Detecting 802.11 Discovery Apps
Joshua Wright writes "I have written a white paper on detecting 802.11 Wireless LAN Network Discovery applications. Wireless LAN discovery through the use of applications such as NetStumbler, DStumbler, Wellenreiter and others is an increasingly popular technique for network penetration. The discovery of a wireless LAN might be used for seemingly innocuous Internet access, or as a "backdoor" into a network to stage an attack. This paper reviews some of the tactics used in wireless LAN network discovery and attempts to identify some of the fingerprints left by wireless LAN discovery applications, focusing on the MAC and LLC layers. This fingerprint information can then be incorporated into intrusion detection tools capable of analyzing data-link layer traffic."
is there redundancy... (Score:3, Funny)
Re:is there redundancy... (Score:2, Funny)
How soon until we see detectors built into the discovery apps, to detect the detector detectors?
Re:is there redundancy... (Score:4, Funny)
Yeah... (Score:4, Funny)
Re:Yeah... (Score:4, Funny)
Re:Yeah... (Score:1)
Weird... (Score:4, Funny)
Re:Weird... (Score:5, Funny)
Re:Weird... (Score:1, Funny)
Re:Yeah... (Score:4, Funny)
That's because she wants you to spend time with her, not your buddies.
Re:Yeah... (Score:4, Funny)
"When you find a woman who reacts positivly to the suggestion of 'backdoor penetration', seriously consider marriage"
rules to live by.
Re:Yeah... (Score:1)
Ahhh, I love /. It has to be the only place on the 'net where a technical discussion of wireless intrusion detection can be made analogous to anal sex.
Wrong approach (Score:4, Insightful)
Re:Wrong approach (Score:1)
Don't route his packets (Score:4, Insightful)
Re:Wrong approach (Score:3, Informative)
Re:Wrong approach (Score:3, Interesting)
If some geek passes by and wants to use some bandwidth, that's great. If it starts to happen a lot, I'll try to find them and work something out. With some luck, this happens 2-4 times, and we all agree to pitch in to get more bandwidth!
There's an easier way (Score:3, Funny)
Love it. (Score:4, Funny)
Are you a coder? Need work? Get involved at the beginning of an arms race such as this one. Employment for years and years. Get involved early enough, and soon you will be an "expert".
Of course, there are more employment opportunities on the defensive side of the race, while the more fun side is the offense.
War Is Good: +1, Even More Patriotic (Score:1, Funny)
See Naqoyqatsi [naqoy.com]
(Na-qoy-qatsi: (nah koy' kahtsee) N. From the Hopi Language.
1. A life of killing each other. 2. War as a way of life. 3.
(Interpreted) Civilized violence.
Arms Race (Score:3, Funny)
- With this anti-missile missile, we can intercept their missiles!
* But what do we do if they build an anti-anti-missile-missile missile?
- Simple, we build an anti-anti-anti-missile-missile-missile missile.
* Ow...I have a headache.
Re:Arms Race (Score:2)
Physically positioning the intruder (Score:5, Interesting)
Features: Measuring locations, Mapping, Data transfer tests, Producing quality survey reports, Graph. Requirements, Nokia 802.11b WLAN PCMCIA card, Windows 98/Me/NT/2000
What are the security guards going to do? (Score:4, Interesting)
I'd guess that you'd have enough data to show probable cause and get a warrant, but the latency is a bit long.
I do agree that spatially locating the intruder would be useful. At the very least, it's another way of detecting (most) intruders. And if you really want to use location info to do the vigilante thing, maybe you could fry his wifi card with a few hundred watts of microwaves in a directed beam.
Re:What are the security guards going to do? (Score:2)
Why the fuck would you want to set precedents like that? I want to live in a country with a just and fair legal system, I don't know about you. Doing shit like that makes things bad for everyone else.
If you're going to joke about stuff, joke about stuff involving thugs or James Bond style countermeasures. Joking about making the legal system even more unfair to everyone is just not funny.
Re:What are the security guards going to do? (Score:2)
Filter based on Physical Location (Score:2)
Ahhh....imagine the urban legends;
The connection attempt...it's coming from inside the house!!
Ok, so you've detected an intrusion... (Score:5, Insightful)
Normally, when you detect an intrusion, you have an IP address, you find its owner, and then try to determine who was using that address at the time of detection, and hopefully prosecute. It just seems to me that with 802.11, your best bet is to secure the thing rather than trying to figure out whose PDA inside a backpack is polling your network.
Re:Ok, so you've detected an intrusion... (Score:2)
The next problem is re-enabling a MAC Address when an authorized person either runs a sniffer for fun or generates a false-positive.
--
Re:Ok, so you've detected an intrusion... (Score:1)
even if the intruder is somehow unaware he can change his MAC address, he can still sniff your network traffic until the HD gets full.
of course, if all the intruder was doing is passive sniffing, you wouldn't be able to detect it to start with.
Re:Ok, so you've detected an intrusion... (Score:1)
Re:Ok, so you've detected an intrusion... (Score:2, Informative)
There was a paper on how to track people scanning your WLAN by triangulating their location from several access points (here [interlinknetworks.com]), but that seems like an awful lot more effort than just securing the network in the first place.
It might be useful for statistical interest (go to the boss asking for money because X number of people have been trying to hack the WLAN). Package it up and install it on a machine somewhere.
Note that this won't pick up Kismet (not that anything will, short of scanning for moving RF emissions from a computer). But that's another point entirely.
Re:Ok, so you've detected an intrusion... (Score:2, Interesting)
Re:Ok, so you've detected an intrusion... (Score:1)
useful link: kismet [kismetwireless.net]
Re:Ok, so you've detected an intrusion... (Score:1)
rfmon still wins, though.
Re:Ok, so you've detected an intrusion... (Score:2)
Re:Ok, so you've detected an intrusion... (Score:1)
Re:Ok, so you've detected an intrusion... (Score:2)
Most commonly used is a 93LC46 which is a 1K bit (128 bytes) CMOS serial EPROM.
Have some fun, that's what (Score:3, Funny)
Rewrite stock quotes on the fly...
Write a perl script that will rewrite outgoing POP emails
(s/Regards,/I love you,/g is an old favorite of mine...)
I figure if someone uses my network without asking for permission, I have the right to make them look like an idiot.
Cheers,
Jim
Re:Have some fun, that's what (Score:2)
Wireless security in one word. (Score:3, Interesting)
The threat of unauthorized use of an AP is seriously overrated. Sure, WEP can be cracked. But Airsnort needs between 100 megs and 1 gig of honest data to crack 128-bit WEP. How long is it going to take you to gain that much data at 11 megabits per second? My ever so rough math says that to get a gig of data at 1.375 megabytes per sec (that is the equivalent of 11 megabits, right? If not, the point is still valid, even if the math is off) you need about 12 minutes of just data. Try staying in range of an AP that long at 35 mph.
Remember, most of that traffic isn't data, it's beacon frames. Just the AP announcing itself to the world. 128-bit WEP isn't secure enough to do business over. It's not even secure enough to call it encryption. It will, however, keep the average war driver off your network. I usually figure that if they've made an effort to secure the network, I should leave the network alone.
Now, for all those AP's that register as F (factory default), well...those people were asking to have their MAC address added to their AP's banned list.......
Not necessarily possible? (Score:4, Interesting)
Re:Not necessarily possible? (Score:1)
up to a highly sensitive RF receiver trying to identify local oscillator emissions out of the listening client card. In simple terms, what about a detector similar to a "radar detector detector"? Also, any RF_MON mode client card is going to be actively scanning the different channels (leading to differing oscillator frequencies). If you know your legitimate clients are not operating in that channel, and if you have a really focused antenna, you could even catch the intruder by moving the antenna for max signal strength of the oscillator emission.
Re:Not necessarily possible? (Score:1)
a rogue receiver, you could then stop the transmission in the particular transmission or just transmit false data. It would be even better if you could start switching the WEP keys in sync with the legitimate clients (or) encrypt the traffic on the fly. If not, you can also think of sending a shutdown signal to legitimate clients and then zap a high energy RF pulse in the direction of maximum signal strength to burn out the frontend of the rogue client; it would then become easy to spot the intruder visually with the smoking card! Then continue regular transmission once the offending oscillator signal is absent.
Re:Not necessarily possible? (Score:1)
easier if you could use additional high gain receivers (or switch a single receiver between multiple antennas) to locate the intruder by triangulation and immediately activate a focused beam of high energy RF (high gain electronically controlled phased array antenna?) to cripple the receiver without impairing ongoing sessions with other authorized clients.
Re:Not necessarily possible? (Score:1)
ever knew about how a receiver works (direct conversion, superhet etc.) you will understand what I mean. You do need dedicated h/w for doing it. Also you should remember there is no limit on the receiver antenna gain by FCC. With the current advances in DSP, RF device technologies, electronically controlled phased array antennas and liquid nitrogen cooled RF LNAs, nothing is impossible. I could build you one, if you could pay me $$$$$, even out of off-the-shelf components!
Re:Not necessarily possible? (Score:1)
if I sniff long enough, I can crack your encryption and cause utter hell the very first time I transmit.
how about instead of trying to play spy, the WIFI owners make it secure? Nahhh, makes too much sense.
Re:Not necessarily possible? (Score:1)
how about instead of trying to play spy, the WIFI owners make it secure? Nahhh, makes too much sense.
You answered your own question. Hard to make it secure if they can crack your encryption, say with AirSnort. The protocol needs better encryption on it, simple as that.
Re:Not necessarily possible? (Score:3, Insightful)
Not hardly!
A diode preferentially passes DC current in one direction. This is RF current.
Normally you will get some isolation from the receiver's RF amplifier (if it has any).
Beyond that, you can use a device called a circulator - a magical waveguide/magnet thingie that allows RF at the appropriate frequency to only propagate one way through it.
These things are *not* cheap, BTW, but are commonly used in repeater systems.
Re:Not necessarily possible? (Score:4, Interesting)
the point is that with a receive preamp and a diode I can reduce the exciter's output to the point that you would either need a 900db gain antenna or be in my back pocket to detect it.
I used to work at a radar detector plant that designed radar detectors that were guaranteed not detectable. 90% of the work is making the thing RF tight in the first place... most consumer grade equipment is so crappily made they leak like wet paper bags full of melting jello.
anyone interested in attacking an access point in such a manner will do it undetected until they strike, no matter what measures the target takes..
It's simple spy vs spy stuff... been hashed over for decades....
Re:Not necessarily possible? (Score:3, Informative)
1) keep energy received by the antenna from getting into the final amplifier and generating spurious products (which is why they are *required* at most shared sites)
2) Protecting the transmitter from antenna failure, since the third terminal on the circulator is typically hooked to a dummy load.
Cans are used to create narrow band filters. On a typical FM repeater, they are used to duplex the transmitter and receiver to the same antenna (and hence they form a "duplexer"). Additional cans may be used to further reduce spurious emissions, and to protect the receiver from known strong out-of-band signals.
I assume by exciter you really mean local oscillator. And as I mentioned, the receive amp will in fact reduce the exciter output. The diode... well, why the heck would you put a diode in the circuit? It doesn't make any sense.
LO leakage is a well known problem with any superheterodyne receiver design. There are a number of methods to solve it (including appropriate mixers, pre-amps, trapping out the RF frequency, etc). I have *never* heard of anyone suggest using a diode for that purpose. It just does not compute.
The real problem with the approach of detecting the LO is that in any but the worst designed receiver, it will be way down in output power compared to the transmitter. Sniffing for LO's is thus inherently disadvantaged compared to sniffing for transmitters.
It's not a "can" (Score:3, Informative)
These are usable in amateur applications because of the fact that repeaters transmit and receive on different frequencies. (Standard offset is 600 kHz in the 2 meter (144-148 MHz) band, 5 MHz in the 70 cm (440 MHz) band). 600 kHz is VERY close spacing at 144 MHz, which is why high-Q resonant cavities are needed, not L/C filters. They are needed because repeaters operate full-duplex (transmitting and receiving at the same time).
Such a thing doesn't exist for WLAN cards because of the fact WLAN devices transmit and receive on the same frequency (but not at the same time.) T/R switching is usually handled by diodes. (A diode, despite what a poster said, WILL block RF if biased properly. But to RF, it's bidirectional, either on both ways or off both ways, depending on the DC potential across the diode) Plus even in the "off" state, they'll leak a bit.
An isolator will allow RF to go in only one direction, while blocking RF going the other direction. These are expensive ($40-50 in quantities of 50+, probably more for one with coaxial connections).
Still, you can put all you want in the antenna feedline to make sure RF goes only one way - The receiver LO is going to leak out of the device housing. It'll be weak, but it'll be there. It'll be a CW signal, which will make it easier to detect despite being weak.
In RFMon mode, you don't need to take any measures to block RF going up the antenna feedline - The card will be stuck in receive mode with the transmitter shut down. Of course, the fact that your card is not transmitting means you can use a simple unidirectional preamp for receive rather than an expensive RF-sensing bidirectional amp. (These switch from receive to transmit when they sense RF coming from the transmitter).
RTFA (Score:2)
Detecting 802.11 Discovery Apps (Score:1)
oh oh... (Score:2, Funny)
HTML mirror (for us script kiddies) (Score:1)
Yes, it's on Tripod, so beware the popups and banners. Whaddya expect from us skr1pt k1dd13z?
securing (Score:2)
Let's say I have DSL at my 5th floor apt. in downtown SF - I put a WiFi antenna up so I can roam to the cafe across the street - how do I keep any others off my network? Cheaply?
Re:securing (Score:2)
sorry for the one liner, but pulling this off is very OS dependent, thus out of the scope of this posting.
Re:securing (Score:2, Informative)
Re:securing (Score:3, Insightful)
Meanwhile I'll be a hypothetical man in a black hat at another table. I'll be watching you through two holes cut in a newspaper. When you've finished and switched off your PDA/notebook/whatever, I'll assume the MAC address which my PDA recorded you were using and start to upload illegal things through your DSL line. If you are using WEP, it'll take a hundred meg or so of your data to be transferred before I've got your key.
Don't rely on MAC address filtering or WEP, this stuff was poorly thought out to start with. Use IPSec or SSH tunnels if you can, or failing that firewall off your access point from the rest of your apartment network and treat it like any other public network - insecure.
Re:securing (Score:2)
Re:securing (Score:1)
Re:securing (Score:1)
provisions of security (such as 128-bit WEP with shared authentication only) and use IPSEC to encrypt the entire traffic. If not, you could just create an ssh tunnel. Time to get a Linux tablet PC?
Re:securing (Score:1)
Re:securing (Score:2)
My WiFi is outside my firewall, and I don't limit access at all. I'm in San Bruno, not SF, so there are not as many interested parties (none, most of the time). Depending on how friendly you want to be to your neighbors/visiting friends/passers by, you might route the WiFi traffic through your server but limit the bandwidth. This is getting to be real work, though...
Yeah, but... (Score:1)
Re:Yeah, but... (Score:1)
how about totally passive eavesdropping? (Score:2, Insightful)
and when they're using info found with it it's too late, right?
better have it secure in the first place..
i got a system like this on my door, if it's busted, i've been robbed.
Ok, so you have detected an intrusion.... (Score:3, Funny)
Go outside and kick ass on the guy with the laptop?
You could sneak up behind him and strangle him with all that extra cat-5 you have lying around now.
EMP (Score:1, Funny)
AP Radar (Score:5, Informative)
Wireless Extensions for Linux version 14 and later contains a method to scan all channels for access points for a short period of time, then return to the wireless card's original state. This is implemented in the wireless drivers themselves so it works with any model of card. The 'iwlist' utility in the newer wireless tools suite will show this functionality.
There is a GTK+ application I have written called AP Radar [sourceforge.net] that also makes use of this functionality. This utility has just reached a point where it can replace the need to run iwconfig and a DHCP client. Start the application and click on the ESSID that you want to associate to. AP Radar will set the ESSID and Mode of the wireless card, and launch a DHCP client (pump). It's meant as an end-user tool to simplify the process of connecting to an access point rather than a full featured net stumbler.
The advantage to using AP Radar over a full blown net stumbler like kismet is that you stay associated with the access point you are using, while still scanning for new APs in the area. With kismet and the others, your association is lost and you must reconnect after you're done scanning.
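The scan the post describes (Wireless Extensions 14+, surfaced by `iwlist <iface> scanning`) prints one "Cell" per access point. The following is an added example, not part of AP Radar or wireless-tools, that parses that text and runs the checks an administrator would actually want over it: open APs, factory-default SSIDs (the "F" category mentioned elsewhere in this thread), and an unknown BSSID advertising one of your own SSIDs. The scan text, the set of known BSSIDs and the default-SSID list are constructed assumptions; the field names follow the wireless-tools output format of the period.

```python
"""Added example: audit `iwlist scanning` output for open, default-SSID and
look-alike access points. The sample text and the two policy sets are assumptions."""
import re

# Constructed sample in the wireless-tools `iwlist <iface> scanning` layout.
SAMPLE_SCAN = """\
eth1      Scan completed :
          Cell 01 - Address: 00:04:5A:0F:12:34
                    ESSID:"linksys"
                    Mode:Master
                    Frequency:2.437GHz (Channel 6)
                    Quality:23/92  Signal level:-72 dBm  Noise level:-95 dBm
                    Encryption key:off
          Cell 02 - Address: 00:60:1D:1E:2F:30
                    ESSID:"corp-net"
                    Mode:Master
                    Frequency:2.412GHz (Channel 1)
                    Quality:60/92  Signal level:-40 dBm  Noise level:-95 dBm
                    Encryption key:on
          Cell 03 - Address: 00:90:4B:AA:BB:CC
                    ESSID:"corp-net"
                    Mode:Master
                    Frequency:2.462GHz (Channel 11)
                    Quality:80/92  Signal level:-30 dBm  Noise level:-95 dBm
                    Encryption key:off
"""

# Policy inputs (assumptions): the BSSIDs you operate, and SSIDs vendors ship by default.
KNOWN_BSSIDS = {"00:60:1d:1e:2f:30"}
DEFAULT_SSIDS = {"linksys", "default", "wireless", "wlan"}

CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")


def parse_iwlist(text):
    """Turn the scan listing into a list of dicts, one per Cell."""
    cells = []
    cur = None
    for line in text.splitlines():
        m = CELL_RE.search(line)
        if m:
            cur = {"bssid": m.group(1).lower(), "essid": None, "channel": None,
                   "encrypted": None, "signal_dbm": None}
            cells.append(cur)
            continue
        if cur is None:
            continue  # header lines before the first Cell
        s = line.strip()
        if s.startswith("ESSID:"):
            cur["essid"] = s[len("ESSID:"):].strip('"')
        elif s.startswith("Frequency:"):
            ch = re.search(r"Channel (\d+)", s)
            cur["channel"] = int(ch.group(1)) if ch else None
        elif s.startswith("Encryption key:"):
            cur["encrypted"] = s.endswith(":on")
        elif "Signal level:" in s:
            sig = re.search(r"Signal level:(-?\d+) dBm", s)
            cur["signal_dbm"] = int(sig.group(1)) if sig else None
    return cells


def audit(cells, known_bssids=KNOWN_BSSIDS, default_ssids=DEFAULT_SSIDS):
    """Return (kind, bssid, essid) findings. 'rogue' means an unknown BSSID is
    advertising an SSID that one of the known APs uses (look-alike / evil twin)."""
    our_ssids = {c["essid"] for c in cells if c["bssid"] in known_bssids}
    findings = []
    for c in cells:
        if c["encrypted"] is False:
            findings.append(("open", c["bssid"], c["essid"]))
        if c["essid"] and c["essid"].lower() in default_ssids:
            findings.append(("default-ssid", c["bssid"], c["essid"]))
        if c["bssid"] not in known_bssids and c["essid"] in our_ssids:
            findings.append(("rogue", c["bssid"], c["essid"]))
    return findings


if __name__ == "__main__":
    for kind, bssid, essid in audit(parse_iwlist(SAMPLE_SCAN)):
        print(f"{kind:12s} {bssid} {essid!r}")
```

In practice you would feed it `iwlist eth1 scanning` output from a cron job and diff successive runs; the parser keys on the "Cell NN - Address:" line, so any extra fields a driver prints are ignored rather than breaking it.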
Re:AP Radar (Score:2)
Detecting apps, use ps command (Score:1)
ps -ef | grep -i nets...
to determine if you are running one of these applications
Detection is a reality now, but defense? (Score:3, Interesting)
hopeless (Score:3, Interesting)
That alone is a very good reason to NOT plug a wireless access point to an internal network. If you don't have some sort of firewall between your access point and your internal network, you might be underqualified for your job.
Given that, yes, you can detect freeloaders that are using your access point to surf the net. You cannot really block them, as MAC addys are easy to change. If that's really an issue, have the wireless network connected to nothing BUT your firewall, then force any wireless user to authenticate through the firewall you wisely installed. From there, it's a lot easier to monitor what happens to the firewall.
I guess the detection technique is mostly useful for statistical purposes, as previous posts have mentioned.
Security for WLAN's - Smack your closest vendor (Score:5, Informative)
With 2 AP's set up in ethernet bridge mode (Shick as Slit!), if I enable WEP, the AP's encryption will get out of sync in very short order under heavy traffic loads (such as FTP'ing a file across the network at full speed). Once out of sync, I have to reset both AP's. With WEP disabled, the AP's perform OK.
After several tests I was able to reproduce these results each and every time... so I emailed LinkSys about their broken WEP support. Here is the response I got:
----------
Dear Mr. Joshua,
Thank you for contacting Linksys Customer Support.
With regard to the problem, can you provide the complete set up of your
network? About WEP, it is advised that you disable WEP keys in your access
point to avoid possible degradation of wireless transmission. The encryption
causes your network to slow down in terms of wireless transmission because
prior to transmission, the data are encrypted and decrypted at the receiving
end. Hence, the result is to slow the efficiency of your data transfer. For
a small network where there aren't much important files to be transferred,
it is advised that WEP keys are disabled.
About the firmware, the access point should have no problem connecting to
one another although they have different firmwares.
Have a nice day!
Sincerely,
Glythel Ria M. Penus
Product Support Representative
Linksys
-----------------------
If you are wondering what the firmware issue is about, I noticed that one of the new AP's came with an undocumented revision of the firmware (1.01f), so I attempted to downgrade it to the version listed on their web site (1.01c), which also happens to be the version that the other AP is running. It won't do a downgrade.
So, for my solution, I used a firewall product that my company has developed to run IPSEC across an unsecured wireless link. Fortunately, in bridge mode, the Linksys AP's will only talk to another WAP11 that has its MAC specified in the allowed list.
Even if this wasn't my business LAN, how many people that need a wireless network never transfer anything "important"? More to the point, how many people don't care if the neighbor leeches Internet service off of the cable modem that they are paying for?
This is not the first time I have seen this idiocy come from a vendor... my brother in law was recently instructed to remove the last several Windows Critical Updates from his Windows 2000 computer by an M$ phone-monkey, telling him that if it wasn't broke in the first place, that he shouldn't have tried to fix it.
Re:Security for WLAN's - Smack your closest vendor (Score:2)
I have a linksys ap+router (befw11s4 I think) and it works fine in wide-open mode, but not so well either in WEP or MAC-restricted mode -- often needing resets to let my two clients associate with it.
So it was cheap. I should have figured it was a piece of shit. (NB: it DOES work flawlessly in idiot mode tho, with the one restriction on requiring FTP downloads to be in PASV mode).
Question: is the Netgear box any better? Any other recommendations?
Kismet saves the day (Score:4, Informative)
Re:Kismet saves the day (Score:2, Insightful)
mode by using a very high gain antenna combined with some DSP to identify a possible listening of an 802.11 receiver since there is no FCC regulation for a receiving antenna gain :)
Re:Kismet saves the day (Score:2)
Re:Kismet saves the day (Score:2)
Re:Kismet saves the day (Score:3, Informative)
Re:Kismet saves the day (Score:1)
materials, for a would-be secure community network. If you are interested let me know.
Re:Kismet saves the day (Score:2)
Re:Kismet saves the day (Score:1)
I found that it would be much cheaper to build a special purpose antenna to overcome the requirements of a power amplifier, apart from increasing the penetration into homes with a lot of brick masonry.
Re:Kismet saves the day (Score:1)
you could always use a switched parabolic antenna, or even a rotating one. We are talking about the ability to identify a potential listener and not talking about some RF glitch caused by a solar flare!
Re:Kismet saves the day (Score:3, Informative)
Re:Kismet saves the day (Score:1)
detecting ISM band emissions but will be a bit tricky due to the DSS modulation scheme which tends to scatter the available energy over the entire band. I do not think that there is any receiver that employs pure passive tuning (which is a theoretical possibility and limited by the availability of high Q resonators and narrow band tunable very low noise amplifiers).
Re:Kismet saves the day (Score:2)
Re:Kismet saves the day (Score:1)
My Whitepaper (Score:5, Funny)
Anyone else have enough to worry about? (Score:3, Insightful)
[preaching] share the bandwidth! (Score:5, Interesting)
Granted this isn't suitable for a lot of business networks, but still - wouldn't it be cool if you could walk down the street and stay connected to icq without getting your ass kicked?
Re:[preaching] share the bandwidth! (Score:3, Funny)
That would be pretty cool, even without ICQ.
Can't get in my wireless home lan... (Score:1)
...cos I gave my laptop to a super-fine chick at work....*sniff* #;^(
Isn't this normal? (Score:2)
I just use my.... (Score:1)
Why? (Score:4, Interesting)
Invalid premise (Score:2, Flamebait)
Setting aside that ESSID discovery software is inherently passive.
All this fuss and mud slinging over WiFi seems to be missing the point. It is built on an invalid premise: that 'this network' belongs to the AP owner. 802.11b uses public airspace; it does not belong to anybody, it belongs to everybody, just like the Internet backbone. It is designed to be open, and should remain so. If somebody wishes to use it privately for their secure traffic they should treat it as they would a PVC on the net at large.
Accept it is an open technology standard and secure their machines and traffic as necessary, as they would on the Internet at large. The physical network itself cannot and should not be closed.
Re:Hackers and Slackers (Score:1)