Slashdot Mirror


Build an Open Source Network Sniffer

An anonymous reader writes "This article reviews common issues of wireless security, and shows how to use open source software to suss out wireless networks, get information about them, and start recognizing common security problems. You will learn how to build a lightweight wireless sniffer that runs on open source software and see how simple it is to interact with wireless networks."

20 of 99 comments

  1. What I really want by nizo · · Score: 4, Interesting

    Rather than yet another wireless sniffing tool, what I really want is a linux firewall that sits between my wireless router and the rest of the world that tosses traffic from unauthenticated IP addresses (you could authenticate with, say, ssh or perhaps by hitting an SSL protected web form). Until the newly connected machine authenticates itself the firewall would squelch all outgoing traffic. It seems like this wouldn't be too hard to write, but before reinventing the wheel has anyone heard of such a thing? It would at least help keep random people from using our wireless network to surf the web (it is already outside of our firewall to help protect the rest of our network). I am all for allowing freebie wireless access to the masses, but I am not too keen on letting Joe Wardriver download kiddie porn from our work DSL either. This kind of tool seems like it would be useful to use in conjunction with a lowend wireless router.

    1. Re:What I really want by ZiZ · · Score: 5, Informative

      What you really want is something like NoCatAuth (described nicely by this article). There are plenty of other similar solutions out there - look for 'linux wireless authentication gateway' or something similar on your favorite search engine.

      --
      This flies in the face of science.
    2. Re:What I really want by heavy+snowfall · · Score: 5, Informative

      Try ipcop, it can split off your network into a wireless part and a wired part, and even add a third zone for public servers. The wireless part defaults to not giving access to either the internet or your other, wired computers, and you have to add mac addresses to a table for wireless clients to be able to connect. And it has nice graphs too, so you can see if someone's using your connection. Use this with WPA and a VPN maybe. If you want more security, use wired lan instead.

    3. Re:What I really want by john_g_galt · · Score: 5, Informative

      Sounds like you'd like something like this?

      From the website above:

      "NetReg is an automated system that requires an unknown DHCP client to register their hardware before gaining full network access. Through a simple web interface, the client is prompted for their user identification. Powerful scripts then retrieve the client's network fingerprint and store it along with the user's information in a database. The database provides administrators with real-time information for troubleshooting and auditing their networks. The entire system was developed utilizing unmodified, open-source servers and in-house developed CGI programs."

    4. Re:What I really want by nizo · · Score: 3, Informative
      ...add mac addresses to a table for wireless clients...

      Sadly this isn't very secure, since mac addresses can be faked (my wireless router already has this feature built-in). However it looks like ipcop has other types of authentication too [Version 0.2 of IPCop will include an Amber Zone (Wireless DMZ) which will support CIPE, IPSec or VPNd encrypted connections among other things] so I will check it out :-)

    5. Re:What I really want by heavy+snowfall · · Score: 3, Informative

      I know they can be faked, but it's still much better that if someone wants access to your network, they have to spend some time trying to figure out your mac and ip addresses than not, IMO.

      It's more of a deterrent than an unbreakable security measure, but add enough deterrents and that wardriver might just use your neighbour's unsecured network instead.

      And if they manage to get access, they still have to crack an iptables firewall to get to your servers. Good enough for me.

    6. Re:What I really want by MeanJeans · · Score: 3, Informative

      The problem with IPCop and Smoothwall, for that matter, is the inability to filter traffic outbound. All traffic originating on the "Green" (inside or internal) interface is permitted. Nachia and Slammer will fly right through this config. Any worm or virus or trojan that tries to use TFTP to download more tools will also be successful.

      Permitting only the traffic that needs to traverse a firewall IN ALL DIRECTIONS is a basic firewall/security concept.

      --
      =====
      imagetweak.netWeb-based image t
    7. Re:What I really want by Peyna · · Score: 2, Informative

      Considering the number of entirely open networks out there, I expect most people will just drive onto the next one unless they know you have something valuable on your network that they really want. For the average home user, WEP + MAC Address filtering is enough security to make the wardriver go to the next house. If you're a business with your name on the outside of the building though, you might have people that will be willing to try a little more to get access to your network.

      (I did this when I first moved into my apartment, since I wasn't going to have cable hooked up for 3 weeks, I just took my laptop and walked around until I found a few open networks and used them for Internet access.)

      --
      What?
    8. Re:What I really want by MeanJeans · · Score: 2, Informative

      Let me clarify my last post. If a machine on your IPCop/Smoothwall protected network is compromised, then any outbound connections that these worms/virus/trojans/attackers make, will successfully traverse the firewall.

      In the case of a worm like Slammer, it will be able to further propagate, Nachia will be able to flood your ISP connection, an attacker will be able to download a toolkit, etc...

      --
      =====
      imagetweak.netWeb-based image t
    9. Re:What I really want by matuscak · · Score: 2, Funny

      The problem with IPCop and Smoothwall for that matter, is the inability to filter traffic outbound.

      But one of the neat things about IPcop is that it's one of them open source things. So while you're quite correct that the pretty GUI doesn't have an interface for egress filtering, you *can* hop into the shell and add in the iptables commands of your choice.

    10. Re:What I really want by Jjeff1 · · Score: 2, Informative

      What you've described is exactly what MIT uses on their network. They have a large number of both wireless and wired access places. I'd assume some googling on their site might get you a little information.
      Attach a foreign computer and it prompts you to login. Non-MIT users are prompted for name and email and only allowed 15 days access per year.
      Apparently they key everything via MAC address. I let a friend borrow my old wireless NIC, and when he went to register it welcomed ME back. I hadn't used the NIC in a year.
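
As an added example that is not part of this thread and is not NoCatAuth's, NetReg's or MIT's code, the following is a minimal authentication gateway of the kind nizo asks for, built from plain iptables: nothing from the wireless side is forwarded until a per-client rule admits it, and unauthenticated web traffic is diverted to the login page. The interface names (wlan0, eth0), the 10.10.0.0/24 wireless subnet, the gateway address 10.10.0.1 and the portal port 8080 are assumptions; the login form itself is whatever you put behind that port.

```shell
#!/bin/sh
# Added example, not code from the thread, NoCatAuth or NetReg.
# Assumed layout (not stated on the page): wireless clients on wlan0 in
# 10.10.0.0/24, gateway address 10.10.0.1 serving the login page on port
# 8080, upstream link on eth0.  The gateway must also answer DHCP and DNS on
# the wireless side so that unauthenticated clients can reach the login page.
WIFI_IF="${WIFI_IF:-wlan0}"
WAN_IF="${WAN_IF:-eth0}"
GW_IP="${GW_IP:-10.10.0.1}"
PORTAL_PORT="${PORTAL_PORT:-8080}"

# Base policy in iptables-restore(8) format.  Printing it rather than running
# iptables line by line keeps the policy reviewable and applies it atomically.
# The "authed" chain is consulted BEFORE the ESTABLISHED rule, so removing a
# client's rule cuts its running connections too, not only new ones.
portal_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:authed_nat - [0:0]
-A PREROUTING -i $WIFI_IF -p tcp --dport 80 -j authed_nat
-A PREROUTING -i $WIFI_IF -p tcp --dport 80 -j DNAT --to-destination $GW_IP:$PORTAL_PORT
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:authed - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WIFI_IF -p tcp --dport $PORTAL_PORT -j ACCEPT
-A INPUT -i $WIFI_IF -p udp --dport 53 -j ACCEPT
-A INPUT -i $WIFI_IF -p udp --dport 67 -j ACCEPT
-A FORWARD -i $WIFI_IF -o $WAN_IF -j authed
-A FORWARD -i $WAN_IF -o $WIFI_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j LOG --log-prefix "portal-drop: "
COMMIT
EOF
}

# The IP and MAC arrive from the login form, so they are validated before
# they go anywhere near a command line.
valid_mac() {
    printf '%s' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    _ip=$1
    _ifs=$IFS; IFS=.
    set -- $_ip
    IFS=$_ifs
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
}

# Print the two rules that admit one client, binding its IP to the MAC it
# authenticated from.  nizo's caveat stands: a MAC can be faked, so this is a
# weak tie to the session, not proof of identity; expire it with a timer.
auth_client() {
    valid_ipv4 "$1" && valid_mac "$2" || return 1
    printf '%s\n' \
        "iptables -t nat -I authed_nat -s $1 -m mac --mac-source $2 -j ACCEPT" \
        "iptables -I authed -s $1 -m mac --mac-source $2 -j ACCEPT"
}
# Same rules with -D: logout or session expiry.
deauth_client() {
    rules=$(auth_client "$1" "$2") || return 1
    printf '%s\n' "$rules" | sed 's/ -I / -D /'
}

# Usage (root needed for all but "show"):
#   portal.sh apply | auth IP MAC | deauth IP MAC | show
case "${1:-show}" in
    apply)  portal_ruleset | iptables-restore && echo 1 > /proc/sys/net/ipv4/ip_forward ;;
    auth)   rules=$(auth_client "${2:-}" "${3:-}") || { echo "rejected: ${2:-} ${3:-}" >&2; exit 2; }
            printf '%s\n' "$rules" | sh ;;
    deauth) rules=$(deauth_client "${2:-}" "${3:-}") || { echo "rejected: ${2:-} ${3:-}" >&2; exit 2; }
            printf '%s\n' "$rules" | sh ;;
    show)   portal_ruleset ;;
esac
```

The web form behind port 8080 calls `portal.sh auth IP MAC` once the user has logged in (the MAC comes from the ARP table, not from the client); a cron job calls `deauth` when the session expires. Because the `authed` chain is evaluated before the ESTABLISHED rule, deauthorising a client stops its traffic at the next packet instead of letting open connections linger.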

  2. Network "sniffer"? by ZiZ · · Score: 5, Interesting
    While this tool that TFA references and builds is a pretty neat interface to viewing broadcast-SSID access points, I don't think it really qualifies as a 'sniffer', because it doesn't deal at all with sniffing packets, detecting non-broadcast-SSID access points, or anything along those lines.

    It is, however, a pretty neat text-only interface to enumerate broadcasting APs, and honestly, the code for the interface makes for more interesting examination than the code for the 'sniffing'.

    --
    This flies in the face of science.
  3. Commercial Sniffer Applications by Anonymous Coward · · Score: 4, Interesting

    Has anyone actually looked at the cost of commercial "Sniffer" devices? Network General (formerly Network Associates) sells a version that is outrageously priced. Granted, it does have additional functionality, but all you need is a Sniffer. I wonder how a company can sell such a half-assed product, and why people would still buy it. Ethereal is a really nice "free" program to use, and there are many other ways to get a NIC to display everything flowing through it.

    1. Re:Commercial Sniffer Applications by dustinbarbour · · Score: 3, Interesting

      I'm part of a federally-funded research team working on wireless security and internet forensics and we use AirMagnet to sniff packets.

  4. Wow, what a great article. by thegnu · · Score: 5, Funny

    I have bookmarked it. This is the kind of crap I love. I just today acquired a Cassiopeia E100 for free, and I'm going to a)install Linux on it, and b)see if I can get wireless running on it. This is gonna be awesome.

    My favorite software slogan ever is for ethereal, "Sniffing the glue that holds the internet together"

    I'm sure a lot of you know this but this is in reference to TCP/IP being called "the glue that holds the internet together" Oh so funny. And oh so off-topic. I'm sorry. I love you guys.

    --
    Please stop stalking me, bro.
  5. Linksys WRT54G/GS by adamjaskie · · Score: 5, Interesting

    Its sold as a "router", but what it really is is a little plastic box with a 200MHz MIPS embedded computer running Linux. You can replace the firmware with something like Sveasoft's modified version, that allows you to SSH into it, and run something like Snort on it. You can turn off the onboard wireless card if you don't need it, and disconnect the antennas for an even more compact device. Without the radio going, it probably won't even put out much heat.

    --
    /usr/games/fortune
  6. Simple hardware solution by pp · · Score: 4, Insightful

    Get a Linksys WRT54G (no need for GS even, you're just going to use it for sniffing), stick openwrt on it, put kismet_drone on it and off you go. Gives you your wlan traffic over good old Ethernet, and costs something like $65 nowadays.

    Or you can buy a $30-50 card for your PC which might or might not be able to do monitor mode depending on your drivers, and might or might not reliably go into monitor mode depending on the exact sequence of iwconfig/ifconfig/catting stuff into files in /proc you are doing and finally might or might not show you all the packets since the firmware hides them from you.

    Of course if you're running around with a laptop the Linksys option is a bit tricky since you need to feed power to it. For basic indoor problem-solving it's unbeatable. Unless someone comes up with a reliable source for prism2.5/3's.

    Still need to find a good 802.11a solution though.

    1. Re:Simple hardware solution by adamjaskie · · Score: 4, Informative

      The GS has twice the RAM and NVRAM of the regular WRT54G. This can be helpful as far as running packet sniffing apps on it is concerned.

      --
      /usr/games/fortune
  7. Re:The problems with Open Source Sniffers by Anonymous Coward · · Score: 2, Interesting

    Nope, that's not a troll. Please go read the paper. Linux has too much overhead when handling interrupts.

    I suppose you can stick your head in the sand, but unless you know how to deal with this, you're misleading people if you think you're actually capturing packets on a high-speed network.

    This is actually an important problem for those of us who are trying to use Linux in this area; and this is the first paper I've seen which actually describes the problem, how to reproduce it, and some work-arounds for it (but no real fix).

  8. Re:Why not by Directrix1 · · Score: 2, Informative

    Exactly, so here is my method to solve this problem:
    * Buy a wireless AP and a linux box with 2 NICs
    * Hook one NIC to your network, the other NIC to the wireless AP
    * Download and install OpenVPN on your linux box
    * Set up iptables to DROP all packets being forwarded from the outside NIC to the inside and vice versa:

    # Assuming:
    # * eth0 is the outside NIC
    # * eth1 is the inside NIC
    # * Default iptables policy is ACCEPT
    # * Your linux kernel supports iptables,
    # and routing
    iptables -A FORWARD -i eth0 -j DROP
    iptables -A FORWARD -i eth1 -o eth0 -j DROP
    echo 1 > /proc/sys/net/ipv4/ip_forward

    * Install OpenVPN on all clients and point them to the outside NIC as the remote server

    This way only VPN-to-inside-NIC packets will traverse your linux box, and everything will be encrypted with as big a key as you want. So you could just set up your AP without a WEP key and not worry (assuming you are using some key to encrypt the communications with OpenVPN, which you should). Have Fun!

    --
    Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF
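
As an added example, not Directrix1's script, here is a fuller ruleset for the gateway described above. It keeps the idea (nothing arriving on the outside NIC is forwarded, only traffic that came in through the VPN tunnel is) but uses a default-deny FORWARD chain in both directions and an explicit allow-list of what VPN users may reach on the wired side, which is also the outbound filtering MeanJeans and matuscak discuss that IPCop's GUI does not offer. Assumed, and not stated in the post: OpenVPN listens on UDP 1194 on eth0 and gives clients addresses in 10.8.0.0/24 on tun0; the wired network behind eth1 is 192.168.1.0/24; the allowed ports are illustrative.

```shell
#!/bin/sh
# Added example, not Directrix1's script.  Assumptions not stated in the post:
# OpenVPN listens on UDP 1194 on the outside NIC and hands clients addresses
# in 10.8.0.0/24 on tun0; the wired network behind the inside NIC is
# 192.168.1.0/24.
OUT_IF="${OUT_IF:-eth0}"            # towards the access point (untrusted)
IN_IF="${IN_IF:-eth1}"              # towards the wired network
VPN_IF="${VPN_IF:-tun0}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
# What VPN users may open towards the wired side.  Everything else, in every
# direction, is logged and dropped: a worm on a VPN client cannot TFTP or
# scan its way through, which is the egress filtering the thread asks for.
ALLOWED_TCP="${ALLOWED_TCP:-22 80 443}"
ALLOWED_UDP="${ALLOWED_UDP:-53}"

# Emit the policy in iptables-restore(8) format.  Note there is no rule that
# forwards anything arriving on $OUT_IF: plain (non-VPN) wireless traffic can
# only ever reach the OpenVPN port on the box itself.
gateway_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $OUT_IF -p udp --dport $VPN_PORT -j ACCEPT
-A INPUT -i $IN_IF -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    for p in $ALLOWED_TCP; do
        echo "-A FORWARD -i $VPN_IF -o $IN_IF -s $VPN_NET -d $LAN_NET -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $ALLOWED_UDP; do
        echo "-A FORWARD -i $VPN_IF -o $IN_IF -s $VPN_NET -d $LAN_NET -p udp --dport $p -j ACCEPT"
    done
    cat <<EOF
-A FORWARD -j LOG --log-prefix "fwd-drop: "
COMMIT
EOF
}

# Number of explicit tunnel-to-LAN accept rules (one per allowed port).
allowed_rule_count() {
    gateway_ruleset | grep -c -- "-A FORWARD -i $VPN_IF -o $IN_IF"
}

# Sanity check before applying: no FORWARD rule may match traffic arriving
# on the outside NIC, VPN or not.  Returns non-zero if one slipped in.
no_plain_forward() {
    ! gateway_ruleset | grep -q -- "-A FORWARD -i $OUT_IF"
}

# Usage: gateway.sh show | apply   ("apply" needs root)
case "${1:-show}" in
    apply) no_plain_forward || { echo "refusing: outside NIC would be forwarded" >&2; exit 2; }
           gateway_ruleset | iptables-restore
           echo 1 > /proc/sys/net/ipv4/ip_forward ;;
    show)  gateway_ruleset ;;
esac
```

The original two DROP rules relied on the default ACCEPT policy to let tun0 traffic through; flipping the FORWARD policy to DROP and listing what is allowed means a later, forgotten interface (a second NIC, a bridge) is closed by default rather than open. Dropped packets show up in the kernel log with the `fwd-drop:` prefix, which is also the quickest way to notice a compromised VPN client probing the wired side.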