Slashdot Mirror

← Back to Stories (view on slashdot.org)

Detecting 802.11 Discovery Apps

Posted by Hemos on from the looking-at-the-backdoor dept.

Joshua Wright writes "I have written a white paper on detecting 802.11 Wireless LAN Network Discovery applications. Wireless LAN discovery through the use of applications such as NetStumbler, DStumbler, Wellenreiter and others is an increasingly popular technique for network penetration. The discovery of a wireless LAN might be used for seemingly innocuous Internet access, or to be used as a "backdoor" into a network to stage an attack. This paper reviews some of the tactics used in wireless LAN network discovery and attempts to identify some of the fingerprints left by wireless LAN discovery applications, focusing on the MAC and LLC layers. This fingerprint information can then be incorporated into intrusion detection tools capable of analyzing data-link layer traffic. "

7 of 165 comments (clear)

  1. Physically positioning the intruder by jki · · Score: 5, Interesting
    Your article was an interesting read. But what I would like to add is that it might be theoritically possible to physically position the intruder - especially, if you have made specific preparations for it (by placing a few extra access points as radars to do the triangle-mapping thing). You could use a tool like procycle to do it for example. Then just dispatch your favorite security guard Igor and Vasili and let them do the rest :) Here's a clip from the Procycle page:

    Features: Measuring locations, Mapping, Data transfer tests, Producing quality survey reports, Graph. Requirements, Nokia 802.11b WLAN PCMCIA card, Windows 98/Me/NT/2000

  2. Ok, so you've detected an intrusion... by lorcha · · Score: 5, Insightful
    ... now what? No, seriously, what do you do once you've detected unauthorized access short of looking out your window for a guy with a Pringles can?

    Normally, when you detect an intrusion, you have an IP address, you find its owner, and then try to determine who was using that address at the time of detection, and hopefully prosecute. It just seems to me that with 802.11, your best bet is to secure the thing rather than trying to figure out whose PDA inside a backpack is polling your network.

    --
    "Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
  3. AP Radar by dgp · · Score: 5, Informative

    A new style of network discovery is available in the linux 2.5 kernel and in 2.4.20. Jean Tourrilhes'
    Wireless Extensions for Linux version 14 and later contains a method to scan all channels for access points for a short period of time, then return to the wireless card's original state. This is implemented in the wireless drivers themselves so it works with any model of card. The 'iwlist' utility in the newer wireless tools suite will show this functionality.

    There is a GTK+ application I have written called AP Radar that also makes use of this functionality. This utility has just reached a point where it can replace the need to run iwconfig and a dhcp client. Start the application and click on the ESSID that you want to associate to. AP Radar will set the ESSID and Mode of the wireless card, and launch a DHCP client (pump). Its meant as an end-user tool to simplify the process of connecting to an access point rather than a full featured net stumbler.

    The advantage to using AP Radar over a full blown net stumbler like kismet is that you stay associated with the access point you are using, while still scanning for new APs in the area. With kismet and the others, your association is lost and you must reconnect after you're done scanning.

  4. Re:Wierd... by _ph1ux_ · · Score: 5, Funny

    thats because you're not trying to come through the back door with an OC-192.

  5. Security for WLAN's - Smack your closest vendor by jjackson · · Score: 5, Informative

    I am currently in an email conversation with LinkSys over the topic of securing a small WLAN that I set up to link my home network to my office (in a house across the street) and ran into a real problem with their WAP11 v2.2 AP's.

    With 2 AP's set up in ethernet bridge mode (Shick as Slit!), if I enable WEP, the AP's encryption will get out of sync in very short order under heavy traffic loads (such as FTP'ing a file across the network at full speed). Once out of sync, I have to reset both AP's. With WEP disabled, the AP's perform OK.

    After several tests I was able to reproduce these results each and every time... so I emailed LinkSys about their broken WEP support. Here is the response I got:

    ----------
    Dear Mr. Joshua,

    Thank you for contacting Linksys Customer Support.

    With regard to the problem, can you provide the complete set up of your
    network? About WEP, it is advised that you disable WEP keys in your access
    point to avoid possible degradation of wireless transmission. The encryption
    causes your network to slow down in terms of wireless transmission because
    prior to transmission, the data are encrypted and decrypted at the receiving
    end. Hence, the result is to slow the efficiency of your data transfer. For
    a small network where there aren't much important files to be transferred,
    it is advised that WEP keys are disabled.

    About the firmware, the access point should have no problem connecting to
    one another although they have different firmwares.

    Have a nice day!

    Sincerely,

    Glythel Ria M. Penus
    Product Support Representative
    Linksys
    -----------------------

    If you are wondering what the firmware issue is about, I noticed that one of the new AP's came with an undocumented revision of the firmware (1.01f), so I attempted to downgrade it the version listed on their web site (1.01c), which also happens to be the version that the other AP is running. It won't do a downgrade.

    So, for my solution, I used a firewall product that my company has developed to run IPSEC across an unsecured wireless link. Fortunately, in bridge mode, the Linksys AP's will only to the another WAP11 that has its MAC specified in the allowed list.

    Even if this wasn't my business LAN, how many people that need a wireless network never transfer anything "important"? More to the point, how many people don't care if the neighbor leeches Internet service off of the cable modem that they are paying for?

    This is not the first time I have seen this idiocy come from a vendor... my brother in law was recently instructed to remove the last several Windows Critical Updates from his Windows 2000 computer by an M$ phone-monkey, telling him that if it wasn't broke in the first place, that he shouldn't have tried to fix it.

  6. My Whitepaper by suwain_2 · · Score: 5, Funny

    That's funny, I'm working on a similar whitepaper: Detecting 802.11 Detector Detectors, to detect people trying to detect people trying to detect 802.11 networks. Including is some sample code to detect the detector detectors, but it seems to get into a nasty infinite loop, and I can't figure out why.

    --
    ________________________________________________
    suwain_2 :: quality slashdot p
  7. [preaching] share the bandwidth! by mocktor · · Score: 5, Interesting

    in response to all the people posting "so how do i stop evil k1dd135 using my bandwidth?" - why not just stick to secure (ssh, https) protocols and share it?

    Granted this isn't suitable for a lot of business networks, but still - wouldn't it be cool if you could walk down the street and stay connected to icq without getting your ass kicked?