Slashdot Mirror


Detecting 802.11 Discovery Apps

Joshua Wright writes "I have written a white paper on detecting 802.11 Wireless LAN Network Discovery applications. Wireless LAN discovery through the use of applications such as NetStumbler, DStumbler, Wellenreiter and others is an increasingly popular technique for network penetration. The discovery of a wireless LAN might be used for seemingly innocuous Internet access, or used as a "backdoor" into a network to stage an attack. This paper reviews some of the tactics used in wireless LAN network discovery and attempts to identify some of the fingerprints left by wireless LAN discovery applications, focusing on the MAC and LLC layers. This fingerprint information can then be incorporated into intrusion detection tools capable of analyzing data-link layer traffic."

21 of 165 comments

  1. Yeah... by Anonymous Coward · · Score: 4, Funny

    My girlfriend gets pissed anytime I even mention backdoor penetration...

    1. Re:Yeah... by kalos · · Score: 4, Funny

      That's because you are flat out penetrating her network through the back door. Do some probing first man. You have to find out if there are any ports or services receptive to your connection before you attempt to dive right in and exploit any weaknesses.

    2. Re:Yeah... by the way, what're you · · Score: 4, Funny

      My girlfriend gets pissed anytime I even mention backdoor penetration...

      That's because she wants you to spend time with her, not your buddies.

      --
      example.org - powered by Linux!
    3. Re:Yeah... by geekd · · Score: 4, Funny

      Dave's relationship rule #27:

      "When you find a woman who reacts positively to the suggestion of 'backdoor penetration', seriously consider marriage"

      rules to live by.

  2. Wrong approach by bobthemuse · · Score: 4, Insightful

    Any 802.xx network near a public area is going to be stumbled upon eventually... why not encrypt your traffic rather than spending the time detecting some geek walking by with an 802.xx handheld running out of his bag?

  3. Love it. by geekd · · Score: 4, Funny

    God damn, I love a good arms race.

    Are you a coder? Need work? Get involved at the beginning of an arms race such as this one. Employment for years and years. Get involved early enough, and soon you will be an "expert".

    Of course, there are more employment opportunities on the defensive side of the race, while the more fun side is the offense.

  4. Physically positioning the intruder by jki · · Score: 5, Interesting
    Your article was an interesting read. But what I would like to add is that it might be theoretically possible to physically position the intruder - especially if you have made specific preparations for it (by placing a few extra access points as radars to do the triangle-mapping thing). You could use a tool like procycle to do it, for example. Then just dispatch your favorite security guards Igor and Vasili and let them do the rest :) Here's a clip from the Procycle page:

    Features: Measuring locations, Mapping, Data transfer tests, Producing quality survey reports, Graph. Requirements, Nokia 802.11b WLAN PCMCIA card, Windows 98/Me/NT/2000
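
The "triangle-mapping" idea in the comment above, carried through as an added example that is not from the comment, the paper, or the Procycle product: three monitoring access points at known positions each report the received signal strength (RSSI) of the intruder's probe frames; a log-distance path-loss model turns each RSSI into an estimated distance, and the three circles are solved by linearised trilateration. The path-loss parameters (`p0`, the RSSI at one metre, and the exponent `n`), the anchor positions and the target position are all assumptions constructed for the demonstration.

```python
"""Added example: locating a transmitter from RSSI at three fixed
monitoring APs. Not part of the original Slashdot thread or of any
tool mentioned there; model parameters and positions are made up."""
import math
import random

# Assumed log-distance path-loss model: RSSI(d) = p0 - 10*n*log10(d),
# with p0 the RSSI at 1 m and n the environment exponent (2 = free space,
# 2.5-4 typical indoors). Both are assumptions, not measured values.
P0_DBM = -40.0
PATH_LOSS_N = 2.5


def rssi_from_distance(d, p0=P0_DBM, n=PATH_LOSS_N):
    """Forward model: expected RSSI (dBm) at distance d metres."""
    return p0 - 10.0 * n * math.log10(d)


def distance_from_rssi(rssi, p0=P0_DBM, n=PATH_LOSS_N):
    """Inverse model: estimated distance (metres) from an RSSI reading."""
    return 10.0 ** ((p0 - rssi) / (10.0 * n))


def trilaterate(anchors, dists):
    """Solve (x-xi)^2 + (y-yi)^2 = di^2 for three anchors.

    Subtracting the first equation from the other two removes the
    quadratic terms and leaves a 2x2 linear system, solved by Cramer's rule.
    """
    (x1, y1), (x2, y2), (x3, y3) = anchors
    d1, d2, d3 = dists
    a11, a12 = 2.0 * (x2 - x1), 2.0 * (y2 - y1)
    a21, a22 = 2.0 * (x3 - x1), 2.0 * (y3 - y1)
    b1 = d1**2 - d2**2 + x2**2 - x1**2 + y2**2 - y1**2
    b2 = d1**2 - d3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        # Collinear anchors give no unique fix; the deployment must avoid this.
        raise ValueError("monitoring APs are collinear; position is ambiguous")
    x = (b1 * a22 - a12 * b2) / det
    y = (a11 * b2 - a21 * b1) / det
    return x, y


def locate(anchors, rssis, p0=P0_DBM, n=PATH_LOSS_N):
    """RSSI readings from the three anchors -> estimated (x, y) in metres."""
    return trilaterate(anchors, [distance_from_rssi(r, p0, n) for r in rssis])


# Constructed deployment: three monitoring APs on a 20 m x 15 m floor.
ANCHORS = [(0.0, 0.0), (20.0, 0.0), (0.0, 15.0)]


def simulate_readings(target, noise_db=0.0, seed=1):
    """Constructed RSSI readings for a transmitter at `target`,
    optionally with Gaussian measurement noise in dB."""
    rng = random.Random(seed)
    return [rssi_from_distance(math.dist(target, a)) + rng.gauss(0.0, noise_db)
            for a in ANCHORS]


if __name__ == "__main__":
    true_pos = (6.0, 4.0)
    print("noise-free fix:", locate(ANCHORS, simulate_readings(true_pos)))
    # With a few dB of noise the fix wanders by metres: RSSI ranging is coarse.
    print("with 2 dB noise:", locate(ANCHORS, simulate_readings(true_pos, noise_db=2.0)))
```

The noisy run is the practitioner's caveat: a 2 dB error at n = 2.5 is roughly a 20% error in range, so without many readings and some averaging the fix narrows the search to a part of the floor, not a seat.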

  5. Ok, so you've detected an intrusion... by lorcha · · Score: 5, Insightful
    ... now what? No, seriously, what do you do once you've detected unauthorized access short of looking out your window for a guy with a Pringles can?

    Normally, when you detect an intrusion, you have an IP address, you find its owner, and then try to determine who was using that address at the time of detection, and hopefully prosecute. It just seems to me that with 802.11, your best bet is to secure the thing rather than trying to figure out whose PDA inside a backpack is polling your network.

    --
    "Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
  6. Not necessarily possible? by Anonymous Coward · · Score: 4, Interesting

    Uh, as I understand it (at least with the Cisco/Aironet clients), when you use netstumbler/kismet/whatever, the client card is in RF_MON mode, and is entirely passive. I don't know what signs of entry you're gonna see from a passive (listen-only) radio, but...

    1. Re:Not necessarily possible? by Lumpy · · Score: 4, Interesting

      it's commonly called a can, and yes repeaters use them. 900mhz and 1.2Ghz cans can be bought for peanuts at hamfests, while I wonder if a 2.4ghz can is available let alone possible to tune with anything but a full service rf shop.

      the point is that with a receive preamp and a diode I can reduce the exciter's output to the point that you would either need a 900db gain antenna or be in my back pocket to detect it.

      I used to work at a Radar detector plant that designed radar detectors that were guaranteed not detectable. 90% of the work is making the thing RF tight in the first place... most consumer grade equipment is so crappily made they leak like wet paper bags full of melting jello.

      anyone interested in attacking an access point in such a manner will do it undetected until they strike, no matter what measures the target takes..

      It's simple spy vs spy stuff... been hashed over for decades....

      --
      Do not look at laser with remaining good eye.
  7. Weird... by Eric_Cartman_South_P · · Score: 4, Funny
    ...every time I mention it to her, I get no complaints.

    1. Re:Weird... by _ph1ux_ · · Score: 5, Funny

      thats because you're not trying to come through the back door with an OC-192.

  8. Don't route his packets by upper · · Score: 4, Insightful

    Put your wireless network segment behind a firewall which proxies encrypted SSH connections and passes nothing else.

  9. AP Radar by dgp · · Score: 5, Informative

    A new style of network discovery is available in the linux 2.5 kernel and in 2.4.20. Jean Tourrilhes' Wireless Extensions for Linux version 14 and later contains a method to scan all channels for access points for a short period of time, then return to the wireless card's original state. This is implemented in the wireless drivers themselves so it works with any model of card. The 'iwlist' utility in the newer wireless tools suite will show this functionality.

    There is a GTK+ application I have written called AP Radar that also makes use of this functionality. This utility has just reached a point where it can replace the need to run iwconfig and a dhcp client. Start the application and click on the ESSID that you want to associate to. AP Radar will set the ESSID and Mode of the wireless card, and launch a DHCP client (pump). Its meant as an end-user tool to simplify the process of connecting to an access point rather than a full featured net stumbler.

    The advantage to using AP Radar over a full blown net stumbler like kismet is that you stay associated with the access point you are using, while still scanning for new APs in the area. With kismet and the others, your association is lost and you must reconnect after you're done scanning.

  10. What are the security guards going to do? by upper · · Score: 4, Interesting
    If the intruder is sitting behind the dumpster typing on his laptop, and it's the middle of the night, then your security guards have a number of courses of action that could be quite effective. But if he's in a busy starbucks, appearing to mind his own business, what can the security guard practically do?

    I'd guess that you'd have enough data show probable cause and get a warrant, but the latency is a bit long.

    I do agree that spatially locating the intruder would be useful. At the very least, it's another way of detecting (most) intruders. And if you really want to use location info to do the vigilante thing, maybe you could fry his wifi card with a few hundred watts of microwaves in a directed beam.

  11. Security for WLAN's - Smack your closest vendor by jjackson · · Score: 5, Informative

    I am currently in an email conversation with LinkSys over the topic of securing a small WLAN that I set up to link my home network to my office (in a house across the street) and ran into a real problem with their WAP11 v2.2 AP's.

    With 2 AP's set up in ethernet bridge mode (Shick as Slit!), if I enable WEP, the AP's encryption will get out of sync in very short order under heavy traffic loads (such as FTP'ing a file across the network at full speed). Once out of sync, I have to reset both AP's. With WEP disabled, the AP's perform OK.

    After several tests I was able to reproduce these results each and every time... so I emailed LinkSys about their broken WEP support. Here is the response I got:

    ----------
    Dear Mr. Joshua,

    Thank you for contacting Linksys Customer Support.

    With regard to the problem, can you provide the complete set up of your
    network? About WEP, it is advised that you disable WEP keys in your access
    point to avoid possible degradation of wireless transmission. The encryption
    causes your network to slow down in terms of wireless transmission because
    prior to transmission, the data are encrypted and decrypted at the receiving
    end. Hence, the result is to slow the efficiency of your data transfer. For
    a small network where there aren't much important files to be transferred,
    it is advised that WEP keys are disabled.

    About the firmware, the access point should have no problem connecting to
    one another although they have different firmwares.

    Have a nice day!

    Sincerely,

    Glythel Ria M. Penus
    Product Support Representative
    Linksys
    -----------------------

    If you are wondering what the firmware issue is about, I noticed that one of the new AP's came with an undocumented revision of the firmware (1.01f), so I attempted to downgrade it the version listed on their web site (1.01c), which also happens to be the version that the other AP is running. It won't do a downgrade.

    So, for my solution, I used a firewall product that my company has developed to run IPSEC across an unsecured wireless link. Fortunately, in bridge mode, the Linksys AP's will only talk to another WAP11 that has its MAC specified in the allowed list.

    Even if this wasn't my business LAN, how many people that need a wireless network never transfer anything "important"? More to the point, how many people don't care if the neighbor leeches Internet service off of the cable modem that they are paying for?

    This is not the first time I have seen this idiocy come from a vendor... my brother in law was recently instructed to remove the last several Windows Critical Updates from his Windows 2000 computer by an M$ phone-monkey, telling him that if it wasn't broke in the first place, that he shouldn't have tried to fix it.

  12. Kismet saves the day by Phork · · Score: 4, Informative

    The key point of this paper is that you can't detect passive monitoring (RFMON mode), so tools like kismet which use it are not detectable. The only way to mess with these types of tools is to send out falsified data to confuse the scanner, but this will still not let you detect them.

    --
    -- free as in swatantryam - not soujanyam.
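
The two points above, the paper's MAC-layer fingerprinting (from the story summary) and comment 12's objection that RFMON sniffers emit nothing, as one added example that is not code from Joshua Wright's paper, from Kismet, or from any commenter. It parses raw 802.11 management frames with the standard library, extracts the SSID information element from probe requests, and flags any station that sends many broadcast (zero-length SSID) probe requests inside a short window. The heuristic, the window and threshold values, and the MAC addresses and capture timestamps are assumptions constructed for the demonstration; a specific tool's signature would live in the same place the heuristic does.

```python
"""Added example: detecting active 802.11 discovery at the data-link layer.
Not from the paper, Kismet, or the thread. Heuristic (assumed, illustrative):
a source MAC that sends >= THRESHOLD broadcast probe requests within WINDOW
seconds is treated as a scanner. A passive RFMON sniffer sends no frames
and therefore never appears in the capture at all."""
import struct
from collections import defaultdict

MGMT, PROBE_REQ = 0, 4          # 802.11 frame type / subtype
WINDOW_S, THRESHOLD = 5.0, 5    # assumed detection parameters


def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)


def build_probe_request(src_mac, ssid=b"", seq=0):
    """Construct an 802.11 probe request (sample input only, not captured data).

    Header: frame control, duration, addr1 (DA), addr2 (SA), addr3 (BSSID),
    sequence control. Body: SSID and Supported Rates information elements.
    """
    frame_control = b"\x40\x00"              # version 0, type 0 (mgmt), subtype 4
    duration = b"\x00\x00"
    broadcast = b"\xff" * 6
    header = (frame_control + duration + broadcast + src_mac + broadcast
              + struct.pack("<H", (seq & 0xFFF) << 4))
    ssid_ie = bytes([0, len(ssid)]) + ssid   # element ID 0 = SSID
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # element ID 1 = rates
    return header + ssid_ie + rates_ie


def parse_frame(frame):
    """Return (type, subtype, source MAC, ssid) or None if too short.

    ssid is bytes for management frames carrying an SSID element, else None.
    Truncated elements stop parsing rather than reading past the frame.
    """
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    src = frame[10:16]
    ssid = None
    if ftype == MGMT:
        body = frame[24:]
        i = 0
        while i + 2 <= len(body):
            eid, elen = body[i], body[i + 1]
            if i + 2 + elen > len(body):
                break                         # malformed/truncated element
            if eid == 0:
                ssid = body[i + 2:i + 2 + elen]
                break
            i += 2 + elen
    return ftype, subtype, src, ssid


def detect_scanners(frames, window=WINDOW_S, threshold=THRESHOLD):
    """frames: iterable of (timestamp, raw 802.11 frame).
    Returns {source MAC: peak broadcast-probe count in any window} for
    sources whose peak reaches the threshold."""
    probes = defaultdict(list)
    for ts, raw in frames:
        parsed = parse_frame(raw)
        if parsed is None:
            continue
        ftype, subtype, src, ssid = parsed
        if (ftype, subtype) == (MGMT, PROBE_REQ) and ssid == b"":
            probes[src].append(ts)
    alerts = {}
    for src, times in probes.items():
        times.sort()
        j, peak = 0, 0
        for i, t in enumerate(times):         # sliding window over timestamps
            while t - times[j] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            alerts[mac_str(src)] = peak
    return alerts


def sample_capture():
    """Constructed capture: one active scanner, one ordinary client, and a
    passive RFMON sniffer that contributes no frames at all."""
    scanner = bytes.fromhex("001122334455")  # assumed MAC
    client = bytes.fromhex("0a0b0c0d0e0f")   # assumed MAC
    frames = [(0.2 * n, build_probe_request(scanner, b"", seq=n)) for n in range(10)]
    frames.append((1.0, build_probe_request(client, b"corpnet", seq=1)))
    frames.append((1.5, build_probe_request(client, b"corpnet", seq=2)))
    frames.append((3.0, build_probe_request(client, b"", seq=3)))  # one normal broadcast probe
    return frames


if __name__ == "__main__":
    print(detect_scanners(sample_capture()))
```

The ordinary client's single broadcast probe stays under the threshold, which is the tuning problem in practice: normal stations also send broadcast probe requests when they associate, so the threshold has to be set from the site's own baseline. The passive sniffer is absent from the output for the reason comment 12 gives; nothing it does reaches the air.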
  13. My Whitepaper by suwain_2 · · Score: 5, Funny

    That's funny, I'm working on a similar whitepaper: Detecting 802.11 Detector Detectors, to detect people trying to detect people trying to detect 802.11 networks. Included is some sample code to detect the detector detectors, but it seems to get into a nasty infinite loop, and I can't figure out why.

    --
    ________________________________________________
    suwain_2 :: quality slashdot p
  14. [preaching] share the bandwidth! by mocktor · · Score: 5, Interesting

    in response to all the people posting "so how do i stop evil k1dd135 using my bandwidth?" - why not just stick to secure (ssh, https) protocols and share it?

    Granted this isn't suitable for a lot of business networks, but still - wouldn't it be cool if you could walk down the street and stay connected to icq without getting your ass kicked?

  15. Re:is there redundancy... by Llama Keeper · · Score: 4, Funny

    Dude, you forgot the Trace Buster Buster Buster, cuz that shiat will bust his trace. The Big Hit, the best low budget no box office movie ever made. Don't forget that China Chow is smoking hot! Glad to see another Big Hit fan out there!

    --
    Rule of Life Number 2: Remember, it can all go to hell at any minute. --Jimmy Buffet
  16. Why? by Alex Belits · · Score: 4, Interesting

    Why would anyone want to know if someone is trying to find his network? What horrendous insecurity may prompt one to waste his time on such a thing? Why not just make the goddamn network secure enough so whoever will run kismet/netstumbler/whatever will simply see that he can't use this network and leave it alone?

    --
    Contrary to the popular belief, there indeed is no God.