Detecting 802.11 Discovery Apps
Joshua Wright writes "I have written a white paper on detecting 802.11 Wireless LAN Network Discovery applications. Wireless LAN discovery through the use of applications such as NetStumbler, DStumbler, Wellenreiter and others is an increasingly popular technique for network penetration. The discovery of a wireless LAN might be used for seemingly innocuous Internet access, or to be used as a "backdoor" into a network to stage an attack. This paper reviews some of the tactics used in wireless LAN network discovery and attempts to identify some of the fingerprints left by wireless LAN discovery applications, focusing on the MAC and LLC layers. This fingerprint information can then be incorporated into intrusion detection tools capable of analyzing data-link layer traffic."
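The story's premise, MAC-layer fingerprints of active discovery tools fed to a data-link IDS, as an added example that is not code from the paper or from anyone in this thread: a minimal 802.11 probe-request parser plus a sliding-window detector that flags a station bursting wildcard (empty-SSID) probe requests, the pattern an active stumbler sweeping channels produces. The sample frames and MAC addresses are constructed, and the threshold and window are illustrative assumptions.

```python
import struct
from collections import defaultdict, deque

PROBE_REQ_FC0 = 0x40  # frame control: type 0 (management), subtype 4 (probe request)
MGMT_HDR = struct.Struct("<HH6s6s6sH")  # frame ctrl, duration, addr1, addr2 (SA), addr3, seq ctrl

def parse_probe_request(frame: bytes):
    """Return (source MAC, SSID) for an 802.11 probe request, else None."""
    if len(frame) < MGMT_HDR.size or frame[0] != PROBE_REQ_FC0:
        return None
    _, _, _da, sa, _bssid, _seq = MGMT_HDR.unpack_from(frame)
    body, i, ssid = frame[MGMT_HDR.size:], 0, None
    while i + 2 <= len(body):  # walk the tagged information elements after the header
        tag, ln = body[i], body[i + 1]
        val = body[i + 2:i + 2 + ln]
        if len(val) < ln:
            break  # truncated IE: stop parsing rather than read past the frame
        if tag == 0:  # SSID element; length 0 means a wildcard ("any network") probe
            ssid = val.decode("latin-1")
            break
        i += 2 + ln
    return (":".join(f"{b:02x}" for b in sa), ssid)

class WildcardProbeDetector:
    """Flag a station that sends `threshold` wildcard probe requests within `window` seconds."""
    def __init__(self, threshold=5, window=10.0):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)  # source MAC -> timestamps of its wildcard probes

    def observe(self, ts: float, frame: bytes):
        parsed = parse_probe_request(frame)
        if parsed is None or parsed[1] != "":
            return None  # not a probe request, or a directed probe for a named SSID
        sa, q = parsed[0], self.seen[parsed[0]]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()  # drop probes that fell out of the sliding window
        return sa if len(q) >= self.threshold else None

def build_probe_request(sa: bytes, ssid: bytes, seq: int = 0) -> bytes:
    """Constructed sample frame (not captured traffic): broadcast DA/BSSID, SSID IE, rates IE."""
    hdr = MGMT_HDR.pack(PROBE_REQ_FC0, 0, b"\xff" * 6, sa, b"\xff" * 6, seq << 4)
    return hdr + bytes([0, len(ssid)]) + ssid + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])

def run_demo():
    """Six wildcard probes in 2.5 s from one constructed, locally administered MAC."""
    det, scanner = WildcardProbeDetector(threshold=5, window=10.0), bytes.fromhex("020000000101")
    alerts = [det.observe(0.5 * n, build_probe_request(scanner, b"", seq=n)) for n in range(6)]
    return [a for a in alerts if a]  # -> ['02:00:00:00:01:01', '02:00:00:00:01:01']
```

As several comments below note, a card in RFMON mode never transmits, so a check like this only ever sees active probers.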
...in their detecting detectors?, or are the detectors detecting only getting detected once? anyway you put it that's a lot of detecting detectors and vice versa...
My girlfriend gets pissed anytime I even mention backdoor penetration...
Any 802.xx network near a public area is going to be stumbled upon eventually... why not encrypt your traffic rather than spending the time detecting some geek walking by with an 802.xx handheld running out of his bag?
I just tend to look for the box on the wall plugged into an ethernet cable with the two antennae sticking out of it.
God damn, I love a good arms race.
Are you a coder? Need work? Get involved at the beginning of an arms race such as this one. Employment for years and years. Get involved early enough, and soon you will be an "expert".
Of course, there are more employment opportunities on the defensive side of the race, while the more fun side is the offense.
OK, here's another arms race.
- With this anti-missile missile, we can intercept their missiles!
* But what do we do if they build an anti-anti-missile-missile missile?
- Simple, we build an anti-anti-anti-missile-missile-missile missile.
* Ow...I have a headache.
Please correct me if I got my facts wrong.
Features: Measuring locations, Mapping, Data transfer tests, Producing quality survey reports, Graph. Requirements: Nokia 802.11b WLAN PCMCIA card, Windows 98/Me/NT/2000
Normally, when you detect an intrusion, you have an IP address, you find its owner, and then try to determine who was using that address at the time of detection, and hopefully prosecute. It just seems to me that with 802.11, your best bet is to secure the thing rather than trying to figure out whose PDA inside a backpack is polling your network.
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
Uh, as I understand it (at least with the Cisco/Aironet clients), when you use netstumbler/kismet/whatever, the client card is in RF_MON mode, and is entirely passive. I don't know what signs of entry you're gonna see from a passive (listen-only) radio, but...
This whitepaper is published in PDF format, so it must be serious! Unlike those HTML white papers written by script kiddies....
so how do you actually secure the WiFi network.
Let's say I have DSL at my 5th floor apt. in downtown SF - I put a WiFi antenna up so I can roam to the cafe across the street - how do I keep any others off my network? Cheaply?
Put your wireless network segment behind a firewall which proxies encrypted SSH connections and passes nothing else.
can't detect that, right?
and when they're using info found with it it's too late, right?
better have it secure in the first place..
i got a system like this on my door, if it's busted, i've been robbed.
world was created 5 seconds before this post as it is.
What do you do now?
Go outside and kick ass on the guy with the laptop?
You could sneak up behind him and strangle him with all that extra cat-5 you have lying around now.
A new style of network discovery is available in the linux 2.5 kernel and in 2.4.20. Jean Tourrilhes' Wireless Extensions for Linux version 14 and later contains a method to scan all channels for access points for a short period of time, then return to the wireless card's original state. This is implemented in the wireless drivers themselves so it works with any model of card. The 'iwlist' utility in the newer wireless tools suite will show this functionality.
There is a GTK+ application I have written called AP Radar that also makes use of this functionality. This utility has just reached a point where it can replace the need to run iwconfig and a dhcp client. Start the application and click on the ESSID that you want to associate to. AP Radar will set the ESSID and Mode of the wireless card, and launch a DHCP client (pump). It's meant as an end-user tool to simplify the process of connecting to an access point rather than a full featured net stumbler.
The advantage to using AP Radar over a full blown net stumbler like kismet is that you stay associated with the access point you are using, while still scanning for new APs in the area. With kismet and the others, your association is lost and you must reconnect after you're done scanning.
I'd guess that you'd have enough data show probable cause and get a warrant, but the latency is a bit long.
I do agree that spatially locating the intruder would be useful. At the very least, it's another way of detecting (most) intruders. And if you really want to use location info to do the vigilante thing, maybe you could fry his wifi card with a few hundred watts of microwaves in a directed beam.
I did some looking around on Google and found this paper, which briefly covers the subject by suggesting a "security mesh" to prevent unauthorized access to wlans. Anyone with some insight in how [cost] effective this may be, or if there are any other solutions out there?
Any WEP based network can be compromised by passively sniffing enough packets. After that initial work, the network is entirely open. At that point, the attacker cannot be detected by any means, yet he can sniff pretty much anything he wants.
That alone is a very good reason to NOT plug a wireless access point to an internal network. If you don't have some sort of firewall between your access point and your internal network, you might be underqualified for your job.
Given that, yes, you can detect freeloaders that are using your access point to surf the net. You cannot really block them, as MAC addys are easy to change. If that's really an issue, have the wireless network connected to nothing BUT your firewall, then force any wireless user to authenticate through the firewall you wisely installed. From there, it's a lot easier to monitor what happens to the firewall.
I guess the detection technique is mostly useful for statistical purposes, as previous posts have mentioned.
I am currently in an email conversation with LinkSys over the topic of securing a small WLAN that I set up to link my home network to my office (in a house across the street) and ran into a real problem with their WAP11 v2.2 APs.
With 2 APs set up in ethernet bridge mode (Shick as Slit!), if I enable WEP, the APs' encryption will get out of sync in very short order under heavy traffic loads (such as FTP'ing a file across the network at full speed). Once out of sync, I have to reset both APs. With WEP disabled, the APs perform OK.
After several tests I was able to reproduce these results each and every time... so I emailed LinkSys about their broken WEP support. Here is the response I got:
----------
Dear Mr. Joshua,
Thank you for contacting Linksys Customer Support.
With regard to the problem, can you provide the complete set up of your network? About WEP, it is advised that you disable WEP keys in your access point to avoid possible degradation of wireless transmission. The encryption causes your network to slow down in terms of wireless transmission because prior to transmission, the data are encrypted and decrypted at the receiving end. Hence, the result is to slow the efficiency of your data transfer. For a small network where there aren't much important files to be transferred, it is advised that WEP keys are disabled.
About the firmware, the access point should have no problem connecting to one another although they have different firmwares.
Have a nice day!
Sincerely,
Glythel Ria M. Penus
Product Support Representative
Linksys
-----------------------
If you are wondering what the firmware issue is about, I noticed that one of the new APs came with an undocumented revision of the firmware (1.01f), so I attempted to downgrade it to the version listed on their web site (1.01c), which also happens to be the version that the other AP is running. It won't do a downgrade.
So, for my solution, I used a firewall product that my company has developed to run IPSEC across an unsecured wireless link. Fortunately, in bridge mode, the Linksys APs will only talk to another WAP11 that has its MAC specified in the allowed list.
Even if this wasn't my business LAN, how many people that need a wireless network never transfer anything "important"? More to the point, how many people don't care if the neighbor leeches Internet service off of the cable modem that they are paying for?
This is not the first time I have seen this idiocy come from a vendor... my brother in law was recently instructed to remove the last several Windows Critical Updates from his Windows 2000 computer by an M$ phone-monkey, telling him that if it wasn't broke in the first place, that he shouldn't have tried to fix it.
The key point of this paper is that you can't detect passive monitoring (RFMON mode), so tools like kismet which use it are not detectable. The only way to mess with these types of tools is to send out falsified data to confuse that scanner, but this will still not let you detect them.
-- free as in swatantryam - not soujanyam.
That's funny, I'm working on a similar whitepaper: Detecting 802.11 Detector Detectors, to detect people trying to detect people trying to detect 802.11 networks. Included is some sample code to detect the detector detectors, but it seems to get into a nasty infinite loop, and I can't figure out why.
________________________________________________
suwain_2
Looking at wireless over the last two years is just mind boggling. There's no way to stay up to date on the latest security hacks and updates and firmware and make sure your mac addresses are in a database and this and that. It hardly seems worth the effort. Hell, it's easier just bringing a spindle of cat6 and wiring up 1000bt or better around with you than deal with the networking mess.
in response to all the people posting "so how do i stop evil k1dd135 using my bandwidth?" - why not just stick to secure (ssh, https) protocols and share it?
Granted this isn't suitable for a lot of business networks, but still - wouldn't it be cool if you could walk down the street and stay connected to icq without getting your ass kicked?
Isn't sniffing a key component of a wireless network? Why is this something that needs monitoring? What needs monitoring is authentication on the wireless network, not looking for the network.
Mirror Hotmail and Yahoo's login pages on a local server and collect passwords. Write 'creative' emails on their behalf to their friends and parents and (potential) employers.
Rewrite stock quotes on the fly...
Write a perl script that will rewrite outgoing POP emails
(s/Regards,/I love you,/g is an old favorite of mine...)
I figure if someone uses my network without asking for permission, I have the right to make them look like an idiot.
Cheers,
Jim
-- My Weblog.
Why would anyone want to know if someone is trying to find his network? What horrendous insecurity may prompt one to waste his time on such a thing? Why not just make the goddamn network secure enough so whoever will run kismet/netstumbler/whatever will simply see that he can't use this network and leave it alone?
Contrary to the popular belief, there indeed is no God.
The threat of unauthorized use of an AP is seriously overrated. Sure WEP can be cracked. But, Airsnort needs between 100 megs and 1 gig of honest data to crack 128-bit WEP. How long is it going to take you to gain that much data at 11 megabits per second? My ever so rough math says that to get a gig of data at 1.375 megabytes per sec (that is the equivalent of 11 megabits right? if not the point is still valid, even if the math is off) says you need about 12 minutes of just data. Try staying in range of an AP that long at 35 mph.
Remember, most of that traffic isn't data, it's beacon frames. Just the AP announcing itself to the world. 128-bit WEP isn't secure enough to do business over. It's not even secure enough to call it encryption. It will, however, keep the average war driver off your network. I usually figure that if they've made an effort to secure the network, I should leave the network alone.
Now, for all those APs that register as F (factory default), well...those people were asking to have their MAC address added to their AP's banned list.......
There are some people that if they don't know, you can't tell 'em.
Setting aside that ESSID discovery software is inherently passive.
All this fuss and mud slinging over WiFi seems to be missing the point. It is built on an invalid premise: that 'this network' belongs to the AP owner. 802.11b uses public airspace; it does not belong to anybody, it belongs to everybody, just like the Internet backbone. It is designed to be open, and should remain so. If somebody wishes to use it privately for their secure traffic they should treat it as they would a PVC on the net at large.
Accept it is an open technology standard and secure their machines and traffic as necessary as they would on the Internet at large. The physical network itself cannot and should not be closed.
The author mentions RFMON type sniffers in his article. While you can't detect the sniffer itself, it is easy to spoof such sniffers with bogus data that an RFMON sniffer can't validate (but an active sniffer can). Such data can be used to encourage the attacker to go active and hack right into a honeypot.
retrorocket.o not found, launch anyway?
It's a duplexer. Although the main components of a duplexer (resonant cavities, as another poster mentioned) are essentially large thick-walled cans. (Except supercheap poor-man's-duplexers made from coffee cans - They exist but they are pretty high-loss)
These are usable in amateur applications because of the fact that repeaters transmit and receive on different frequencies. (Standard offset is 600 kHz in the 2 meter (144-148 MHz) band, 5 MHz in the 70 cm (440 MHz) band). 600 kHz is VERY close spacing at 144 MHz, which is why high-Q resonant cavities are needed, not L/C filters. They are needed because repeaters operate full-duplex (transmitting and receiving at the same time).
Such a thing doesn't exist for WLAN cards because of the fact WLAN devices transmit and receive on the same frequency (but not at the same time.) T/R switching is usually handled by diodes. (A diode, despite what a poster said, WILL block RF if biased properly. But to RF, it's bidirectional, either on both ways or off both ways, depending on the DC potential across the diode) Plus even in the "off" state, they'll leak a bit.
An isolator will allow RF to go in only one direction, while blocking RF going the other direction. These are expensive ($40-50 in quantities of 50+, probably more for one with coaxial connections).
Still, you can put all you want in the antenna feedline to make sure RF goes only one way - The receiver LO is going to leak out of the device housing. It'll be weak, but it'll be there. It'll be a CW signal, which will make it easier to detect despite being weak.
In RFMon mode, you don't need to take any measures to block RF going up the antenna feedline - The card will be stuck in receive mode with the transmitter shut down. Of course, the fact that your card is not transmitting means you can use a simple unidirectional preamp for receive rather than an expensive RF-sensing bidirectional amp. (These switch from receive to transmit when they sense RF coming from the transmitter).
Perhaps some smart lad could come up with a way to filter out connection attempts being made from outside a physical perimeter?
Ahhh....imagine the urban legends;
The connection attempt...it's coming from inside the house!!
What were you expecting?