To get the most out of this book, you definitely need to follow along with as many of the examples as possible. To do that, you’ll need a good wireless test lab. The cost of wireless equipment has dropped drastically since its introduction. Today, a very effective lab could cost you as little as $500. Take into consideration that you (or the company you work for) probably already has what you need to test almost everything you read about in this book.

No, I’m not going to list every type of laptop you can buy. The wireless world has exploded so rapidly that you need to understand the security implications of all the new types of wireless clients. Ironically, some of the biggest security threats could come from client devices simply because they’re most often overlooked or ignored.

Smartphones and PDAs are everywhere and are only becoming more ubiquitous. These devices are covered in great detail later in the book, but for now consider that smartphones and PDAs are not just clients on your network that attackers can target (typically housing a large amount of sensitive data), but are also very stealthy attack tools for breaking into your wireless network. These devices are able to run advanced wireless attack tools and store the data while sitting neatly and covertly in a visitor’s pocket.

Many vendors offer printers with wireless technologies built right in. This provides a very interesting attack vector for a would-be intruder. If you connect the printer to your company’s otherwise secure network, does this provide an easy place to discover the wireless encryption password? Is the password stored securely on the printer, or can you simply print the configuration and view the password in plain text? If your printer is connected to your network using wired technologies but is broadcasting a default ad-hoc wireless SSID, can an attacker join the ad-hoc network and use the printer as a channel onto your wired network?

Access points have changed drastically since they first hit the market. Among other things, they’ve changed in size, functionality, bandwidth, and range. From an attacker’s perspective, two of the most interesting changes are that of physical size and feature set. These new full-featured and compact access points provide a very easy attack scenario with relatively low risk. You simply walk into a target organization, find an open network data jack, plug in your access point, and walk out. You then finish all your nefarious work from the parking lot, and the worst you’re risking is losing the access point if it’s discovered.

The DD-WRT website has the following to say about DD-WRT: “DD-WRT is a Linux-based alternative OpenSource firmware suitable for a great variety of WLAN routers and embedded systems.”

One of the most popular access points in both the small business and home market is the Linksys WRT54G (see Figure 2-1). The WRT54G retails for about $60 and supports the DD-WRT firmware, making it perfect for many small business deployments as well as small office/home office (SOHO) environments—or your home lab.

The Apple Airport Express provides a beautiful and compact form factor perfect for an attacker. It features a built-in plug for an electrical outlet, meaning you don’t need to carry an additional external power adapter. It has some other interesting features, including a USB port for a printer or USB drive.

Some vendors offer uber-portable access points perfect for dropping into a sensitive area. Not the least of which is the D-Link DWL-G730AP, which can be purchased for as little as $40. The D-Link DWL-G730AP is aptly named the “D-Link pocket router” because it is about three inches square and less than an inch high. The only downside to this model is the need for an external power adapter, which can be discovered or lost.

An interesting new product offering is what’s being called the “portable hotspot.” This nifty access point’s back-end transmission medium is actually the cellular network. An example is the Verizon 4G LTE mobile hotspot (see Figure 2-2). The back-end (or Internet) connection is a 4G connection that can reach download speeds of 1 Gbps.

Smartphones are no longer just clients accessing wireless networks but are also full-featured access points for other clients to connect to. Currently, the most versatile operating system for smartphones is the Android OS by Google (www.android.com), which is based on the Linux operating system. The processing power and storage available on these little devices is astounding, and you might be surprised at some of the tools already running on these phones. The previous scenario of an attacker offering “free wireless services” is even easier on a phone such as the Google Galaxy Nexus by Samsung, which has a 1.2 GHz dual-core processor, 1 GB of RAM and 16GB of storage! So saving all the captured network traffic right to the phone and then walking out the door is extremely easy—and, yes, Tcpdump has already been ported to work on the Android operating system.

Arguably the two biggest names in true enterprise-grade access points and wireless systems are Cisco and Aruba. Both offer an extensive array of wireless products—everything from antennas, access point enclosures, access points, access point controllers, and even software to help manage your wireless infrastructure.

Antennas are an important component of any wireless assessment, and understanding how they work will help you adjust your thinking about the physical security implications for wireless transmissions. The most important fact to keep in mind is that antennas increase the range for both sending and receiving data. This means that a laptop with an antenna doesn’t just send a stronger signal to the access point, but it can actually pick up weaker signals from the access point, thus increasing the distance it can be from that access point.

Antennas come in many different shapes and sizes, and some even have a few neat features that help security assessors. The two most important types for the security tester are directional and omnidirectional. Directional antennas, also commonly referred to as yagi antennas, radiate basically straight forward (and typically slightly askew to one side). They are best suited for “one-to-one” communication, where you can “point” at the target. Omnidirectional antenna’s essentially radiate outward evenly from the horizontal plane of the antenna. Take this with a grain of salt, though. In reality, the signal radiation pattern looks most similar to a donut with the antenna sticking up through the center of the donut. Mmm, delicious wireless technologies.

A plethora of other fun and interesting gadgets can be used to enumerate or penetrate wireless networks. Some of the more popular gadgets include the following:

Many available GPS units can integrate with wardriving software, allowing you to pinpoint where you first discovered and found the strongest signal for a wireless network. GPS devices, including the well-known Garmin models, offer many options, including the newer USB options. Figure 2-5 shows a Globalsat Bu-353 GPS, which is extremely compact easily fits in your hand, and has a magnet on the base of the unit.

One of the most exciting and interesting new wireless-enabled devices by far is the smartphone. The three main choices today for a smartphone with wireless tools are iPhones, Windows-based smartphones, and Android-based smartphones.

A few interesting little handheld devices work perfectly for the impromptu warwalking adventure. Although most don’t provide a whole lot of detail, often the SSID can be enough to enumerate an interesting target. For example, the Hotspotter device, retails for $50 from Canary Wireless, can display the wireless channel, the signal strength levels, and the encryption type in use. You can read more about the Hotspotter at Canarywireless.com.

Although a spectrum analyzer’s core functionality isn’t necessarily security related, some manufacturers bundle traffic-dumping software to allow you to see wireless communications. Spectrum analyzers give you data on the physical communications on a given wireless frequency. This can aid you in troubleshooting issues from congestion, range, and physical topology. Spectrum analyzers used to be prohibitively expensive, but nowadays very affordable and surprisingly easy-to-use options are available. One option is the Wi-Spy by Metageek. Wi-Spy offers a few options that range from $99 to $1,000 and come with a USB wireless card and the software to display the information in a nice graphical manner.

It might not be surprising that my operating system of choice for wireless security assessments is Linux; however, many tools can still be run from Windows. Additionally, many open-source tools can be run from the Mac OS, including some tools that are exclusive to the Mac OS.

In this chapter, we reviewed some of the fun toys available for connecting to, attacking, or offering wireless networks. We also reviewed some interesting items such as smartphones, miniature access points, and some unusual wireless clients. We reviewed some of the options for antennas as well.