Slashdot Mirror


Detecting 802.11 Discovery Apps

Joshua Wright writes "I have written a white paper on detecting 802.11 Wireless LAN Network Discovery applications. Wireless LAN discovery through the use of applications such as NetStumbler, DStumbler, Wellenreiter and others is an increasingly popular technique for network penetration. The discovery of a wireless LAN might be used for seemingly innocuous Internet access, or to be used as a "backdoor" into a network to stage an attack. This paper reviews some of the tactics used in wireless LAN network discovery and attempts to identify some of the fingerprints left by wireless LAN discovery applications, focusing on the MAC and LLC layers. This fingerprint information can then be incorporated into intrusion detection tools capable of analyzing data-link layer traffic. "

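The summary above describes fingerprinting discovery tools at the MAC and LLC layers so an IDS that sees data-link traffic can flag them. The following is an added example, not code from the paper or from any tool it names, of what such a check looks like in Python: a detector that runs two rules over raw 802.11 frames, a burst of wildcard-SSID probe requests from one station (active scanning) and an LLC/SNAP data payload containing a marker string a tool is assumed to emit after associating. The marker string, the threshold values, the MAC addresses and the sample frames are all constructed for the example; real marker strings would come from the paper.

```python
"""Flagging active 802.11 discovery tools from MAC- and LLC-layer fingerprints.

Added example with constructed frames and a placeholder signature table.
Input is a stream of bare 802.11 frames (radiotap/prism header already stripped),
as a monitor-mode capture would provide.
"""
from collections import defaultdict

TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_PROBE_REQ = 4

# Placeholder signature table: hypothetical marker -> tool name. Invented for
# the example; a real table holds the strings the paper reports.
LLC_FINGERPRINTS = {b"example-stumbler-marker": "HypotheticalStumbler"}

PROBE_THRESHOLD = 5    # more than this many wildcard probe requests ...
PROBE_WINDOW = 2.0     # ... inside this many seconds trips the rate rule


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw):
    """Split a bare 802.11 frame into (type, subtype, transmitter, body)."""
    if len(raw) < 24:
        return None
    fc = raw[0]                       # frame-control low byte
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    src = mac_str(raw[10:16])         # Address 2 = transmitter for mgmt and non-WDS data
    return ftype, subtype, src, raw[24:]


def probe_req_ssid(body):
    """Walk the tagged parameters and return the SSID element value (None if absent)."""
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        if tag == 0:
            return body[i + 2:i + 2 + length]
        i += 2 + length
    return None


def llc_payload(body):
    """Return the payload after an LLC/SNAP header (AA AA 03 OUI ethertype), else None."""
    if len(body) >= 8 and body[:3] == b"\xaa\xaa\x03":
        return body[8:]
    return None


class StumblerDetector:
    def __init__(self):
        self.probe_times = defaultdict(list)   # transmitter -> recent wildcard-probe times
        self.rate_alerted = set()
        self.alerts = []                       # (timestamp, transmitter, reason)

    def feed(self, ts, raw):
        """Feed one frame; timestamps are expected to be non-decreasing."""
        parsed = parse_frame(raw)
        if parsed is None:
            return
        ftype, subtype, src, body = parsed
        if ftype == TYPE_MGMT and subtype == SUBTYPE_PROBE_REQ:
            if probe_req_ssid(body) == b"":    # zero-length SSID: "any AP, answer me"
                times = [t for t in self.probe_times[src] if ts - t <= PROBE_WINDOW]
                times.append(ts)
                self.probe_times[src] = times
                if len(times) > PROBE_THRESHOLD and src not in self.rate_alerted:
                    self.rate_alerted.add(src)
                    self.alerts.append((ts, src, "wildcard probe-request burst"))
        elif ftype == TYPE_DATA:
            payload = llc_payload(body)
            if payload is not None:
                for marker, tool in LLC_FINGERPRINTS.items():
                    if marker in payload:
                        self.alerts.append((ts, src, f"LLC payload marker: {tool}"))


def run_detector(frames):
    det = StumblerDetector()
    for ts, raw in frames:
        det.feed(ts, raw)
    return det.alerts


# --- constructed traffic for the example -------------------------------------
def _hdr(fc_byte, src):
    # FC(2) duration(2) addr1 addr2 addr3 seq(2), broadcast DA and BSSID
    return bytes([fc_byte, 0]) + b"\x00\x00" + b"\xff" * 6 + src + b"\xff" * 6 + b"\x00\x00"


def build_probe_req(src, ssid=b""):
    return _hdr((TYPE_MGMT << 2) | (SUBTYPE_PROBE_REQ << 4), src) + bytes([0, len(ssid)]) + ssid


def build_data(src, payload):
    return _hdr(TYPE_DATA << 2, src) + b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + payload


SCANNER = bytes.fromhex("020000000001")   # made-up, locally administered addresses
NORMAL = bytes.fromhex("020000000002")
SAMPLE_FRAMES = (
    [(0.1 * i, build_probe_req(SCANNER)) for i in range(8)]          # 8 wildcard probes in 0.7 s
    + [(1.0, build_probe_req(NORMAL, b"corpnet"))]                    # directed probe: ordinary roaming
    + [(1.5, build_data(SCANNER, b"xx example-stumbler-marker xx"))]  # marker after association
)

if __name__ == "__main__":
    for ts, src, reason in run_detector(SAMPLE_FRAMES):
        print(f"{ts:5.1f}s {src} {reason}")
```

Both rules only see frames the scanner transmits: a card sitting in monitor mode and never sending anything produces nothing for either rule to match, which is the limit of this approach and the point raised in comment 2 below. The rate threshold is also a tuning decision; stations roaming between APs legitimately send wildcard probes, just not in sustained bursts.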
6 of 165 comments

  1. Physically positioning the intruder by jki · · Score: 5, Interesting
    Your article was an interesting read. But what I would like to add is that it might be theoretically possible to physically position the intruder - especially, if you have made specific preparations for it (by placing a few extra access points as radars to do the triangle-mapping thing). You could use a tool like Procycle to do it for example. Then just dispatch your favorite security guards Igor and Vasili and let them do the rest :) Here's a clip from the Procycle page:

    Features: Measuring locations, Mapping, Data transfer tests, Producing quality survey reports, Graph. Requirements: Nokia 802.11b WLAN PCMCIA card, Windows 98/Me/NT/2000
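As an added example of the positioning idea in this comment (not code from Procycle or any other product), here is how the "extra access points as radars" approach works in Python: each sensor reports the signal strength it sees from the suspect station, a log-distance path-loss model turns each reading into a range estimate, and a linearised least-squares fit over three or more sensor positions gives the estimated location. The calibration constants, sensor layout, intruder position and noise values are all assumed for the example.

```python
"""Locating a transmitter from the signal strength several fixed sensors observe.

Added example. Calibration (P0_DBM, PATH_EXP) is assumed; in practice it is
measured on site, and the path-loss exponent varies a lot indoors.
"""
import math

P0_DBM = -40.0      # assumed received power at the reference distance D0
PATH_EXP = 2.5      # assumed path-loss exponent (2 free space, 3-4 indoors)
D0 = 1.0            # reference distance in metres


def rssi_to_range(rssi_dbm):
    """Invert the log-distance model: RSSI = P0 - 10 n log10(d / D0)."""
    return D0 * 10 ** ((P0_DBM - rssi_dbm) / (10 * PATH_EXP))


def range_to_rssi(d):
    return P0_DBM - 10 * PATH_EXP * math.log10(d / D0)


def trilaterate(sensors, ranges):
    """Least-squares position from >= 3 non-collinear (x, y) sensors and ranges.

    Subtracting sensor 0's circle equation from each other sensor's gives a
    linear row a*x + b*y = c; the normal equations then solve the 2x2 system.
    """
    if len(sensors) < 3 or len(sensors) != len(ranges):
        raise ValueError("need at least three sensors with matching ranges")
    (x0, y0), r0 = sensors[0], ranges[0]
    rows = []
    for (xi, yi), ri in zip(sensors[1:], ranges[1:]):
        a, b = 2 * (xi - x0), 2 * (yi - y0)
        c = r0 ** 2 - ri ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2
        rows.append((a, b, c))
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("sensors are collinear; position is not determined")
    return ((sac * sbb - sab * sbc) / det, (saa * sbc - sab * sac) / det)


def locate(sensors, rssis):
    """Sensor positions plus the RSSI each one saw -> estimated (x, y)."""
    return trilaterate(sensors, [rssi_to_range(r) for r in rssis])


def simulate_rssi(sensors, true_pos, noise_db=None):
    """Constructed readings: model RSSI from each sensor, optionally perturbed per sensor."""
    noise_db = noise_db or [0.0] * len(sensors)
    out = []
    for (sx, sy), n in zip(sensors, noise_db):
        d = math.hypot(true_pos[0] - sx, true_pos[1] - sy)
        out.append(range_to_rssi(d) + n)
    return out


# Constructed layout: four sensor APs on the corners of a 30 m square, intruder at (12, 20).
SENSORS = [(0.0, 0.0), (30.0, 0.0), (0.0, 30.0), (30.0, 30.0)]
TRUE_POS = (12.0, 20.0)

if __name__ == "__main__":
    clean = locate(SENSORS, simulate_rssi(SENSORS, TRUE_POS))
    noisy = locate(SENSORS, simulate_rssi(SENSORS, TRUE_POS, [1.0, -1.0, 1.0, -1.0]))
    print("clean readings  ->", clean)
    print("+/-1 dB noise   ->", noisy)
```

With exact readings the fit recovers (12, 20); with just 1 dB of per-sensor error it lands a few metres off, because a 1 dB error is about a 10% range error under this model. That is usually good enough to tell "parking lot" from "third floor", and not good enough to pick one person out of a crowd.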

  2. Not necessarily possible? by Anonymous Coward · · Score: 4, Interesting

    Uh, as I understand it (at least with the Cisco/Aironet clients), when you use netstumbler/kismet/whatever, the client card is in RF_MON mode, and is entirely passive. I don't know what signs of entry you're gonna see from a passive (listen-only) radio, but...

    1. Re:Not necessarily possible? by Lumpy · · Score: 4, Interesting

      it's commonly called a can, and yes repeaters use them. 900mhz and 1.2Ghz cans can be bought for peanuts at hamfests, while I wonder if a 2.4ghz can is available let alone possible to tune with anything but a full service rf shop.

      the point is that with a receive preamp and a diode I can reduce the exciter's output to the point that you would either need a 900 dB gain antenna or be in my back pocket to detect it.

      I used to work at a radar detector plant that designed radar detectors that were guaranteed not detectable. 90% of the work is making the thing RF tight in the first place... most consumer grade equipment is so crappily made they leak like wet paper bags full of melting jello.

      anyone interested in attacking an access point in such a manner will do it undetected until they strike, no matter what measures the target takes..

      It's simple spy vs spy stuff... been hashed over for decades....

      --
      Do not look at laser with remaining good eye.
  3. What are the security guards going to do? by upper · · Score: 4, Interesting
    If the intruder is sitting behind the dumpster typing on his laptop, and it's the middle of the night, then your security guards have a number of courses of action that could be quite effective. But if he's in a busy Starbucks, appearing to mind his own business, what can the security guard practically do?

    I'd guess that you'd have enough data to show probable cause and get a warrant, but the latency is a bit long.

    I do agree that spatially locating the intruder would be useful. At the very least, it's another way of detecting (most) intruders. And if you really want to use location info to do the vigilante thing, maybe you could fry his wifi card with a few hundred watts of microwaves in a directed beam.

  4. [preaching] share the bandwidth! by mocktor · · Score: 5, Interesting

    in response to all the people posting "so how do i stop evil k1dd135 using my bandwidth?" - why not just stick to secure (ssh, https) protocols and share it?

    Granted this isn't suitable for a lot of business networks, but still - wouldn't it be cool if you could walk down the street and stay connected to ICQ without getting your ass kicked?

  5. Why? by Alex+Belits · · Score: 4, Interesting

    Why would anyone want to know if someone is trying to find his network? What horrendous insecurity may prompt one to waste his time on such a thing? Why not just make the goddamn network secure enough so whoever will run kismet/netstumbler/whatever will simply see that he can't use this network and leave it alone?

    --
    Contrary to the popular belief, there indeed is no God.