CWSP Exam Objectives
Last Post: March 26, 2006
You are right about the Wi-Foo book being focused on Linux and BSD. Wi-Foo is an excellent primer on wireless network vulnerabilities and penetration testing. While Gast's book is an excellent choice for understanding the 802.11 technology, it also includes some good material regarding the security aspects that are required by wireless security engineers.
You made me curious as to whether the combination of these two books along with access to the 802.11i standard and other documents would provide enough background to prepare for the CWSP exam. So I pulled out my beat-up copies of both books, printed out a fresh copy of the CWSP 2006 Exam Objectives, and started comparing.
Environment
As you mentioned, the CWSP exam is vendor neutral and as such you will not be expected to be familiar with any one particular operating system or set of security applications over another. However, your choice of Operating System will determine what tools are available for you to use.
For CWSP prep, you can work in whatever environment you feel most comfortable with or you may wish to jump from one to another. The important thing is to understand the concepts that the objectives are trying to convey.
I believe that Linux offers the most freeware applications, and generally speaking, they are the most versatile of all the 802.11 security tools. But they are also the most difficult and temperamental to stage and operate correctly. I have been able to successfully use most of the examples in the Wi-Foo book and have found those tools to be extremely powerful for demonstrations and penetration testing projects. In order to succeed with those examples you will need to pay special attention during Wi-Foo Chapter 4. Make sure that you get all of the suggested Linux drivers (PCMCIA-CS, Linux-WLAN-NG, Host AP, AirJack, and Mad WiFi for dot11G/A) working with your wireless card(s) before proceeding to compile and run the security applications. Then make sure you can switch back and forth between the drivers, easily. The tools listed in Wi-Foo were designed for 802.11B. You might be able to get them to run on 802.11G/A cards by using the Mad WiFi drivers for Atheros chipsets.
Be sure to use the exact version of the application that is listed in Wi-Foo if you expect to be able to follow the instructions step-by-step. Many of these applications have newer versions that may not work exactly the same as the way they are documented in Wi-Foo.
If this seems daunting, you can get nearly the same benefits by using less demanding applications and OS's. For instance, Apple Mac system 10 is based on BSD and many of the BSD examples in Wi-Foo are readily available for painless installation and operation on the Mac.
Another choice is the Auditor Security Collection, which is a set of pre-configured Linux security applications (drivers and all) that you can download freely (http://www.remote-exploit.org/index.php/Auditor_main) and burn to a self-booting CD. I have found that Auditor boots correctly on many different models of laptop but not on all of them. If you are not able to get Auditor to boot, there is another good bootable Linux security collection called Knoppix STD (Security Tools Distribution). It can be found at http://www.knoppix-std.org/. One of these two bootable Linux OS's should work with your laptop.
If you prefer to work in a Windows environment you can find enough good, free utilities to allow you to test many of the examples needed to understand the objectives of the CWSP exam.
Objective 1.0 - WLAN Discovery
For Linux use Kismet
For Mac use KisMac
For Windows use NetStumbler
Check out http://www.wigle.net/ which is an online database of 5 million WiFi Access Points that have been mapped during the annual World Wide War Drive contests. It's interesting to see if your location is listed there for the world to see.
Objective 2.0 - Network Attacks
Linux has the most attack applications. Use the tools in Wi-Foo Chapter 6 to test all of the vulnerabilities referenced in Objectives 2.1 and 2.2.
This is where Windows has the least number of security applications to help you. You may be able to find the old Prism Test Utility out on the web. With that and a suitable 802.11B card you can run the Queensland DoS attack. Also with Windows you can break WEP with AirCrack, and recover weak passphrases from WPA/WPA2 Personal using coWPAtty. If you have WildPackets AiroPeek (there's a free time-constrained trial version at http://www.wildpackets.com/support/downloads) you can recover MS-CHAP-v2 hashed passwords from PPTP and Cisco LEAP using ASLEAP.
For simple frame captures and eavesdropping on Linux, just use tcpdump but for full-blown protocol analysis on Linux use Ethereal.
Ethereal is also available for Windows but on the versions I have tested I was never able to decode the management and control frames which are extremely important for identifying and pre-analyzing a target WLAN. Unless that has changed, I'd recommend that you use a commercial PA with Windows. AiroPeek and the others, while expensive, are good investments for your future professional toolkit. If you could only purchase one $3000+/- WLAN tool, I'd recommend AirMagnet Laptop Analyzer. It contains a pretty decent PA as well as many other useful built-in tools. You get a lot of functionality for your money with AirMagnet. Another good alternative for a full-blown, commercial Windows PA would be CommView for WiFi. This program is much less expensive than most of the others and it has two additional modes that are helpful for preparing for CWSP that are not typically found in the other Windows Protocol Analyzers. CommView for WiFi has a built-in Frame Generator and it also has the ability to capture and reconstruct live TCP sessions. Be very careful how you use these two utilities as there may be legal issues.
Objective 3.0 - Network Monitoring
The first two CWSP objectives comprise 25% of the exam. Objective 3.0 - Network Monitoring, accounts for 25% by itself.
Once again, using Wi-Foo and Linux you can test all of the Objective 3.0 scenarios using free applications. For WIPS try setting up a server-based, distributed, Kismet WIDS system, or for an out-of-the-box deployment try WIDZ (p. 448) or wIDS (p. 449). wIDS will also allow you to re-route your wireless traffic to a higher layer IDS system such as Snort. Snort is a free, Linux-based intrusion detection engine. (Don't mistake Snort the IDS for AirSnort the WEP cracker.)
I can't think of any free, Windows-based WIDS/WIPS systems. Maybe someone else can.
Objective 4.0 - Security Solutions
This section accounts for 40%.
Wi-Foo and M. Gast's "802.11 Wireless Networks" are very good books but they are a bit outdated. Nearly all of the wireless vulnerabilities referred to in those books can be remediated by enabling proper, 802.11i security mechanisms. The exceptions to that statement would be RF- and protocol-based Denial-of-Service attacks and Rogue AP insertions on the backbone network. Nothing can be done about the DoS attacks except to use a WIDS/WIPS to seek and remove the intruder. The only thing that can prevent Rogue AP insertions is physical security and the use of 802.1X on the wired network. It's true that coWPAtty can be used to recover passphrases from WPA/WPA2 Personal, but only if weak (short) passphrases were used. If used correctly WPA/WPA2 Personal (Passphrase/Pre-Shared Key) provides sufficient confidentiality for WLAN usage.
So, concentrate on understanding what is needed to enable WPA/WPA2 correctly, how to use a WIPS, and be sure to have a complete understanding of Confidentiality, Integrity, and Authentication as used in 802.11. Wi-Foo Chapter 10 is a good overview of this and Gast's Chapters 5 and 6 are also valuable to this objective. Wi-Foo chapters 11 and 12 are fascinating but are overkill for CWSP. You should understand how TKIP fixes WEP, how CCMP with AES works and replaces RC4, what the problems were with 802.11's original ICV and how Michael and CCMP have fixed that.
You should also know the details and differences of the major EAP types used in 802.11. Since you have the old CWSP study guide you can use it to refer to Kerberos, RBAC, and secure applications (HTTPS, SSL, etc). Wi-Foo has basic LDAP coverage in Chapter 13 and VPN information in Chapter 14. Be sure to try setting up a VPN if you haven't done that previously.
If you have been networking for some time you will already be familiar with network security and authentication practices. If not, you will want to review the following standards:
IEEE std 802.1X-2004
IETF RFC 2865 - RADIUS
IETF RFC 2284 - PPP Extensible Authentication Protocol
To try RADIUS and 802.1X/EAP with Linux you can set up FreeRADIUS. To create the digital certificates you'll need to install a certificate authority using OpenSSL and the scripts listed in Wi-Foo on page 342.
For Windows (if you have access to Windows 200X Server), you can use IAS for RADIUS and the free Certificate Authority included with the MS Server products.
Understanding the origins of the dynamic keys used in 802.11i is important. Read the IEEE 802.11i standard completely. This can be confusing though so be sure to also read the "chicken" whitepaper ("802.11i Authentication and Key Management (AKM)" by Devin Akin, May 2005) to better understand the RSN 4-way handshake.
Some of the topics under 4.15 are covered in the old CWSP study guide. The rest you will have to dig up from the Wi-Fi Alliance web site (http://www.wi-fi.org/) and from various wireless vendor sites. Be careful to differentiate vendor proprietary terms and technologies from standardized practices, though.
Objective 5.0 - Security Policy
This was well covered in the old CWSP study guide. There is some Security Policy coverage in Wi-Foo Chapter 10. You can also find more information on this topic at http://www.sans.org/ . In addition, the National Institute of Standards and Technology has a very good whitepaper containing checklists and best practices for Wireless Network Security, called NIST Special Publication 800-48 which can be found at http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf.
Summary
Many people have the skills and determination required to self-study and successfully prepare to pass a certification exam on their own. I think that by using the books you have selected, and with the addition of various vendor whitepapers and industry standards documents, you will be exposed to all the topics necessary to pass the CWSP exam. But, these books and documents can only open the door for you to step through and explore. It is up to you to research, verify, update, and generally follow the clues in order to make sure you fully understand the current state-of-the-science before you attempt to challenge the exam.
But I agree with Compughter, that it will be worth the effort even if you don't make it the first try.
Murph
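The 802.11i key hierarchy that the post's remarks on WPA/WPA2 Personal passphrases and on the RSN 4-way handshake refer to, as an added example that is not from the post or from the books it cites: the PMK is derived from the passphrase and SSID exactly as the standard specifies, then the PTK (KCK, KEK, TK for CCMP) is derived from the handshake parameters. The MAC addresses and nonces are constructed sample values; the EAPOL frame passed to the MIC helper is assumed to already have its MIC field zeroed by the caller.

```python
import hashlib
import hmac

# 802.11i PSK derivation (the same computation wpa_passphrase performs):
# PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output.
# Because only the SSID and the passphrase feed this function, a short
# passphrase is the only thing a captured handshake can be tested against.
def wpa_psk(passphrase: str, ssid: str) -> bytes:
    if not (8 <= len(passphrase) <= 63) or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters (802.11i)")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

# 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
# for i = 0, 1, ... and truncate to n bits.
def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]

# PTK from the 4-way handshake: PMK, authenticator address (AA), supplicant
# address (SPA), ANonce (message 1) and SNonce (message 2). Min/Max ordering
# means both sides compute the same PTK whichever way the inputs are listed.
# CCMP needs 384 bits: KCK (MIC key), KEK (GTK wrap key), TK (data key).
def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

# EAPOL-Key MIC for key descriptor version 2 (CCMP): HMAC-SHA1 with the KCK,
# truncated to 128 bits, over the frame with the MIC field set to zero.
def eapol_key_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]

# Constructed sample handshake (addresses and nonces are made up).
def demo() -> dict:
    pmk = wpa_psk("ThisIsAPassword", "ThisIsASSID")
    aa = bytes.fromhex("00a1b2c3d4e5")      # constructed AP address
    spa = bytes.fromhex("001122334455")     # constructed station address
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    keys = derive_ptk(pmk, aa, spa, anonce, snonce)
    keys["MIC"] = eapol_key_mic(keys["KCK"], b"\x02\x03" + b"\x00" * 16)
    return keys

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex())
```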