• Using AirMagnet WiFi Analyzer for security assessments

    10 Mar 2009

    While I’m on a roll testing out the latest security tools (can you tell I’m finally getting caught up on things?!) I wanted to write the follow-up to this previous post I promised regarding AirMagnet’s wireless network analyzer (now dubbed WiFi Analyzer).

    I’ve been using WiFi Analyzer for years…it now supports 802.11n for those of you on the “bleeding edge” and it even has some automated security checks for “n”. As long as you use one of their supported wireless NICs, you can have it up and running in a minute or two. One noticeable difference is the tweaks they’ve made to the user interface. I like how’s it laid out – everything’s within a click or two. It also has some nice reporting features if you need that for compliance purposes – something you’re not going to see much of with the open source wireless tools.

    In the context of security testing you can use a tool such as this to find rogue devices in your environment….even ones that are not using supported encryption methods. The scanner’s main interface is shown in the following screenshot:
    ….Keep in mind that the longer you let a scanner such as this run in your environment the more data it’ll capture on wireless hosts and the better off you’ll be. Recently after letting it run for about 30 minutes and it had found 10-15 wireless devices….after a few days, it uncovered several dozen. It’s the nature of wireless – who’s broadcasting/advertising when – and so on…so be patient.

    You can use WiFi Analyzer Pro to hunt down rogue devices with it’s Find tool that uses signal and noise meters to show you when you’re getting “hot” or “cold” in your search as shown in the following screenshot:
    For open APs, you can use WiFi Analyzer to associate with them, grab an IP address, and peform basic pings as well as Internet lookups – things you have to do the old-fashioned way (within the OS) otherwise. The Connection Test tool is shown in the following screenshot:
    The scanner will also grab SSIDs that workstations have associated with in the past as shown the following screenshot:
    These wireless associations can be very telling…showing you where users have been and whether or not they’re violating your remote access, travel, and wireless security policies. Good ammo if you’re trying to sell management on policies, wireless IPS, etc.

    Whether you support wireless or not, odds are you have it. And AirMagnet’s WiFi Analyzer is yet another tool to add to security toolbox.