Overview of the Rapid7 PSO Report Sample


Document information

PenetrationTestReport1|Page       ACME, Inc   WirelessSecurityAssessmentReport  July15,2008 PenetrationTestReport2|Page   TableofContents  1.0ExecutiveSummary 4 2.0CorporateProfile 5 3.0ReportingandAssessmentMethodology 6 3.1AssessmentMethodology 7 Methodology 7 ToolsUsed 8 3.2ReportingMethodology 9 Structure 9 UnderstandingtheFindings 9 4.0AssessmentScope 11 5.0FindingsandRecommendations 12 5.1DREADScoringCriteria(Key) 13 5.2DREADCompositeRiskCategories(Key) 14 5.3RemediationEffortLevel(Key) 14 5.4FindingsMatrix 15 5.5CriticalFindingsandVulnerabilities 16 Finding:OpenAccessPoint(ACME) 17 Finding:WEPEncryption inuse(ACMENC) 19 6.0AssessmentDetails 21 ReconPhase 22 AttackPhase 25 NetworkSurveyPhase 27 7.0AppendixA:ProjectPlan 29 8.0APPENDIXB:AttackModel 30 9.0.APPENDIXC:RangeMaps 31 BeverlyHillsHeadquarters 32 BeverlyHills DistrictOffice 34 BeverlyHillsTrainingFacility 35 PenetrationTestReport3|Page   Customer Information CompanyName: ACMEInc ContactName: MichaelBolton Title: Manager Telephone:  E‐mail: Michael@ACMEINC.com BusinessAddress: 2100RockefellerBoulevardSuite19BMailstop6 City: BeverlyHills State/Province CA ZIP: 90210 URL: Http://www.acme‐not‐a‐real‐domain.com Consultant Information CompanyName: Rapid7,LLC. ContactName: Title:  Telephone: E‐mail: BusinessAddress: 545BoylstonSt City: Boston State/Province: MA ZIP: 02116 URL: http://www.rapid7.com ‘ PenetrationTestReport4|Page  1.0 EXECUTIVE SUMMARY OnApril 30, 2008, Acme, Inc contracted withRapid7ProfessionalServicestoperformanon‐sitewireless assessment.Thegoaloftheassessmentwastoprovide Acmewithanindependentevaluationoftheir 
wirelesssecurityposturefromanexternalattacker’sstandpoint.Thisdocumentcontainstheresultsof theassessment’sfindings. Rapid7beganthewirelessassessmentforAcmeonJune24,2008.ThemaincontactswasMichael Bolton.Twositeswereinscopefortheassessment(BeverlyHills HeadquartersandBeverlyHillsDistrict Office).Anothersitewasaddedmid‐assessment(BeverlyHillsTrainingFacility). TheassessmentbeganwithreconnaissanceoftheAcmenetwork.Awardrive(scan),ofthebuildings wascompleted(seerangemapsinAppendixD)todeterminepossibletargets.Rapid7noticedalarge numberofWPA/Radius(strong) encryptedaccesspointsandasmallernumberofWEP(weak) encryptedaccesspointswiththename“ACMENC.”Thepresenceofseveralopennetworkswasalso noted.ThesefindingswerelaterconfirmedbyMichael. Aftercompletingrecon,Rapid7prioritizedtargets(seeAppendixC:AttackModel),anddeterminedthat theopenand WEPencryptedaccesspointswouldbethesimplestvectorintothenetwork.Withtargets inplace,Rapid7movedontotheattackphaseoftheassessment. Thefirstmajorfindingoftheassessmentwasanopenaccesspoint,“ACME.”Thisaccesspointprovided fullaccesstotheAcmeinternalnetwork.More detailsareincludedinthefindingssection,however,the remediationisassimpleasdisablingthewirelesstransmitteronthedevice. Thesecondmajorfindingoftheassessmentwas(easilybroken)WEPencryptioninuseonaAcme (ACMENC)accesspoint.DespitethefactthatallAcmetrafficanddata passingoverthenetworkwas encryptedwitha128bitWEPkey,anexperiencedattackercouldlikelypenetratetheAcmenetwork withinanhour,andalessexperiencedattackerorsimplyacuriousobservercouldgainaccesswithina day.Moredetailsareincludedinthefindingssection. 
 Theresultof thewirelessassessmentwastotalaccesstotheinternalnetwork.Thisaccesswas obtainedusingopensourcetools,andwell‐knownmethodsforattack(think:videosonyoutube).Given sufficienttime,itislikely anattackercouldcompromisetheentirenetworkandallAcmedata. Whileconnectedtotheinternal network,Rapid7attemptedtoauthenticatetoseveralmachines.These failedauthenticationattemptswerenoticedbyAcmestaff,however,anexperiencedattackerwith sufficienttimecouldeasilyevadesuch detection. Inshort,theonlypermanentsolutiontotheweakwirelesssecurityis toupgradealldevicesto strongerencryptionschemes.Ideally, eachWAPwouldbeWPA‐encryptedwithaRadiusserverfor authentication.Otherpotential(temporary)solutionsincludesegmentingthewirelessnetworkfromthe wirednetwork,ordisablingitalltogether. PenetrationTestReport5|Page  2.0 CORPORATE PROFILE Foundedin2006,ACMEInc.hasproductionandresearchfacilitiesacrosstheglobe. PenetrationTestReport6|Page  3.0 REPORTING AND ASSESSMENT METHODOLOGY ThissectionofthereportdetailsthemethodologyusedbyRapid7togatherresultsandtoreportthem. Itpresentstheprocess,timeline,andtoolsbehindtheassessment.Additionally,thissectiondetailsthe report’sstructureandworkflow. PenetrationTestReport7|Page  3.1 Assessment Methodology Theassessmentconsistedofthreemajorphases:Reconnaissance,Attack(PenetrationTesting),and RangeSurveying.Thesearedetailed below.Seetheassessmentdetailssectionforthewalkthroughof eachphase. Methodology Reconnaissance Phase Rapid7’sreconmethodologyisdesignedtogatherasmuchinformationaboutthetarget networkasquicklyandasquietlyaspossible.Thefollowingstepsarecompleteddurin grecon: 1. 
InitialObservations–Conductedonfootorinacar,using ahandhelddeviceorlaptop togathersignalstrengthanda listingofavailablewirelessnetworks  2. Analysisofavailablenetworks–SilentlygatherinformationaboutWAPsandclients usingeachWAP.Determineifnetworkisinscopefortheassessment  3. GatherNetworkandAccessPoint(AP)Information–Gatherandstoredetailsforall networksundertest.– Usepacketcapturestorecordtrafficpassingoverthenetwork.  Attack (Penetration Testing) Phase Rapid7’sattackmethodologyisdesignedtogainaccesstothenetworkasquietlyand painlesslyasapossible.Thefollowingstepsarecompletedduringattack.(Thisphaseis leftintentionallyopen‐ended,theattackphasedependsonmanyfactorsandmustbe leftopen‐ended). 1. Usedatagatheredwithinthereconphasetoenumerateprioritylistoftargets. 2. Survey&sniffopenaccesspoints(ifavailable). 3. BreakWEP/WPAencryptionifavailable. 4. PreparefakeRADIUSServerforWPA/managedAP’s. 5. LaunchMiTMattacks. 6. Useotherattackpatternsasappropriate. Range Survey Phase Rapid7’srangesurveyisdesignedtogatherinformationaboutthesignalspreadofaparticular wirelessnetwork.Thisinformationisthenconsolidatedintosignalmaps 1. Surveywithtypicalwirelesscard,omni‐directionalantenna,andGPS. 2. Surveywithtypicalwirelesscard,directionalantenna,andGPS. PenetrationTestReport8|Page  3. 
Generatesignalmapsusinggathereddataandmappingutility. Tools Used Hardware • DellXPSM1210w/Intel3945CentrinoWireless • LenovoT60Pw/Intel3945CentrinoWireless • AlfaUSB500mWAWUS036H(WirelessAdapter) • UbiquitiSRC300mW(WirelessAdapter) • 2.4GHz12dBiRadomeEnclosedYagiAntenna • 2.4GHz7dBiVehicleMountOmniAntenna • 2.4 GHz9dBiVehicleMountOmniAntenna Software • Backtrack3.0–OS.‐Usedasahostforothertools • VMWareWorkstation–Hypervisor‐.UsedtohostBacktrackVM • Windows2003–OS.‐UsedtohostBacktrackVM • Kismet–ReconTool.‐Usedtosurveythewirelessnetworkaccesspoints&client • GPSMap– ReconTool.‐Usedtographicallydepictthewirelessaccesspoints • Wesside–AttackTool.‐Used(unsuccessfully)tobreakWEPencryption • SpoonWEP–AttackTool.‐Used(unsuccessfully)tobreakWEPencryption • Aircrack‐NG–AttackToolSuite(airodump,aireplay,aircrack).‐Used(successfully)tobreak WEPencryption • Nmap4.6– SurveyingTool.‐Usedtosurveythenetworkaftergainingaccess • Wireshark–SniffingTool.‐Usedtosurvey&analyzetheinternalnetworkaftergaining access • Dsniff–SniffingTool.‐Usedtosniffforpasswords ontheinternalnetworkaftergaining access PenetrationTestReport9|Page  3.2 Reporting Methodology Structure Thereportisorganizedintothefollowingsections: 1.0ExecutiveOverview–Ahigh‐leveloverviewofthefindingsfromtheassessment.This sectiongivesthereaderaviewofthemajorissuesdiscovered. 2.0CorporateProfile–Adescriptionofthebusinessbeingtested. 3.0ReportingandMethodology–An explanationofthemethodologyusedfortheassessment andtherationalebehindthereporting.(Thissection) 4.0ScopeofAssessment–Exactspecificationonthescopeoftheassessment.Thissection detailswhatwascovered,andmoreimportantly,whatwasNOTcovered. 
5.0FindingsandRecommendations–Anin‐depthrating andanalysisofkeyissuesdiscovered duringtheassessment. 6.0AssessmentDetails–Astep‐by‐stepbreakdownofworkcompletedduringtheassessment. Thissectionwalksthroughtheprocessofthewirelessassessment,detailingobservationsmade ineachphase. 7.0Appendix:ProjectPlan–Approvedprojectplanforthe assessment. 8.0Appendix:AttackModel–Attackmodelgeneratedduringtheassessment.Listspotential attackvectors 9.0Appendix:RangeMaps–Wirelessrangemapsofthesitesinscope. Understanding the Findings Ratherthanreporteachmissingpatchasvulnerability,thisreportdescribesrisksandfindingsusingthe DREADModel.Afindingisalogicalgroupingofoneormoresecurityissue(s)havingacommoncause and/oracommonresolution.Inadditiontoidentifyingtheunderlyingcause(s),eachfindingalso containshyperlinkedreferences toresourcesandprovidesdetailedremediationinformation.  Aprovidedfindingsmatrixsummarizestheoverallfindingsandcanbeusedasaworkflowplanthatcan betrackedwithinthesecurityorganiza tion.Thisplanisintendedtoassisttheremediationteamin prioritizingandtrackingtheremediationeffort.Eachfindinghas beencategorizedaccordingtoits relativerisklevelandalsocontainsaratingastotheamountofworkandresourcesrequiredinorderto addressthefinding. PenetrationTestReport10|Page   Itisimportanttoreiteratethatthisreportrepresentsa“snapshot”ofthesecuritypostureofthe environmentatapointintime. [...]... The  next attack was to crack the WEP access point located in the Stanley Building. Rapid7 began by  utilizing relatively new tools, Wesside and SpoonWEP. These tools are entirely automated attacks,  designed to make cracking a network as simple as clicking a button. 
Below are screenshots of these  attacks:    [SCREENSHOT REMOVED FOR SAMPLE REPORT]   Wesside failing to gather sufficient network traffic to crack the password.    [SCREENSHOT REMOVED FOR SAMPLE REPORT]   SpoonWEP failing to gather sufficient IV’s to crack the wireless password. ... After the scoping call and an initial on‐site meeting, it was decided to focus solely on wireless from an  external attacker’s standpoint.   Penetration Test Report    11 | P a g e     5.0 FINDINGS AND RECOMMENDATIONS Rapid7 has identified a number of areas where security could be improved, and recommendations have  been provided for consideration. This section of the report describes the details of Rapid7 s  observations, the impact associated with the vulnerabilities identified, and recommendations for ... Penetration Test Report    21 | P a g e     Recon Phase The initial recon was completed on foot with a simple ‘wireless finder’device. After locating the Beverly  Hills Headquarters, Rapid7 mapped and confirmed the existence of 2.4Ghz networks in the area. The  three buildings at the headquarters were each assessed for wireless access points. After confirming that  each building had a wireless access point, Rapid7 proceeded to enumerate access points in each area. ... ng.org/doku.php?id=simple_wep_crack/. Needless to say, the attack can be done by anyone with  enough free time to read the documentation and buy the necessary hardware (read: almost anyone). A  screenshot of the successful key crack is shown below:    [SCREENSHOT REMOVED FOR SAMPLE REPORT]   Penetration Test Report    25 | P a g e     After moving to the aircrack‐ng suite, the attack took approximately 1 hour. In total, the attack phase  consisted of approximately a day.This attack was completed from within the Stanley building, at ... Hopefully this indicates the danger of running WEP encryption. Although there was only ONE (detected)  AP running WEP, Rapid7 was able to crack & obtain access to the internal network. 
It is highly suggested  that the WEP encryption be replaced with WPA managed encryption, similar to the other Acme access  points.   Penetration Test Report    26 | P a g e     Network Survey Phase After successfully completing the attack phase, Rapid7 proceeded to again wardrive the perimeter of ... HotSpotting (MiTM)  1.3 Sniffing  Maintain Access (Optional)  Debriefing (06/27/08) Occurs on‐site. Prepare results in the form of a presentation.   Analysis / Report (06/30/08) Occurs off‐site. Prepare results in form of a final report.   Penetration Test Report    29 | P a g e     8.0 APPENDIX B: ATTACK MODEL Below is the attack model (or attack tree) generated for the assessment. This attack model shows paths ... The results of the preliminary recon are provided below. More information can be obtained by viewing  the XLS file (recon.xls) accompanying the report.  Note: This list was originally provided to Michael via  email. In that email, Shelby and Stanley APs were swapped. This has been corrected.  Penetration Test Report    22 | P a g e     Headquarters - Main Office: • [unknown SSID] - WEP40 (2) • [unknown SSID] - WEP (2) • [unknown... ACMENC – TC_TR_AP ‐  Main Building – WPA/MGD Encryption  After narrowing the possible attack vectors, an attack model (or attack tree) was generated. This attack  tree is included in Appendix C.   Penetration Test Report    24 | P a g e     Attack Phase Rapid7 determined the best attack vector into the network was the open access point, ACME. As  expected, this AP provided full access to the internal Acme network. This vector was quickly disregarded ... MODERATE    One to several days requiring moderate amounts of resources LOW  Less than a day requiring only a minimal amount of resources Penetration Test Report    14 | P a g e     5.4 Findings Matrix This table summarizes the findings documented in this report.  The findings are ordered based  on a weighed score of the severity of the risk and the effort of remediation.  
FINDING   DREAD SCORE  REMEDIATION EFFORT ... Penetration Test Report    16 | P a g e     Finding: Open Access Point (ACME) DREAD Score Summary Damage Potential Reproducibility Exploitability Affected Users Discoverability Total Risk Rating 7 10 10 10 7 44 Critical Proof Below are two screenshots depicting connections to the open access point ‘ACME.’ The first screenshot shows airodump and wireshark capturing packets on the network: Penetration Test Report    17 | P
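The DREAD scoring and findings-matrix ordering that sections 5.1 to 5.4 describe, as an added example that is not part of the Rapid7 sample report. The open access point scores (7, 10, 10, 10, 7 = 44, Critical) are the report's own; the composite risk bands, the HIGH effort level, the tie-breaking weight and the WEP finding's component scores are assumptions, since the page does not reproduce those keys.

```python
"""Added example (not from the Rapid7 sample report): DREAD scoring and
findings-matrix ordering as section 5 of the report describes."""
from dataclasses import dataclass

# Remediation effort levels: LOW and MODERATE are quoted in the report's
# section 5.3 key; HIGH is an assumed third level used only for ordering.
EFFORT_RANK = {"LOW": 0, "MODERATE": 1, "HIGH": 2}

# Composite risk categories (the report's section 5.2 key is not on this
# page); these bands are assumed and chosen so that 44 rates Critical.
RISK_BANDS = [(40, "Critical"), (25, "High"), (12, "Medium"), (0, "Low")]


@dataclass(frozen=True)
class Finding:
    name: str
    damage: int           # Damage Potential
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int
    effort: str           # remediation effort level (key in EFFORT_RANK)

    def components(self) -> tuple:
        return (self.damage, self.reproducibility, self.exploitability,
                self.affected_users, self.discoverability)

    def dread_total(self) -> int:
        """Sum of the five DREAD components; each is expected in 1..10."""
        for c in self.components():
            if not 1 <= c <= 10:
                raise ValueError(f"{self.name}: component {c} outside 1..10")
        return sum(self.components())

    def risk_rating(self) -> str:
        total = self.dread_total()
        return next(label for floor, label in RISK_BANDS if total >= floor)


def findings_matrix(findings):
    """Order findings as the report's matrix does: highest DREAD score
    first, ties broken by the lowest remediation effort (assumed weighting)."""
    return sorted(findings,
                  key=lambda f: (-f.dread_total(), EFFORT_RANK[f.effort]))


# Open AP scores are the report's; the WEP finding's scores are constructed
# here because the page does not reproduce that finding's DREAD table.
OPEN_AP = Finding("Open Access Point (ACME)", 7, 10, 10, 10, 7, "LOW")
WEP_AP = Finding("WEP Encryption in use (ACMENC)", 7, 9, 8, 10, 7, "MODERATE")
```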

Posted: 04/07/2014, 14:50
