susceptible to war driving attacks.
Another method of overcoming the attack is to use different wireless channels. Each wireless standard has several channels you can use, and if one channel is too noisy, you can use another one. While this is useful to overcome interference in home networks, it won’t be as effective to combat an interference attack. If you switch channels, the attacker can also switch channels.
An evil twin is a rogue access point with the same SSID as a legitimate access point. For example, many public places such as coffee shops, hotels, and airports include free Wi-Fi as a service. An attacker can set up a WAP using the same SSID as the public Wi-Fi network, and many unsuspecting users will connect to this evil twin.
Once a user connects to an evil twin, wireless traffic goes through the evil twin instead of the legitimate WAP. Often, the attacker presents bogus login pages to users in an attempt to capture usernames and passwords. Other times, they simply capture traffic from the connection, such as e-mail or text entered into a web page, and analyze it to detect sensitive information they can exploit.
While it may sound complex to set this up, it’s actually rather easy. Attackers can configure a laptop that has a wireless access card as a WAP. With it running, the attackers look just like any other user in a coffee shop or airport waiting area. They’ll have their laptop open and appear to be working (just like you perhaps), and you’ll have no idea they are trying to steal your credentials or other personal data that you send over the Internet via the evil twin.
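The wireless audit described above (war driving your own footprint, spotting rogue access points and evil twins, and checking encryption) boils down to comparing what a scan sees against the inventory of WAPs you actually deployed. The following is an added example, not code from the study guide: it assumes a constructed inventory, constructed scan results, and two assumed signal thresholds, and classifies each observed network as an evil twin (your SSID from a BSSID you never deployed), a rogue candidate (an unknown SSID seen strongly inside the building), weak encryption, or a footprint that reaches too far past the perimeter.

```python
from dataclasses import dataclass

# Authorized inventory (constructed): SSID -> BSSIDs of the WAPs we deployed.
AUTHORIZED = {"CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}
WEAK = {"OPEN", "WEP"}          # security modes a wireless audit should flag
PERIMETER_MAX_DBM = -75         # assumed: stronger than this outside = footprint too far
INSIDE_MIN_DBM = -60            # assumed: unknown AP stronger than this inside = likely on premises

@dataclass
class Observation:
    ssid: str
    bssid: str
    security: str   # OPEN, WEP, WPA, WPA2
    signal_dbm: int
    where: str      # "inside" or "perimeter": where the scanner stood

def classify(obs, authorized=AUTHORIZED):
    """Return audit findings for one scanned network (empty list = nothing to report)."""
    findings = []
    known = {b.lower() for b in authorized.get(obs.ssid, ())}
    if obs.ssid in authorized and obs.bssid.lower() not in known:
        findings.append("evil-twin")            # our SSID from a WAP we did not deploy
    elif obs.ssid in authorized:
        if obs.security.upper() in WEAK:
            findings.append("weak-encryption")  # authorized WAP using open/WEP
        if obs.where == "perimeter" and obs.signal_dbm > PERIMETER_MAX_DBM:
            findings.append("footprint-too-far")
    elif obs.where == "inside" and obs.signal_dbm > INSIDE_MIN_DBM:
        findings.append("rogue-candidate")      # unknown SSID, strong signal indoors
    return findings

def audit(observations, authorized=AUTHORIZED):
    """Map BSSID -> findings for every network that needs attention."""
    report = {}
    for obs in observations:
        f = classify(obs, authorized)
        if f:
            report[obs.bssid.lower()] = f
    return report
SCAN = [  # constructed war-driving results
    Observation("CorpWiFi", "00:11:22:33:44:01", "WPA2", -48, "inside"),
    Observation("CorpWiFi", "00:11:22:33:44:02", "WPA2", -62, "perimeter"),    # too far
    Observation("CorpWiFi", "de:ad:be:ef:00:01", "OPEN", -40, "inside"),       # evil twin
    Observation("Guest-Setup", "aa:bb:cc:dd:ee:ff", "WEP", -45, "inside"),     # rogue candidate
    Observation("NeighborNet", "66:77:88:99:aa:bb", "WPA2", -85, "perimeter"), # neighbor, ignore
]
if __name__ == "__main__":
    for bssid, findings in audit(SCAN).items():
        print(f"{bssid}: {', '.join(findings)}")
```

Flagged BSSIDs are the ones to locate physically, walking toward the stronger signal as the text describes, and an evil-twin or rogue finding is the cue to isolate the device rather than keep observing it.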