Security

Detecting 802.11 Discovery Apps

Joshua Wright writes "I have written a white paper on detecting 802.11 Wireless LAN Network Discovery applications. Wireless LAN discovery through the use of applications such as NetStumbler, DStumbler, Wellenreiter and others is an increasingly popular technique for network penetration. The discovery of a wireless LAN might be used for seemingly innocuous Internet access, or as a "backdoor" into a network to stage an attack. This paper reviews some of the tactics used in wireless LAN network discovery and attempts to identify some of the fingerprints left by wireless LAN discovery applications, focusing on the MAC and LLC layers. This fingerprint information can then be incorporated into intrusion detection tools capable of analyzing data-link layer traffic."
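As an added illustration of the MAC-layer fingerprinting the summary describes (this is example code, not from the paper or the post), the following Python parses constructed raw 802.11 management frames and flags transmitters that send repeated wildcard-SSID probe requests, the traffic pattern active discovery tools produce; the MAC addresses, frames and threshold are assumptions made up for the example.

```python
import struct
from collections import defaultdict

PROBE_REQUEST = (0, 4)  # (type, subtype) in the 802.11 frame control field

def parse_mgmt_frame(frame):
    """Return (type, subtype, source MAC, SSID) for an 802.11 frame, or None if too short.
    SSID is "" for a wildcard probe, None if no SSID element is present."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    src = ":".join(f"{b:02x}" for b in frame[10:16])  # addr2 = transmitter
    ssid = None
    if ftype == 0:
        # Walk the tagged information elements after the 24-byte header
        # (probe requests carry no fixed fields before the IEs).
        body, i = frame[24:], 0
        while i + 2 <= len(body):
            tag, length = body[i], body[i + 1]
            if tag == 0:
                ssid = body[i + 2:i + 2 + length].decode("utf-8", "replace")
                break
            i += 2 + length
    return ftype, subtype, src, ssid

def find_active_scanners(frames, threshold=3):
    """Count wildcard (zero-length SSID) probe requests per transmitter
    and return those at or above the threshold."""
    counts = defaultdict(int)
    for frame in frames:
        parsed = parse_mgmt_frame(frame)
        if parsed is None:
            continue
        ftype, subtype, src, ssid = parsed
        if (ftype, subtype) == PROBE_REQUEST and ssid == "":
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

def build_probe_request(src, ssid=b""):
    """Constructed sample frame: a minimal probe request to the broadcast BSSID."""
    bcast = b"\xff" * 6
    hdr = struct.pack("<BBH", 0x40, 0x00, 0) + bcast + src + bcast + struct.pack("<H", 0)
    return hdr + bytes([0, len(ssid)]) + ssid

SCANNER = bytes.fromhex("001122334455")  # constructed MAC of a stumbler
CLIENT = bytes.fromhex("66778899aabb")   # constructed MAC of an ordinary client
SAMPLE_FRAMES = [build_probe_request(SCANNER) for _ in range(5)] + [build_probe_request(CLIENT, b"corpnet")]
```

Running `find_active_scanners(SAMPLE_FRAMES)` on the constructed capture reports only the stumbler's MAC; a monitor-mode capture feed would replace the sample list.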
  • Wrong approach (Score:4, Insightful)

    by bobthemuse ( 574400 ) on Monday November 11, 2002 @06:53PM (#4646310)
    Any 802.xx network near a public area is going to be stumbled upon eventually... why not encrypt your traffic rather than spending the time detecting some geek walking by with an 802.xx handheld running out of his bag?
  • by lorcha ( 464930 ) on Monday November 11, 2002 @06:57PM (#4646355)
    ... now what? No, seriously, what do you do once you've detected unauthorized access short of looking out your window for a guy with a Pringles can?

    Normally, when you detect an intrusion, you have an IP address, you find its owner, and then try to determine who was using that address at the time of detection, and hopefully prosecute. It just seems to me that with 802.11, your best bet is to secure the thing rather than trying to figure out whose PDA inside a backpack is polling your network.

  • by upper ( 373 ) on Monday November 11, 2002 @07:14PM (#4646466)
    Put your wireless network segment behind a firewall which proxies encrypted SSH connections and passes nothing else.
  • by gl4ss ( 559668 ) on Monday November 11, 2002 @07:15PM (#4646473) Homepage Journal
    can't detect that, right?

    and when they're using info found with it it's too late, right?

    better have it secure in the first place..
    I've got a system like this on my door: if it's busted, I've been robbed.
  • Re:securing (Score:3, Insightful)

    by spinlocked ( 462072 ) on Monday November 11, 2002 @07:46PM (#4646666)
    ...only allow the MACs of your PDA...

    Meanwhile I'll be a hypothetical man in a black hat at another table. I'll be watching you through two holes cut in a newspaper. When you've finished and switched off your PDA/notebook/whatever, I'll assume the MAC address which my PDA recorded you were using and start to upload illegal things through your DSL line. If you are using WEP, it'll take a hundred meg or so of your data to be transferred before I've got your key.

    Don't rely on MAC address filtering or WEP, this stuff was poorly thought out to start with. Use IPSec or SSH tunnels if you can, or failing that firewall off your access point from the rest of your apartment network and treat it like any other public network - insecure.

  • by mobilinux ( 160814 ) on Monday November 11, 2002 @08:13PM (#4646880)
    It is still possible to detect a client in RFMON mode by using a very high gain antenna combined with some DSP to identify a possible listening of an 802.11 receiver, since there is no FCC regulation for a receiving antenna gain :)
  • by indiigo ( 121714 ) on Monday November 11, 2002 @08:13PM (#4646886) Homepage
    Looking at wireless over the last two years is just mind boggling. There's no way to stay up to date on the latest security hacks and updates and firmware and make sure your mac addresses are in a database and this and that. It hardly seems worth the effort. Hell it's easier just bringing a spindle of cat6 and wiring up 1000bt or better around with you than deal with the networking mess.
  • by mesocyclone ( 80188 ) on Monday November 11, 2002 @08:57PM (#4647183) Homepage Journal
    Mu

    Not hardly!

    A diode preferentially passes DC current in one direction. This is RF current.

    Normally you will get some isolation from the receiver's RF amplifier (if it has any).

    Beyond that, you can use a device called a circulator - a magical waveguide/magnet thingie that allows RF at the appropriate frequency to only propagate one way through it.

    These things are *not* cheap, BTW, but are commonly used in repeater systems.
