Wireless Camouflage?
Anonymous Coward writes "Black Alchemy's Fake AP generates thousands of counterfeit 802.11b access points. Hide in plain sight amongst Fake AP's cacophony of beacon frames. As part of a honeypot or as an instrument of your site security plan, Fake AP confuses Wardrivers, NetStumblers, Script Kiddies, and other undesirables. Fake AP is a proof of concept released under the GPL."
Perhaps the author of this tool forgot to read this:
http://slashdot.org/features/980720/0819202.shtml
Won't this kill available bandwidth?
FP, but this is smart. Too bad companies probably won't have the know-how and intelligence to put this into effect.
Hed23
Fake breasts?
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
Kudos!!
* bows to anonymous coward *
In Soviet Russia you don't have to put up with these crappy jokes
So you set up one of these things... How do your devices know what's real?
Couldn't this software also be used to confuse actual end users' wireless cards that try to find the legitimate AP? Seems like most wireless cards/software would have a hard time finding the real AP if there are 53,000 fake ones to choose from.
hehehehe. That joke never gets old.
well not to me anyway.
You take the red pill!
Karma whorin' since 1999
Correct me if I'm wrong, but a quick scan through the README doesn't seem to imply it'll do anything more than scream at the top of its digital lungs with ever-changing AP SSIDs.
Isn't that going to completely slaughter your actual AP?
how long before the DMCA starts saying that "counterfeit 802.11b hot spots" is like DoS attacks on the WiFi community? I'm sure they'll find something wrong with this - even though I think it would be great considering I use an 802.11b wireless connection that sometimes seems to drop its speed when a lot of people are nearby - hhmmm.....
Ave Molech Setting
They have the correct SSID entered in their settings.
to port it to Windows?
I'm not being a prick... But there are a lot of users out there who use WinDoze and this would be another tool in protecting us from those crazy script kiddies...
Oh to be young and under 18 again...
Tournament Management Online &
So I get a list of hundreds of access points. My trusty computer can be programmed to check them all one by one. Only the legit one will respond. I realize this is a bit slower, but I think the number of fake APs needs to be huge to hurt the war drivers.
In fact, I think that the problem with this solution is the amount of effort expended in defense is equal to the amount of effort for the war driver. You've got to have a PC pumping out fake APs constantly. Both radio modems are putting out the same bandwidth. This isn't a good equation for most of us.
Good encryption, on the other hand, takes only a few cycles to do but a gazillion cycles to undo. That's a great ratio of defense to offense.
Plus, don't the fake APs still end up jamming the channel? If you're faking an AP, someone else can't use the channel on that microsecond. Given that wardrivers come only occasionally, but the jamming goes on constantly, I think that the legitimate users will pay a big price in network access for something that would only slow war drivers down a bit.
But I may be wrong.
I spent a year in Iraq looking for WMD and all I found was this lousy sig.
So this program creates a whole host of fictional access points? Well, a few points I don't get
How do *you* the correct user, find out which AP is correct?
What keeps the wardriver from doing that?
How does this affect performance?
how does this affect range?
If it doesn't affect either of the two above, then how does it work? It requires, apparently, only one 802.11b card...
Of course, I only run a small wireless network, and I am really not the most technically skilled of people. However, I use whatever security I have (the relatively weak WEP, with a well generated key), and would love having a bit more assurance of network safety.
Anyone who understands this willing to come forward?
(And not just understanding in principle, I understand their whole spiel about hiding in plain sight, like an apple in a barrel of apples.)
Is there really such a problem with people mooching off wireless networks?
I mean come on. Is the big problem in today's work environment really that before all the staff can play Quake III on the company LAN someone has to go out and scatter all the hooligans with laptops?
This is cool, don't get me wrong. But if encryption isn't enough, go with the cat5 cable.
Anyone who cannot cope with mathematics is not fully human. At best he is a tolerable subhuman who has learned to we
Pretty much everything on the site is included in the submission. Fairly amusing... anyone tried this? How about a full report on its usage in a heavily wardriven area like downtown Chicago or San Francisco?
put the what in the where?
That has got to be one of the coolest things I've seen. The article is a lil short on details but this reminds me of the article on LaBrea, the software to mire the MS worms....
This is pretty innovative.....sorry just my 2 cents.
Vote early. Vote often. Vote CowboyNeal.
It won't work! Of the 50,000 APs you just need to find the one called tsunami.
that doesn't eat up bandwidth on your network, is to simply disable beacons on your AP. Having thousands of beacons sent makes it fairly obvious that there's an actual AP somewhere in the area, and there are other ways to determine the real network name.
Admittedly, not all APs allow beacons to be disabled. But then, Kismet doesn't need them at all to detect networks.
Let's hope that this concept is never applied to physical security. Imagine working in an office/cubicle with 32 keyboards and 64 mice, RJ45 and RJ11 jacks everywhere, throw in some extra PC cases to fill every inch under your desk -- with only one of each that actually works
First, uncloaking networks. Then, invisible cloaks. Now, cloaking networks.
Next thing you know, we'll see a post about the invention of visible cloaks.
Good judgment comes from experience.
Experience comes from bad judgment.
...every time somebody goes on a silly hackers witchhunt. Been asking for a long time!
Not everyone accessing wireless networks is bad. Nor is everyone even doing it intentionally. I, for one, having accidentally come across an insecure wireless LAN, will do everything in my power to attempt to notify the owner and tell him to secure it. Given fake access points, this will only create more insecure wireless LANs because nobody will want to report insecure ones to the owners.
This won't do anything to hide an active network, people will just look at the data traffic instead of the beacons.
So, we have a story submitted by an AC, linking to a site with very little information on it. Mayhaps the AC was the site operator?
Now, how does this generate all the frames? Does it require the 802.11 interface to be on the Linux box, or does it manage to send the data to the interface as normal packets. In other words, if I am using one of the Linksys router/802.11 boxes, can I run this on my normal Linux box, or do I need to hack the Linksys to run Linux?
And what is the effect on throughput? Any time the system is sending a fake frame, that is time it cannot be sending real data.
www.eFax.com are spammers
This is like painting your house the same color as the hill behind it, or better yet, using mirrors to create a bunch of fake reflections of houses. Not using encryption over wireless is akin to having no key-lock on the front door. Obscuring your house does little to keep someone from taking your precious collection of Atari 2600 cartridges.
Error: PANTS NOT FOUND. Press <F1> to continue.
Because you *should* know what your SSID is. Your correctly configured device will have no problem making a connection, but some 3viL Hax0r will have a hell of a time connecting.
Michael Loves Me!
party line for all of us was to mock security-through-obscurity. Did I miss a memo?
Oh, I see. It runs on Linux. Never mind. Carry on and sing praises to it.
The packets that announce an AP consume a tiny fraction of your available bandwidth. There should not be a noticeable drop in bandwidth.
Michael Loves Me!
As a wardriver, I think that this would definitely confuse and annoy anyone driving around.
However I've noticed that companies with wireless APs tend to be in clusters in close vicinity to each other. I'm just wondering what the effects on the person's neighbor would be. I could just see someone running this and just confusing the hell out of his neighbors. It would be even worse if the fake broadcasts were on different channels, then there would be real chaos with legit users.
Fun to play with, but not practical for production since a determined attacker would wade through the data to get your real SSID
Just my $0.02
Where are we going, and why are we in this hand cart?
click me
It seems to work very well and would foil would-be wardrivers.
A strange game. The only winning move is not to play. How about a nice game of chess? - Joshua (Wargames)
This is absolute retardness. I mean it.
If you can't secure your own network, why are you being a pest to other networks around you? This tool would hinder other legit network users of other networks close to this. This is a nightmare... the tool itself could be classified as virus or worse.
... fake pussy!!
How's this different from security through obscurity? Why's everybody finding it so cool?
Am I the only one who saw this and thought of Starbucks?
:-)
no sig.
This sounds more interesting to me. I have not closely looked at the exploitation of WEP to see if introducing a low level (~1%) of improperly encrypted packets would cause problems or not. My guess is that it would, although you would have to be careful that the false encryptions were subtly wrong. What I do not know is how much harder it would make it. Perhaps more important, I do not know how possible it is to do with commercial cards.
Of course, the much better solution would be if encryption was used properly by wireless networks. If you add a good key management system, it might even be usable (a globally shared key is just not a good idea). Many people are working on these, of course. Of course, it does not matter how good your encryption is if people do not use it.
Ummm, no.
That's probably its achilles heal. If you measure which AP point has the most traffic, you've blown past any illusion of security this gives you.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"
The messaging of WEP security associations within the 802.11 MAC spec is performed in the clear by passing challenge texts and responses around.
So just compile a list of all the APs you see and listen out for a good security association. From this you can divine the real AP.
With the proposed enhanced security mechanisms (TKIP & AES) the encryption similarly is not turned on until a security association (based on 802.1x) is completed. You can see this happen on the air and you can see which AP is being communicated with.
For this to work well you might need to also fake lots of good security associations to all the fake APs that are beaconing.
I see this is a poor mechanism. It is security through obscurity. It can be circumvented and the beacons suck away bandwidth.
TKIP is the way to go.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
but where there is smoke, there is fire.
This will just prove that there is, in fact, an AP to look for but it will require some work.
If this becomes popular look for wardialers for wardrivers.
For anyone who doesn't know: http://www.webopedia.com/TERM/S/SSID.html
You still need a secure authentication b/c the ssid can be sniffed. What solutions are there for this prob?
why run from Vincenzo?
While I was at defconX, I fired up kismet at one point, and started to see lots of APs. It turns out that the folks sitting behind me were from Black Alchemy, playing with this neato tool. I personally saw about 600 APs/minute with this tool under kismet, and they had lots of dumb windows clients trying to associate with them. With some tuning, I'm sure they could get the number of APs per second to increase (They may have done this by the time of release).
:)
It was good stuff, and I ended up getting my name in the credits.
Whadda mean no?
This was my first post to Slashdot (I've been a lurker for years). And it was the first post (Ooo... wow =P)! So feh!
Anywho, I was just joking around in the first place. Just as I am now. =)
And how'd I get a Troll mod? What am I trolling for?
Ciao baby!
It made me think, say you have an "evil enemy" company, or wait.. a corporation (it sounds more evil somehow) which is stealing all your hard earned profits. All you have to do is get a car with a couple of nice antennas (if you want to do it nice, but perhaps you won't even need it) and a couple of laptops and park it close to their office. Then you intercept the channel and ssid of their wlan, and you start to flood it with a lot of random packets using their channel and ssid. That's going to be more than a little annoying then, perhaps to the point that some people would even call it a DOS attack right?
Now, I don't think such a thing is illegal or is it?
Come on! The idea is for them not to notice, and set up a barrier if they do. Not for you to set up a red light district.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
One point that has been missed thus far is this: FakeAP generates random ESSIDs at a default rate of 0.25 second. All one would have to do is watch for the beacon from a solid ESSID that comes in at a regular interval -- can we say simple perl/bash scripting?
The only way FakeAP can do any good is to give it a static ESSID, and a time interval equal to that of the real AP -- and even then, it would take one instance of FakeAP in its current form to imitate one real AP.
With some modifications FakeAP may be slightly useful in preventing unwanted/unmitigated access to wireless APs, but only when it can masquerade undetected to the would-be "hacker."
Fine, We will sniff for probe packets then.
Which makes this whole thing pretty pointless. If you don't want people to 'netstumble' you, don't beacon and pick some obscure (non dictionary) name for your ssid. Sheesh.
If you're smart enough and technically inclined enough to have a RedHat linux box to run this program on why not just run FreeRadius instead? It would seem to me that it would be better just to have a good authentication protocol and real security rather than just splatter crap all over the radio instead.
Someone living near me uses his (her?) last name followed by "ssid" as their SSID.
Which means I now know(to a high degree), without even checking signal levels which house has the UNENCRYPTED access point.
If you actually download it and look at it, you'll realize it's just a Perl script. Basically what it does is configure your laptop to be a real, functioning, access point. Every quarter second it reconfigures the card with a random MAC address and one of a handful of well-known SSIDs such as "tsunami" and "linksys". Which means if you run this near any poor sap who happened to leave his card in its default configuration, they'll be screwed as they continuously associate with your non-functioning access point.
Basically, I can't imagine this being effective at all against war-driving. But I can imagine it being quite effective as a DoS tool. Imagine setting it up with the SSID that Starbucks uses and walking into one of their shops with this. You could have half the customers futilely trying to connect to the legitimate service but getting your non-connected and continuously resetting "AP" instead. It would be easy enough for this "tool" to configure the card so that clients couldn't accidentally connect to it, by enabling WEP or MAC filtering or whatever. But it doesn't do that, or even try to. I understand it's version 0.2, but at this point I think it should be filed under "trojan horse" or "skript kiddie" given that it'll easily screw up legitimate users while doing basically nothing to protect you from any crackers around.
As others have pointed out, war driving gets old quick.
But anyone who goes to the trouble of trying to obfuscate their AP? Why, they are interesting!
They will get tracked down and potentially messed with. If for no other reason than "who's the Linux dude in my neighborhood".
I still think it is a neat hack.
How about streaming banner ads to the war drivers via the SSID? "EAT AT JOES. WWW.. BIG.. PORN.. NET.. MAKE.. MONEY.. FAST.. GREENCARD.. LAWYER.."
You configure it to talk to your WAP.
This product works a lot like a flare that is used to distract missiles or other military ECM. It's meant more as a distraction. I am surprised someone didn't come up with this idea before now.
I think the point is that it will waste the potential intruder's time - not that it will totally secure your network. If the potential intruder WANTS to get in, he/she will get in eventually. This is to confuse someone trying to just do a drive by hit.
Then again, there is no stopping luck - what if the person hits on the right access point the first time?
I haven't seen any studies on wireless where people are finding Wireless APs with the "Broadcast SSID" turned off (NetStumbler can't find WAPs if you have the "Broadcast SSID" turned off) and MAC security enabled (you can clone a MAC address but you have to have a card that can do this function). If you are going to run a Wireless AP, why would you let any MAC hook into your system and why would you broadcast your wireless AP? Ok, you might have some clueless users who don't know how to configure their laptops and yes, it is a pain in the ass to have to distribute the SSID and the encryption Network key to everyone but why would you make it that much easier for an intruder?
If you have a WAP that doesn't let you turn off the broadcasting of the SSID, why don't you research into either flashing the firmware to enable this feature or buying one that does let you do that? They aren't that expensive anymore.
e. Faust
I thought 802.11b was covered under Part 15 of the FCC rules. Doesn't this violate them by purposely generating interference?
Putting moderation advice in your
is with one of these: Barrett
Good luck... Michael will never admit he's wrong.
All 802.11b devices are constantly scanning the airwaves broadcasting clutter like this anyways. All it would take to stop the netstumblers is to filter out all of the nonsense ever-changing signals being generated by this program. I would guess if this thing only changes the SSID it would not stop the wardriver from picking out the rogue MAC address and ignoring everything coming from that MAC address, thus defeating the entire purpose of this program. Surely the author doesn't change the MAC address of his Prism card every single time he changes the SSID or WAP name...
If you don't want people using your network, require authentication. This doesn't protect you from a genuine "intrusion attempt" at all, and will stomp on the community wireless networks around you. I operate open access points at home and at work. Both my employer and my ISP (speakeasy.net) approve. I would be mightily pissed off if some asshole decided to fill the local SSID space with noise just to obfuscate his insecure network instead of closing it properly.
Ok, a flamebait subject, but get off your horse. It is a tool for FUN. Personally, I plan on using it to cause wardrivers to drive off 128 as their laptop goes bonkers in the front seat (128 is a main commuter parking lot around Boston for those not lucky enough to live there). Should be FUN!
that would be a "heel". Heal being the opposite of the intent of the term.
As for using the real traffic, now you're shifting from electronic countermeasures to signal intelligence. The standard way to hide valid signal traffic is to send lots of fake signal traffic. So someone will add a fake-traffic-generator to the mix.
Also note that if the purpose is to block outsiders from listening in, the noise might be transmitted from an outside antenna. So the camouflage traffic might not be heard well inside the building, while an outsider would have to deal with that obvious distraction.
There could also be an inside fake AP with different behavior -- it might even allow connections and sound an alarm or do other IDS functions. The outer shield would help reduce inner intrusions, which makes odd behavior in the work area of more interest than otherwise.
Heh.. A honeypot could also broadcast with the real AP but respond to wrong WEPs. So finding the right AP is not enough, you also have to use the right WEP key to connect to the real AP. The fake AP needs an antenna away from the real one so real clients won't try to connect to the wrong one... for that matter, fake client traffic can be provided...
I installed it and have it running. It's pretty cool and I can see how it can confuse wardrivers. Tomorrow I'm going to set up a few more of these at work and set them on the 24th floor of our building in downtown Chicago. hehehe
;)
Oh, and it does work with WEP. iwconfig is nice
so each 'time period' the AP is sending out the one real SSID, and a whole bunch of random SSIDs. So after a few time periods you can build up a collection of different SSIDs - one of which will be seen significantly more than all the rest: this is the real SSID.
mm
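The beacon-counting idea above (also raised in the "default rate of 0.25 second" post), the "just look at the data traffic" replies, and the objection that filtering by one MAC fails if the tool randomises the MAC all reduce to the same small analysis. The following is an added example, not code from Fake AP or from any poster: it builds a constructed capture inline (one real AP with client traffic plus a decoy that changes BSSID and SSID every 0.25 s, beaconing like a normal AP in between) and separates the real AP from the decoys by keying on BSSID rather than SSID, since the decoys recycle well-known SSIDs. The BSSID, SSID and timing values are assumptions chosen for the demonstration, and the frame records are a simplified stand-in for what a sniffer such as Kismet would hand you.

```python
import random
import statistics
from collections import defaultdict

BEACON_INTERVAL = 0.1024   # standard 802.11 beacon period: 100 TU of 1024 us
DECOY_PERIOD = 0.25        # the decoy's reconfiguration rate, as described in the thread

# Hypothetical identifiers for the constructed capture.
REAL_BSSID = "00:02:2d:aa:bb:cc"
REAL_SSID = "corpnet"
DECOY_SSIDS = ["tsunami", "linksys", "default", "wireless"]


def random_mac(rng):
    """Random locally-chosen MAC in a fixed OUI (constructed, not a real vendor claim)."""
    return "00:02:2d:%02x:%02x:%02x" % tuple(rng.randrange(256) for _ in range(3))


def build_capture(seconds=10.0, seed=1):
    """Constructed capture: a real AP with client traffic plus a decoy card
    that switches BSSID and SSID every DECOY_PERIOD, beaconing normally in
    between. Returns frames sorted by time."""
    rng = random.Random(seed)
    frames = []
    # Real AP: regular beacons, and a data frame from a client every 0.5 s.
    for i in range(int(seconds / BEACON_INTERVAL)):
        frames.append({"t": i * BEACON_INTERVAL, "type": "beacon",
                       "bssid": REAL_BSSID, "ssid": REAL_SSID})
    for i in range(int(seconds / 0.5)):
        frames.append({"t": i * 0.5 + 0.03, "type": "data",
                       "bssid": REAL_BSSID, "ssid": None})
    # Decoys: each identity lives for one DECOY_PERIOD and beacons at the
    # standard interval during that slot; nothing ever moves data through it.
    # Probe/association attempts from confused clients are left out here.
    for slot in range(int(seconds / DECOY_PERIOD)):
        bssid, ssid = random_mac(rng), rng.choice(DECOY_SSIDS)
        t = slot * DECOY_PERIOD + rng.uniform(0, 0.02)   # reconfiguration jitter
        while t < (slot + 1) * DECOY_PERIOD:
            frames.append({"t": t, "type": "beacon", "bssid": bssid, "ssid": ssid})
            t += BEACON_INTERVAL
    frames.sort(key=lambda f: f["t"])
    return frames


def beacon_stats(frames):
    """Per-BSSID beacon count, advertised SSID and inter-beacon jitter.
    Keying on BSSID rather than SSID matters: the decoys recycle a handful
    of well-known SSIDs, so an SSID histogram would be polluted."""
    times = defaultdict(list)
    ssids = {}
    for f in frames:
        if f["type"] == "beacon":
            times[f["bssid"]].append(f["t"])
            ssids[f["bssid"]] = f["ssid"]
    stats = {}
    for bssid, ts in times.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        stats[bssid] = {
            "ssid": ssids[bssid],
            "count": len(ts),
            "jitter": statistics.pstdev(gaps) if len(gaps) > 1 else None,
        }
    return stats


def bssids_with_data(frames):
    """BSSIDs that carry data frames: a decoy never does, an AP in use does."""
    return {f["bssid"] for f in frames if f["type"] == "data"}


def identify_real_ap(frames):
    """Prefer a BSSID that moves data. Otherwise fall back to the BSSID that
    beacons most: per-slot MAC randomisation gives every decoy only a few
    beacons, while the real AP keeps one BSSID across every slot."""
    with_data = bssids_with_data(frames)
    stats = beacon_stats(frames)
    if with_data:
        return max(with_data, key=lambda b: stats.get(b, {"count": 0})["count"])
    return max(stats, key=lambda b: stats[b]["count"])


if __name__ == "__main__":
    cap = build_capture()
    st = beacon_stats(cap)
    print("distinct BSSIDs seen:", len(st))
    real = identify_real_ap(cap)
    print("real AP:", real, st[real])
```

Against the constructed capture the real BSSID accumulates close to a hundred beacons and all of the data frames, while every decoy identity shows up with two or three beacons and no data, which is the pattern the thread predicts a wardriver would script for. Hiding the real SSID behind the decoys' SSIDs does not change that picture; only the beacon-less, authenticated setup that other posters recommend does.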
As has been pointed out in other replies to this story:
it's easy to sniff for data traffic and thus ignore the fake access points,
this is a useful DoS tool more than a way of securing networks.
Seems to me that as long as network admins, users or Jo-average-computer-at-home-user keep thinking of 802.11 kit as an "alternative to wires", we'll be stuck with all the security problems. Wireless = broadcast. That will inevitably involve sending your data out to anyone who cares to set up an antenna and kit to receive it. You trade the convenience of not having to run wires for the insecurity of broadcasting your bits to the world. Anyway, given that this unpleasantly insecure technology is spreading worldwide, it's interesting to see this article at CNet about small, cheap 802.11 chipsets destined for set-top boxes. I contentedly predict that in a couple of years there'll be scares about wardrivers sniffing what people are watching on their wireless TVs :)
Anna B
...Would be trying to avoid venereal disease by dumping condoms all over the place hoping that one of them will land on your penis. ...Or maybe not. I don't think STDs and wireless networking can be directly compared... -_-
A user of this tool sits in an airport, closes his laptop in such a way that it runs when the laptop is closed. Suddenly nobody has wireless access.
Sounds like a terrorist activity if you ask me.
At which point you start loving some of the wireless vendors who do not have this setting easily available. You love the older linux Prism drivers even more. The only love that shines greater is the love to driver authors who always scan for all APs before offering you a choice and overflow a fixed limit in the dialogs (there is one like that out there).
To be continued ad nauseam... Grghh....
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
You can use IPSec on your gateway to prevent random people from using your gateway. Real security also has all kinds of side benefits, such as actually having reasonable assurances of security.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
This might slow down wireless intruders, but not stop them ... ... Now if we were to come up with a package that makes a computer pretend it was an open relay we would be set.
;-) A spammer finds what he thinks is an open relay and all it does is send his junk to /dev/null.
...
Imagine a Beowulf cluster of these
If everyone did this, we would raise the cost of spamming. It will not stop spammers, but it will make them have to check if the relay is actually working by spamming themselves. Nice little breadcrumb trail, no more bulk sending blind
TastesLikeHerringFlavoredChicken
We should stop this attitude in its tracks, it is a selfish and irresponsible waste of bandwidth.
1) WarChalking &| WarDriving are not crimes, the bands used by 802.11 are *public airspace* they belong to *everyone* not *anyone*.
2) The vast majority of 802.11 access points are still experimental and like the early days of the Web are *supposed* to be *free* to use by responsible early adopters.
3) If your AP is not intended for public use, it is its owner's responsibility to secure it.
Just because something is public does not mean that rules do not apply to this public space. A park is a public space but there are rules about how you can use it, the unlicensed spectrum used by 802.11b is available for anyone to use but you are still required to follow FCC regulations regarding how you operate within this spectrum. There are rules that dictate how your wireless card operates, how much power it can put into its signal, etc.
In fact, it might be wise of you to consider this in terms of another user of this particular segment of the spectrum -- cordless phones operating at 2.4 GHz. The signal goes out over the same unlicensed spectrum band, but if you were to create a base station which prevented your neighbors from using their cordless phone handsets (even if it was accidental) you could be fined for violating the FCC rules regarding this slice of the spectrum. If you were to monitor and record a transmission between the base station and remote node you would be breaking the law. If you created a phone handset that masqueraded as your neighbors handset and used his phone base station (and phone line) for your calls you would be breaking the law. Both offenses can bring stiff fines and jail terms, something that aggressive wardrivers and 802.11b access point "borrowers" might want to keep in mind...
This tool is essentially conducting an Area DOS attack against peer 802.11 services.
You seem to be misunderstanding my position. I am AGAINST this tool.
You also seem to be making incorrect assumptions about what WarChalking &| WarDriving are about, it is no more about cracking than hacking is. The majority of people doing these are the very people trying to develop innovative uses of the technology.
I suggest you peruse this site: http://www.wardrivingisnotacrime.com/
spectrum used by 802.11b is available for anyone to use but you are still required to follow FCC regulations regarding how you operate within this spectrum
I agree. Though the author of this tool clearly does not. It is essentially an area denial of service attack for 802.11, filling the spectrum with invalid SSIDs. This is akin to seeding local DNS servers with invalid domains, or worse, hijacking popular domains. I am sure that the FCC would consider that abuse. I know the UK's Radio Communication Agency would.
but if you were to create a base station which prevented your neighbors from using [...]
I am not doing that, though anybody using this tool would be.
I like reading all the opinions written by people on /. who have no clue about anything other than video games and who comment about software they have never used.
/. opinion would be worth something.
Fake AP does not DOS anyone. I'm using it on one machine with three instances of Fake AP running using three WMP11 cards and it does not interfere with my real wireless lan.
I think most of the comments here are from wardrivers who are upset that someone has finally done something about their activity.
Before you try to form an opinion about software try using it first so that you will understand how it works. Once you know what it does and what it does not do then your