Detecting 802.11 Discovery Apps
Joshua Wright writes "I have written a white paper on detecting 802.11 Wireless LAN Network Discovery applications.
Wireless LAN discovery through the use of applications such as NetStumbler, DStumbler, Wellenreiter and others is an increasingly
popular technique for network penetration. The discovery of a wireless LAN might be used for seemingly innocuous Internet access, or to be used as a "backdoor" into a network to stage an attack. This paper reviews some of the tactics used in wireless LAN network discovery and attempts to identify some of the fingerprints left by wireless LAN discovery applications, focusing on the MAC and LLC layers. This fingerprint information can then be incorporated into intrusion detection tools capable of analyzing data-link layer traffic.
"
...in their detecting detectors? Or are the detectors detecting only getting detected once? Any way you put it, that's a lot of detecting detectors and vice versa...
My girlfriend gets pissed anytime I even mention backdoor penetration...
Any 802.xx network near a public area is going to be stumbled upon eventually... why not encrypt your traffic rather than spending the time detecting some geek walking by with an 802.xx handheld running out of his bag?
I just tend to look for the box on the wall plugged into an ethernet cable with the two antennae sticking out of it.
God damn, I love a good arms race.
Are you a coder? Need work? Get involved at the beginning of an arms race such as this one. Employment for years and years. Get involved early enough, and soon you will be an "expert".
Of course, there are more employment opportunities on the defensive side of the race, while the more fun side is the offense.
OK, here's another arms race.
- With this anti-missile missile, we can intercept their missiles!
* But what do we do if they build an anti-anti-missile-missile missile?
- Simple, we build an anti-anti-anti-missile-missile-missile missile.
* Ow...I have a headache.
Please correct me if I got my facts wrong.
Features: Measuring locations, Mapping, Data transfer tests, Producing quality survey reports, Graph. Requirements: Nokia 802.11b WLAN PCMCIA card, Windows 98/Me/NT/2000
Normally, when you detect an intrusion, you have an IP address, you find its owner, and then try to determine who was using that address at the time of detection, and hopefully prosecute. It just seems to me that with 802.11, your best bet is to secure the thing rather than trying to figure out whose PDA inside a backpack is polling your network.
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
Uh, as I understand it (at least with the Cisco/Aironet clients), when you use netstumbler/kismet/whatever, the client card is in RF_MON mode, and is entirely passive. I don't know what signs of entry you're gonna see from a passive (listen-only) radio, but...
Rejoice and make war your life:
See Naqoyqatsi
(Na-qoy-qatsi: (nah koy' kahtsee) N. From the Hopi Language.
1. A life of killing each other. 2. War as a way of life. 3.
(Interpreted) Civilized violence.
Don't we have to wait for Discovery to be launched before we can detect its applications?
This whitepaper is published in PDF format, so it must be serious! Unlike those HTML white papers written by script kiddies....
This 802.11 discovery application detection is clearly a victory for the RIAA, MPAA, BSA, and associated subsidies such as AOL/Time-Warner and Microsoft. As all MP3 goonies know, illicit data is often served from hacked sites. Wireless at 11Mbps is elusive to the warez community, and by detecting this it may be possible for anti-warez busters to detect warez d00ds on the spot, decloaking their IP-based anonymity due to 802.11's cellular IP range.
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
So how do you actually secure the WiFi network?
Let's say I have DSL at my 5th floor apt. in downtown SF - I put a WiFi antenna up so I can roam to the cafe across the street - how do I keep any others off my network? Cheaply?
what about forged MAC Addresses? Sure, it's more than the average Wardriver would do to get access, but changing MAC's isn't _that_ hard. But this is a neat white paper though.
Put your wireless network segment behind a firewall which proxies encrypted SSH connections and passes nothing else.
can't detect that, right?
and when they're using info found with it it's too late, right?
better have it secure in the first place..
i got a system like this on my door, if it's busted, i've been robbed.
world was created 5 seconds before this post as it is.
What do you do now?
Go outside and kick ass on the guy with the laptop?
You could sneak up behind him and strangle him with all that extra cat-5 you have lying around now.
A new style of network discovery is available in the Linux 2.5 kernel and in 2.4.20. Jean Tourrilhes'
Wireless Extensions for Linux version 14 and later contain a method to scan all channels for access points for a short period of time, then return to the wireless card's original state. This is implemented in the wireless drivers themselves so it works with any model of card. The 'iwlist' utility in the newer wireless tools suite will show this functionality.
There is a GTK+ application I have written called AP Radar that also makes use of this functionality. This utility has just reached a point where it can replace the need to run iwconfig and a DHCP client. Start the application and click on the ESSID that you want to associate to. AP Radar will set the ESSID and Mode of the wireless card, and launch a DHCP client (pump). It's meant as an end-user tool to simplify the process of connecting to an access point rather than a full featured net stumbler.
The advantage to using AP Radar over a full blown net stumbler like kismet is that you stay associated with the access point you are using, while still scanning for new APs in the area. With kismet and the others, your association is lost and you must reconnect after you're done scanning.
Use
ps -ef | grep -i nets...
to determine if you are running one of these applications.
I'd guess that you'd have enough data show probable cause and get a warrant, but the latency is a bit long.
I do agree that spatially locating the intruder would be useful. At the very least, it's another way of detecting (most) intruders. And if you really want to use location info to do the vigilante thing, maybe you could fry his wifi card with a few hundred watts of microwaves in a directed beam.
I did some looking around on Google and found this paper, which briefly covers the subject by suggesting a "security mesh" to prevent unauthorized access to wlans. Anyone with some insight in how [cost] effective this may be, or if there are any other solutions out there?
I would recommend your company invest in Intel's LANDESK Suite, makes it very easy to monitor who is running what. You can have it build reports, or sit and watch suspicious users. It is also a great utility that has saved me lots of waiting for elevators and running up and down flights of stairs. I must have gained at least 10 pounds thanks to LANDESK!
Any WEP based network can be compromised by passively sniffing enough packets. After that initial work, the network is entirely open. At that point, the attacker cannot be detected by any means, yet he can sniff pretty much anything he wants.
That alone is a very good reason to NOT plug a wireless access point to an internal network. If you don't have some sort of firewall between your access point and your internal network, you might be underqualified for your job.
Given that, yes, you can detect freeloaders that are using your access point to surf the net. You cannot really block them, as MAC addys are easy to change. If that's really an issue, have the wireless network connected to nothing BUT your firewall, then force any wireless user to authenticate through the firewall you wisely installed. From there, it's a lot easier to monitor what happens to the firewall.
I guess the detection technique is mostly useful for statistical purposes, as previous posts have mentioned.
What type of cost does this incur? Is it expensive to implement? I always notice that these companies make you pay through the nose for applications like these.
I am currently in an email conversation with LinkSys over the topic of securing a small WLAN that I set up to link my home network to my office (in a house across the street) and ran into a real problem with their WAP11 v2.2 AP's.
With 2 AP's set up in ethernet bridge mode (Shick as Slit!), if I enable WEP, the AP's encryption will get out of sync in very short order under heavy traffic loads (such as FTP'ing a file across the network at full speed). Once out of sync, I have to reset both AP's. With WEP disabled, the AP's perform OK.
After several tests I was able to reproduce these results each and every time... so I emailed LinkSys about their broken WEP support. Here is the response I got:
----------
Dear Mr. Joshua,
Thank you for contacting Linksys Customer Support.
With regard to the problem, can you provide the complete set up of your
network? About WEP, it is advised that you disable WEP keys in your access
point to avoid possible degradation of wireless transmission. The encryption
causes your network to slow down in terms of wireless transmission because
prior to transmission, the data are encrypted and decrypted at the receiving
end. Hence, the result is to slow the efficiency of your data transfer. For
a small network where there aren't much important files to be transferred,
it is advised that WEP keys are disabled.
About the firmware, the access point should have no problem connecting to
one another although they have different firmwares.
Have a nice day!
Sincerely,
Glythel Ria M. Penus
Product Support Representative
Linksys
-----------------------
If you are wondering what the firmware issue is about, I noticed that one of the new AP's came with an undocumented revision of the firmware (1.01f), so I attempted to downgrade it to the version listed on their web site (1.01c), which also happens to be the version that the other AP is running. It won't do a downgrade.
So, for my solution, I used a firewall product that my company has developed to run IPSEC across an unsecured wireless link. Fortunately, in bridge mode, the Linksys AP's will only bridge to another WAP11 that has its MAC specified in the allowed list.
Even if this wasn't my business LAN, how many people that need a wireless network never transfer anything "important"? More to the point, how many people don't care if the neighbor leeches Internet service off of the cable modem that they are paying for?
This is not the first time I have seen this idiocy come from a vendor... my brother in law was recently instructed to remove the last several Windows Critical Updates from his Windows 2000 computer by an M$ phone-monkey, telling him that if it wasn't broke in the first place, that he shouldn't have tried to fix it.
The key point of this paper is that you can't detect passive monitoring (RFMON mode), so tools like kismet which use it are not detectable. The only way to mess with these types of tools is to send out falsified data to confuse that scanner, but this will still not let you detect them.
-- free as in swatantryam - not soujanyam.
In case you don't happen to have a loaded Acrobat (loaded acrobat? don't let him on the high wire!), or if you can't bear to wait for Adobe's disclaimers to load, here's a quick-n-dirty HTML mirror of the .pdf file. Ugly as sin: did it by pasting the text into Notetab and using "convert to HTML".
Yes, it's on Tripod, so beware the popups and banners. Whaddya expect from us skr1pt k1dd13z?
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
That's funny, I'm working on a similar whitepaper: Detecting 802.11 Detector Detectors, to detect people trying to detect people trying to detect 802.11 networks. Included is some sample code to detect the detector detectors, but it seems to get into a nasty infinite loop, and I can't figure out why.
________________________________________________
suwain_2
Looking at wireless over the last two years is just mind boggling. There's no way to stay up to date on the latest security hacks and updates and firmware and make sure your mac addresses are in a database and this and that. It hardly seems worth the effort. Hell it's easier just bringing a spindle of cat6 and wiring up 1000bt or better around with you than deal with the networking mess.
Well, you could remove the threat completely with the help of a three letter friend.
Large print giveth, and the small print taketh away
in response to all the people posting "so how do i stop evil k1dd135 using my bandwidth?" - why not just stick to secure (ssh, https) protocols and share it?
Granted this isn't suitable for a lot of business networks, but still - wouldn't it be cool if you could walk down the street and stay connected to icq without getting your ass kicked?
Can't get in my wireless home lan...
...cos I gave my laptop to a super-fine chick at work....*sniff* #;^(
Spread the RC luvin'
Isn't sniffing a key component of a wireless network? Why is this something that needs monitoring? What needs monitoring is authentication on the wireless network, not looking for the network.
!@#)@!* mod that up, it's right.
Trace Buster, Buster!
Mirror Hotmail and Yahoo's login pages on a local server and collect passwords. Write 'creative' emails on their behalf to their friends and parents and (potential) employers.
Rewrite stock quotes on the fly...
Write a perl script that will rewrite outgoing POP emails
(s/Regards,/I love you,/g is an old favorite of mine...)
I figure if someone uses my network without asking for permission, I have the right to make them look like an idiot.
Cheers,
Jim
-- My Weblog.
Why?
So I can get the same little icon that tivole
and SMS put on the user's desktop?
If you'd spent more than 15 minutes with LANDesk, you'd realize just how hard it blows.
Perhaps also an "intruder meter" with an indicator of the direction and distance from which the intruding signal comes ?
Notepad specialist & FAT administrator, group training available
Forget that socialism crap ... go for anarcho-capitalism
Why would anyone want to know if someone is trying to find his network? What horrendous insecurity may prompt one to waste his time on such a thing? Why not just make the goddamn network secure enough so that whoever runs kismet/netstumbler/whatever will simply see that he can't use this network and leave it alone?
Contrary to the popular belief, there indeed is no God.
I've always felt that ./ and anal sex were the only things were living for in life...
-The Originator Of The Pun
If you don't want some Joe Schmoe stealing bandwidth, thank God for the prolly near infinite layers of lead paint (and any other factors) under all the decent paint on my old Victorian house. Makes signals so weak outside you have to be about 3 feet from the outside walls just to do anything. So if some unknown is on my LAN, he's prolly in my lawn too...... sprinkler time hehehehe.... I'm a total bastidge.
I'm honored you were able to come up with such wit on your own. Did mommy help you?
Oh, I added the second part as an afterthought _after_ I posted the original reply. See, you might have caught that if you weren't busy beating your girlfriend or trying to find a pig to molest.
There is a way of creating a false AP (make sure it is 5 channels away from any AP channel you are using, i.e. if you are using 6, you can use 1 and/or 11). You can then send out random Macs, SSIDs, and whatever else. I think some stumblers will get wise to this so you might need to play more games.
But in short, you can't detect something like Kismet or the Dwep tools, and even if you are using WEP you are probably sending out weak packets, enough that after a few days the key can be obtained.
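The decoy-AP idea in this post amounts to generating beacon frames with made-up BSSIDs and SSIDs on a channel that does not overlap the real one. As an added example, not code from the post's author or from any tool named here, the block below picks non-overlapping 2.4 GHz channels and builds the beacons. The 5-channel separation rule (2.4 GHz channels are 5 MHz apart and roughly 22 MHz wide, so channels 1, 6 and 11 do not overlap) is the assumption the poster states; the randomly generated addresses and names are constructed, and sending them would need a card in injection mode plus a driver that allows it, which is outside the example.

```python
import random
import struct

# Assumption from the post: 2.4 GHz channels overlap unless at least 5 apart.
CHANNEL_SPACING = 5
BROADCAST = b"\xff" * 6


def free_channels(in_use, channels=range(1, 14), spacing=CHANNEL_SPACING):
    """Channels (1-13) that do not overlap any channel the real APs use."""
    return [c for c in channels if all(abs(c - u) >= spacing for u in in_use)]


def random_bssid(rng):
    """Random MAC with the locally-administered bit set and multicast bit clear."""
    b = bytearray(rng.randrange(256) for _ in range(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return bytes(b)


def random_ssid(rng, length=8):
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    return "".join(rng.choice(alphabet) for _ in range(length)).encode()


def beacon(bssid, ssid, channel, interval=100, timestamp=0, seq=0):
    """Build an 802.11 beacon: management header, fixed fields, SSID/rates/DS IEs."""
    # Frame control 0x80 = type 0 (management), subtype 8 (beacon).
    hdr = struct.pack("<BBH6s6s6sH", 0x80, 0, 0, BROADCAST, bssid, bssid,
                      (seq & 0xFFF) << 4)
    fixed = struct.pack("<QHH", timestamp, interval, 0x0001)  # capability: ESS
    ies = (bytes([0, len(ssid)]) + ssid                        # SSID
           + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])             # 1/2/5.5/11 Mbps
           + bytes([3, 1, channel]))                           # DS parameter set
    return hdr + fixed + ies


def decoy_beacons(in_use, count, rng):
    """Beacons for `count` fake APs spread over channels clear of `in_use`."""
    channels = free_channels(in_use)
    if not channels:
        raise ValueError("no channel is 5 away from every channel in use")
    return [beacon(random_bssid(rng), random_ssid(rng), rng.choice(channels), seq=i)
            for i in range(count)]


if __name__ == "__main__":
    rng = random.Random(7)  # fixed seed only so the demo is reproducible
    for frame in decoy_beacons({6}, 3, rng):
        bssid = ":".join(f"{x:02x}" for x in frame[10:16])
        ssid_len = frame[37]
        ssid = frame[38:38 + ssid_len].decode()
        channel = frame[-1]
        print(f"beacon bssid={bssid} ssid={ssid} channel={channel}")
```

Note the limit the post itself acknowledges: a monitor-mode sniffer will record the decoys along with the real APs, but nothing in this traffic reveals that it has.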
Wouldn't this paper be in violation of the DMCA?
The threat of unauthorized use of an AP is seriously over rated. Sure WEP can be cracked. But, Airsnort needs between 100 megs and 1 gig of honest data to crack 128-bit WEP. How long is it going to take you to gain that much data at 11 megabits per second? My ever so rough math says that to get a gig of data at 1.375 megabytes per sec (that is the equivalent of 11 megabits right? if not the point is still valid, even if the math is off) you need about 12 minutes of just data. Try staying in range of an AP that long at 35 mph.
Remember, most of that traffic isn't data, it's beacon frames. Just the AP announcing itself to the world. 128-bit WEP isn't secure enough to do business over. It's not even secure enough to call it encryption. It will, however, keep the average war driver off your network. I usually figure that if they've made an effort to secure the network, I should leave the network alone.
Now, for all those AP's that register as F (factory default), well...those people were asking to have their MAC address added to their AP's banned list.......
There are some people that if they don't know, you can't tell 'em.
Setting aside that ESSID discovery software is inherently passive.
All this fuss and mud slinging over WiFi seems to be missing the point. It is built on an invalid premise: that 'this network' belongs to the AP owner. 802.11b uses public airspace; it does not belong to anybody, it belongs to everybody, just like the Internet backbone. It is designed to be open, and should remain so. If somebody wishes to use it privately for their secure traffic they should treat it as they would a PVC on the net at large.
Accept that it is an open technology standard and secure your machines and traffic as necessary, as you would on the Internet at large. The physical network itself cannot and should not be closed.
The author mentions RFMON type sniffers in his article. While you can't detect the sniffer itself, it is easy to spoof such sniffers with bogus data that an RFMON sniffer can't validate (but an active sniffer can). Such data can be used to encourage the attacker to go active and hack right into a honeypot.
retrorocket.o not found, launch anyway?
It's a duplexer. Although the main components of a duplexer (resonant cavities, as another poster mentioned) are essentially large thick-walled cans. (Except supercheap poor-man's-duplexers made from coffee cans - They exist but they are pretty high-loss)
These are usable in amateur applications because of the fact that repeaters transmit and receive on different frequencies. (Standard offset is 600 kHz in the 2 meter (144-148 MHz) band, 5 MHz in the 70 cm (440 MHz) band). 600 kHz is VERY close spacing at 144 MHz, which is why high-Q resonant cavities are needed, not L/C filters. They are needed because repeaters operate full-duplex (transmitting and receiving at the same time).
Such a thing doesn't exist for WLAN cards because of the fact WLAN devices transmit and receive on the same frequency (but not at the same time.) T/R switching is usually handled by diodes. (A diode, despite what a poster said, WILL block RF if biased properly. But to RF, it's bidirectional, either on both ways or off both ways, depending on the DC potential across the diode) Plus even in the "off" state, they'll leak a bit.
An isolator will allow RF to go in only one direction, while blocking RF going the other direction. These are expensive ($40-50 in quantities of 50+, probably more for one with coaxial connections).
Still, you can put all you want in the antenna feedline to make sure RF goes only one way - The receiver LO is going to leak out of the device housing. It'll be weak, but it'll be there. It'll be a CW signal, which will make it easier to detect despite being weak.
In RFMon mode, you don't need to take any measures to block RF going up the antenna feedline - The card will be stuck in receive mode with the transmitter shut down. Of course, the fact that your card is not transmitting means you can use a simple unidirectional preamp for receive rather than an expensive RF-sensing bidirectional amp. (These switch from receive to transmit when they sense RF coming from the transmitter).
retrorocket.o not found, launch anyway?
Honestly, does nobody understand this? If you are hoping that keeping unauthorized people off of your wireless network will make it secure, you have a serious problem with your network design. The wireless network is just as untrusted as the internet and should be treated as such. Firewall it off and it doesn't really matter who's on it. If you need to access the internal network from the wireless, VPN in. WEP doesn't work as designed so don't even bother using it.
Perhaps some smart lad could come up with a way to filter out connection attempts being made from outside a physical perimeter?
Ahhh....imagine the urban legends;
The connection attempt...it's coming from inside the house!!
What were you expecting?
A statistician, who refused to fly after reading of the alarmingly high
probability that there will be a bomb on any given plane, realized that
the probability of there being two bombs on any given flight is very low.
Now, whenever he flies, he carries a bomb with him.
- this post brought to you by the Automated Last Post Generator...