Slashdot Mirror


Detecting 802.11 Discovery Apps

Joshua Wright writes "I have written a white paper on detecting 802.11 Wireless LAN Network Discovery applications. Wireless LAN discovery through the use of applications such as NetStumbler, DStumbler, Wellenreiter and others is an increasingly popular technique for network penetration. The discovery of a wireless LAN might be used for seemingly innocuous Internet access, or to be used as a "backdoor" into a network to stage an attack. This paper reviews some of the tactics used in wireless LAN network discovery and attempts to identify some of the fingerprints left by wireless LAN discovery applications, focusing on the MAC and LLC layers. This fingerprint information can then be incorporated into intrusion detection tools capable of analyzing data-link layer traffic. "
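The summary above says discovery-tool fingerprints at the MAC layer can feed a link-layer IDS. As an added illustration (not code from the paper), the following Python parses constructed 802.11 probe-request frames and flags stations that repeatedly probe with an empty, broadcast SSID, which is the behaviour of active scanners; the five-probe threshold and the sample MACs are assumptions. A purely passive sniffer never transmits and so produces nothing for this detector to see.

```python
"""Flag stations that actively probe with a broadcast (empty) SSID.

Added example, not from the paper: sample frames are constructed inline,
and the threshold is an assumed tuning value, not a published fingerprint.
"""
from collections import defaultdict
import struct

PROBE_REQ = 0x40  # frame-control byte: type=management (0), subtype=4

def build_probe_request(src_mac: bytes, ssid: bytes, seq: int) -> bytes:
    """Constructed sample frame: 24-byte management header + SSID element."""
    header = struct.pack("<H", PROBE_REQ) + struct.pack("<H", 0)  # FC, duration
    header += b"\xff" * 6 + src_mac + b"\xff" * 6          # DA, SA, BSSID
    header += struct.pack("<H", seq << 4)                    # sequence control
    return header + bytes([0, len(ssid)]) + ssid             # SSID element (id 0)

def parse_probe_request(frame: bytes):
    """Return (src_mac, ssid) for a probe request, or None for any other frame."""
    if len(frame) < 26 or frame[0] != PROBE_REQ:
        return None
    src = frame[10:16]
    eid, elen = frame[24], frame[25]
    if eid != 0 or len(frame) < 26 + elen:
        return None
    return src, frame[26:26 + elen]

def find_active_scanners(frames, threshold=5):
    """Return MACs that sent at least `threshold` broadcast-SSID probe requests."""
    counts = defaultdict(int)
    for f in frames:
        parsed = parse_probe_request(f)
        if parsed and parsed[1] == b"":   # empty SSID = "any network"
            counts[parsed[0]] += 1
    return {mac.hex(":") for mac, n in counts.items() if n >= threshold}

# Constructed traffic: one scanner, one ordinary client looking for its own
# network, and one beacon from the AP (ignored). A passive RF_MON sniffer
# would add no frames at all, so it is invisible here.
SCANNER = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("66778899aabb")
SAMPLE_FRAMES = (
    [build_probe_request(SCANNER, b"", i) for i in range(8)]
    + [build_probe_request(CLIENT, b"corpnet", i) for i in range(2)]
    + [b"\x80\x00" + b"\x00" * 24]   # beacon: subtype 8, no SSID parsed
)

if __name__ == "__main__":
    print("active scanners:", find_active_scanners(SAMPLE_FRAMES))
```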

11 of 165 comments

  1. Physically positioning the intruder by jki · · Score: 5, Interesting
    Your article was an interesting read. But what I would like to add is that it might be theoretically possible to physically position the intruder - especially, if you have made specific preparations for it (by placing a few extra access points as radars to do the triangle-mapping thing). You could use a tool like procycle to do it for example. Then just dispatch your favorite security guard Igor and Vasili and let them do the rest :) Here's a clip from the Procycle page:

    Features: Measuring locations, Mapping, Data transfer tests, Producing quality survey reports, Graph. Requirements, Nokia 802.11b WLAN PCMCIA card, Windows 98/Me/NT/2000

  2. Not necessarily possible? by Anonymous Coward · · Score: 4, Interesting

    Uh, as I understand it (at least with the Cisco/Aironet clients), when you use netstumbler/kismet/whatever, the client card is in RF_MON mode, and is entirely passive. I don't know what signs of entry you're gonna see from a passive (listen-only) radio, but...

    1. Re:Not necessarily possible? by Lumpy · · Score: 4, Interesting

      it's commonly called a can, and yes repeaters use them. 900mhz and 1.2Ghz cans can be bought for peanuts at hamfests, while I wonder if a 2.4ghz can is available let alone possible to tune with anything but a full service rf shop.

      the point is that with a receive preamp and a diode I can reduce the exciter's output to the point that you would either need a 900db gain antenna or be in my back pocket to detect it.

      I used to work at a Radar detector plant that designed radar detectors that were guaranteed not detectable. 90% of the work is making the thing RF tight in the first place... most consumer grade equipment is so crappily made they leak like wet paper bags full of melting jello.

      anyone interested in attacking an access point in such a manner will do it undetected until they strike, no matter what measures the target takes..

      It's simple spy vs spy stuff... been hashed over for decades....

      --
      Do not look at laser with remaining good eye.
  3. Re:Ok, so you've detected an intrusion... by amlutias · · Score: 2, Interesting

    well, if you're using HostAP, you could theoretically build up a dynamic defense that would mac filter and force disassociation (if an association was attempted) of any station detected to be scanning. you could do similar things with embedded devices and licensed firmware, i'm sure.

  4. What are the security guards going to do? by upper · · Score: 4, Interesting
    If the intruder is sitting behind the dumpster typing on his laptop, and it's the middle of the night, then your security guards have a number of courses of action that could be quite effective. But if he's in a busy Starbucks, appearing to mind his own business, what can the security guard practically do?

    I'd guess that you'd have enough data show probable cause and get a warrant, but the latency is a bit long.

    I do agree that spatially locating the intruder would be useful. At the very least, it's another way of detecting (most) intruders. And if you really want to use location info to do the vigilante thing, maybe you could fry his wifi card with a few hundred watts of microwaves in a directed beam.

  5. Detection is a reality now, but defense? by Adam9 · · Score: 3, Interesting

    I did some looking around on Google and found this paper, which briefly covers the subject by suggesting a "security mesh" to prevent unauthorized access to wlans. Anyone with some insight in how [cost] effective this may be, or if there are any other solutions out there?

  6. hopeless by metalpet · · Score: 3, Interesting

    Any WEP based network can be compromised by passively sniffing enough packets. After that initial work, the network is entirely open. At that point, the attacker cannot be detected by any means, yet he can sniff pretty much anything he wants.

    That alone is a very good reason to NOT plug a wireless access point to an internal network. If you don't have some sort of firewall between your access point and your internal network, you might be underqualified for your job.

    Given that, yes, you can detect freeloaders that are using your access point to surf the net. You cannot really block them, as MAC addys are easy to change. If that's really an issue, have the wireless network connected to nothing BUT your firewall, then force any wireless user to authenticate through the firewall you wisely installed. From there, it's a lot easier to monitor what happens to the firewall.

    I guess the detection technique is mostly useful for statistical purposes, as previous posts have mentioned.

  7. [preaching] share the bandwidth! by mocktor · · Score: 5, Interesting

    in response to all the people posting "so how do i stop evil k1dd135 using my bandwidth?" - why not just stick to secure (ssh, https) protocols and share it?

    Granted this isn't suitable for a lot of business networks, but still - wouldn't it be cool if you could walk down the street and stay connected to icq without getting your ass kicked?

  8. Re:Wrong approach by kwerle · · Score: 3, Interesting

    Most of the geeks that fall into the "dubious social behavior" group fit into the jerk category, not the asshole category. My wireless is outside my firewall, and I VPN my connection. This is great because it also means that I can go wireless (or even cabled) anywhere and not worry about someone sniffing my traffic.

    If some geek passes by and wants to use some bandwidth, that's great. If it starts to happen a lot, I'll try to find them and work something out. With some luck, this happens 2-4 times, and we all agree to pitch in to get more bandwidth!

  9. Why? by Alex+Belits · · Score: 4, Interesting

    Why would anyone want to know if someone is trying to find his network? What horrendous insecurity may prompt one to waste his time on such a thing? Why not just make the goddamn network secure enough so whoever will run kismet/netstumbler/whatever will simply see that he can't use this network and leave it alone?

    --
    Contrary to the popular belief, there indeed is no God.
  10. Wireless security in one word. by Darth_brooks · · Score: 3, Interesting
    Slingshot (or wristrocket depending on where you grew up)! Think about it. The person associated to your network has to be within 100 meters. Realistically, more like 35-50 meters if there's a wall / window / thin sheet of newsprint between him and the AP. Paint balls, small water balloons, or .50 caliber ball bearings aimed at that delicate LCD screen can make your network truly safe!

    The threat of unauthorized use of an AP is seriously overrated. Sure WEP can be cracked. But, Airsnort needs between 100 megs and 1 gig of honest data to crack 128-bit WEP. How long is it going to take you to gain that much data at 11 megabits per second? My ever so rough math says that to get a gig of data at 1.375 megabytes per sec (that is the equivalent of 11 megabits right? if not the point is still valid, even if the math is off) says you need about 12 minutes of just data. Try staying in range of an AP that long at 35 mph.

    Remember, most of that traffic isn't data, it's beacon frames. Just the AP announcing itself to the world. 128-bit WEP isn't secure enough to do business over. It's not even secure enough to call it encryption. It will, however, keep the average war driver off your network. I usually figure that if they've made an effort to secure the network, I should leave the network alone.


    Now, for all those AP's that register as F (factory default), well...those people were asking to have their MAC address added to their AP's banned list.......

    --
    There are some people that if they don't know, you can't tell 'em.