
Wireless SSID Enterprise Discovery

Tenable's research group recently released a WMI-based plugin for Nessus 3 that can determine the active wireless SSID for remote Windows devices. This allows an organization to obtain a list of active wireless domains for all Windows devices on its network. This blog entry discusses the security and auditing ramifications of this plugin.

Example Report

Below is an example report generated by this Nessus plugin. The SSID of the laptop scanned was "mytestssid".

Synopsis :

It is possible to obtain the active associated wireless SSID of the remote
computer.

Description :

This script uses WMI to obtain the wireless network card and associated SSID
of the remote computer. The remote system must have an active wireless
connection for this detection to occur.

Solution :

Make sure any SSIDs that are discovered comply with corporate policy.

Risk factor :

None

Plugin output :

Network Card Type : Intel(R) PRO/Wireless 3945ABG Network Connection
Network SSID: mytestssid


Why is this useful?

There are two questions answered with this plugin:

  • Do we have any "wired" devices that have also associated with a wireless domain?
  • Which wireless domains are active on our network?

If wireless networks are authorized in your network, then they can be audited with this plugin. Collecting the active wireless domains on each host is very easy when scanning with a credentialed Nessus scan.

The most serious finding is a host on your network that is associated with an external wireless access point while also holding an internal "wired" connection. If your offices are near public wireless access points, access points from nearby businesses or even available access points inside your organization, you may have laptops that have a wired link and are also associated with an unauthorized access point. This could bypass your firewall or access control, provide direct access to a system that might not be patched or even expose files and network shares to attackers outside of your network.

If a Windows system is found with an active wireless device, it should also be questioned whether this is authorized. Organizations that have trouble managing mobile devices and networks would find it interesting to get an accurate list of all SSIDs in use. This plugin may find new or unauthorized SSIDs in use that your IT organization was unaware of.

Analyzing the Data with the Security Center

Once scans have been completed, the Security Center can easily be used to analyze the data. There are two basic techniques that can be applied - ad hoc analysis and creation of dynamic asset lists based on the detected SSIDs.

For ad hoc analysis, the Security Center can be used to navigate and browse the collected information. The "text" field can be used to highlight any matching systems with known SSIDs. For example, to obtain a list of all systems with an SSID that matches "SSIDTEXT", type that string into the text search box and search for plugin ID #25197, as shown below:

[Screenshot: Security Center search using the text field and plugin ID #25197]

All matching hosts can then be sorted by IP address, MAC address, DNS name or Windows name, and the entire set of matched data can be exported as a spreadsheet or PDF report.

The Security Center can also use the content from Nessus and Passive Vulnerability Scanner discoveries and audits to create lists of computers based on certain parameters such as open ports, the output of a check and so on. These are known as "dynamic asset lists".

For analysis and reporting of discovered network SSIDs, there are two approaches that can be used:

  • Create a dynamic asset list for each "known" SSID
  • Create a dynamic asset list of "unknown" SSIDs

If you had an SSID of "CORPORATE", you could create a dynamic asset list that looked for the presence of plugin ID #25197 and the content "CORPORATE". If your set of corporate approved SSIDs all had the same sort of root text such as "CORP1", "CORP2", "CORP3" and so on, you may want to consider only testing for the pattern "CORP" or a regular expression of "CORP[0-9]{1,3}".
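An offline analogue of the known/unknown split described above, as an added example (not Tenable's code or a Security Center feature): it parses constructed plugin #25197 output and groups hosts by SSID, matching the whole SSID against the pattern so that names which merely contain "CORP1" end up in the unknown list. The host addresses, SSIDs and function names are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample: plugin ID 25197 output per host, in the layout of the
# example report on this page. Addresses and SSIDs are invented.
CARD = "Network Card Type : Intel(R) PRO/Wireless 3945ABG Network Connection\n"
SAMPLE_RESULTS = {
    "192.0.2.10": CARD + "Network SSID: CORP1\n",
    "192.0.2.11": CARD + "Network SSID: CORP27\n",
    "192.0.2.12": CARD + "Network SSID: mytestssid\n",
    "192.0.2.13": CARD + "Network SSID: CORP1-guest\n",
    "192.0.2.14": CARD + "Network SSID: CORP1234\n",
    "192.0.2.15": "",  # no active wireless association reported
}

APPROVED = re.compile(r"CORP[0-9]{1,3}")  # pattern suggested in the text
SSID_LINE = re.compile(r"^Network SSID[ \t]*:[ \t]*(.*?)[ \t]*$", re.MULTILINE)


def extract_ssid(plugin_output):
    """Return the SSID from one host's plugin output, or None if absent."""
    match = SSID_LINE.search(plugin_output)
    return match.group(1) if match else None


def classify(results, approved=APPROVED):
    """Split hosts into {ssid: [hosts]} maps for known and unknown SSIDs."""
    known, unknown = defaultdict(list), defaultdict(list)
    for host, output in sorted(results.items()):
        ssid = extract_ssid(output)
        if ssid is None:
            continue
        # fullmatch: the entire SSID must fit the approved pattern.
        bucket = known if approved.fullmatch(ssid) else unknown
        bucket[ssid].append(host)
    return dict(known), dict(unknown)


def lookalikes(unknown, approved=APPROVED):
    """Unknown SSIDs that a substring test would have counted as approved."""
    return sorted(ssid for ssid in unknown if approved.search(ssid))


if __name__ == "__main__":
    known, unknown = classify(SAMPLE_RESULTS)
    print("known:", known)
    print("unknown:", unknown)
    print("review first:", lookalikes(unknown))
```

The `lookalikes` list is worth reviewing first: those SSIDs resemble an approved name closely enough that an unanchored "CORP" test would have filed them as known.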

Once the scans have been completed and asset lists have been created, there are several types of analytics that can be performed such as asking:

  • Are any IP addresses being used on SSIDs which are incorrect? This may provide insight into issues with poorly configured VLANs or DHCP servers. If incorrect IP addresses are being given out, this may also identify an access control issue.
  • Are there any vulnerabilities or open services (such as FTP or P2P) in use on wireless nodes with WEP disabled? For public access, not using the "Wired Equivalence Protocol" is convenient for your guests, but if permanent services reside on those networks, they may be attacked.
  • For critical asset groups such as your financial, human resources, demilitarized zones and so on, do any of their systems make use of wireless nodes? If so, are they authorized and properly secured?

For More Information

This Nessus plugin is currently available to Direct Feed and Security Center customers. Organizations interested in performing active and passive wireless assessments with Tenable technology should consider the following links and resources:

  • Using Nessus to Detect Wireless Access Points - This paper details how Nessus can be used to scan for a variety of web, FTP and SNMP management interfaces for a variety of wireless access point devices.
  • Passive Vulnerability Scanner - The PVS can also be used to sniff management activity to/from a wireless access point. In addition, if the access point also has multiple users behind it with NATed IP addresses, the PVS will identify this device.
  • Access Point Detection - Nessus plugin 11026.
  • Asking Vista for its list of Interfaces - This blog entry details plugin #24904 which uses the LLTD protocol to ask Vista OSes for their list of network interfaces and wireless SSIDs.
  • Network Interface Enumeration - Through WMI, Nessus can enumerate the list of active network devices, their assigned IP addresses and available routes on Windows computers.