Open network segments are usually provided as guest access so that visitors to an organization can reach the internet. As a consequence, open network attacks are typically restricted to captive portal checking (bypass, user enumeration, etc.), wireless client isolation testing, and infrastructure testing, since clients on the network do not usually belong to the target organization. Where guest access is provided, the network is not expected to provide any protection or privacy for connected clients.

In the rare case that an open network segment is provided for access to the corporate network, it will be useful to perform passive traffic analysis to determine whether sensitive corporate information can be observed as a result of the lack of encryption.

Procedure

Passive Traffic Analysis

Open wireless networks do not encrypt network traffic when it is transmitted over the air. As a result, any wireless monitoring device within range (which can be a considerable distance, depending on the antenna used) can intercept and analyze network traffic. Connected clients must rely on the service in use to provide confidentiality through transport or session layer encryption.

  • Use a passive analysis tool to identify an open network SSID and channel combination with actively transmitting clients.

  • Configure the passive analysis tool to record network traffic associated with the SSID and channel combination discovered above.

  • If necessary, convert the recorded traffic to pcap or pcapng format. Where collection is performed using Kismet, the following command can be used to convert the Kismet log to pcapng format.

    kismetdb_to_pcap --in [targeted Kismet log] --out [pcap filename].pcapng
    
  • Open the collected network traffic using the Wireshark network protocol analyzer.

  • Navigate to the Statistics > Protocol Hierarchy menu item and investigate the composition of the packet capture file.

  • Investigate any cleartext protocol conversations for sensitive information.

  • Repeat as necessary.

Note: This check can be used to demonstrate impact, but is generally unnecessary, given that open networks are widely known to provide no privacy and should be considered risky.
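The protocol hierarchy review in the steps above can also be done from the command line: `tshark -r [pcap filename].pcapng -q -z io,phs` prints the same statistics as the Statistics > Protocol Hierarchy menu item. The following added example (not part of the original procedure) parses that output and lists the cleartext protocols worth a closer look; the `CLEARTEXT` list and the sample output are assumptions constructed for illustration.

```python
import re

# Wireshark dissector names treated as cleartext (assumed list; extend as needed).
CLEARTEXT = {"http", "ftp", "telnet", "smtp", "pop", "imap", "snmp", "tftp", "ldap"}

# Constructed sample of `tshark -r capture.pcapng -q -z io,phs` output.
SAMPLE_PHS = """\
===================================================================
Protocol Hierarchy Statistics
Filter:

radiotap                                 frames:1200 bytes:910000
  wlan_radio                             frames:1200 bytes:910000
    wlan                                 frames:1200 bytes:910000
      llc                                frames:900 bytes:880000
        ip                               frames:900 bytes:880000
          tcp                            frames:700 bytes:800000
            tls                          frames:400 bytes:600000
            http                         frames:120 bytes:150000
            telnet                       frames:30 bytes:4000
          udp                            frames:200 bytes:80000
            snmp                         frames:50 bytes:50000
===================================================================
"""

ROW = re.compile(r"^(\s*)(\S+)\s+frames:(\d+)\s+bytes:(\d+)")

def parse_phs(text):
    """Return [(name, path, frames, bytes)]; path is built from indentation."""
    rows, stack = [], []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, filter and separator lines
        indent = len(m.group(1))
        while stack and stack[-1][0] >= indent:
            stack.pop()  # climb back up to this row's parent
        stack.append((indent, m.group(2)))
        path = "/".join(name for _, name in stack)
        rows.append((m.group(2), path, int(m.group(3)), int(m.group(4))))
    return rows

def cleartext_findings(text):
    """Return (protocol, frames, bytes, % of all frames), largest by bytes first."""
    rows = parse_phs(text)
    total = rows[0][2] if rows else 0
    hits = [(n, f, b, round(100 * f / total, 1)) for n, _, f, b in rows if n in CLEARTEXT]
    return sorted(hits, key=lambda h: h[2], reverse=True)
```

Each protocol returned by `cleartext_findings` can then be used as a Wireshark display filter to review the corresponding conversations.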

Wireless Client Isolation Testing

Infrastructure Checking

Captive Portal Checking

The captive portal on an open network is typically used to limit guest access to the network and force users to accept the organization’s Acceptable Use Policy (AUP). Demonstration of captive portal bypass is generally low-risk, unless the open network is being used for corporate access in some manner. On guest network segments, this activity has a lower priority than other attacks.