Hacking Wireless Networks For Dummies
.pdf
180 Part III: Advanced Wi-Fi Hacks
Network backbone
Access point |
Access point |
Figure 11-2: |
|
|
Extended |
|
|
Service |
|
|
Set (ESS) |
|
|
wireless |
|
|
network |
|
|
config- |
Roaming wireless client |
|
uration. |
||
|
||
Wireless client |
Wireless client |
Independent Basic Service Set (IBSS): This configuration is what we’ve been referring to as ad-hoc or peer-to-peer. This setup allows wireless clients to communicate to each other directly, without the need for a central AP to manage communications. An IBSS network is depicted in Figure 11-3.
It helps to know these wireless network configurations. Not only do they help focus your understanding of how each device communicates in a given network, they also give you a handle on the standard lingo that many wirelessnetwork tools use when they refer to these systems.
Now, let’s get down to business and start looking at common traits of unauthorized wireless devices.
Chapter 11: Unauthorized Wireless Devices 181
Wireless client |
Wireless client |
Figure 11-3:
Independent Basic Service Set (IBSS) wireless network config-
uration. |
|
Wireless client |
Wireless client |
|
Characteristics of Unauthorized Systems
As we outlined in Chapters 9 and 10, it’s pretty simple to perform a basic scan for wireless systems to see what’s present on your network. However, it can be easy to overlook characteristics that point to unauthorized systems, especially if you have a large amount of hosts to sort though.
As with warwalking and wardriving (covered in Chapters 9 and 10), it’s important to have the proper equipment to ferret out unauthorized systems. This includes a wireless NIC that supports all three 802.11 wireless standards —
a, b, and g — as well as a good antenna that’s sensitive enough to detect devices with weak signals.
182 Part III: Advanced Wi-Fi Hacks
During your quest for wireless devices that don’t belong on your network, there are several common characteristics and issues we’ve found that can lead to unauthorized devices. Here are several items to keep in mind as you’re performing your assessment:
Beacon packets where ESS field ≠ 1: In 802.11 beacon packets, the last bit of the Beacon Capability Info field dictates whether the system is an IBSS or not. A zero (0) indicates an IBSS system (that is, it indicates a non-ESS type network) and potentially unauthorized system on your network. In addition, the next-to-last bit in the Capability Info field indicates the type of network. A one (1) indicates an IBSS system. These fields are shown in Figure 11-4.
Figure 11-4:
Beacon packet information indicating an IBSS (ad-hoc) system.
Look for default SSIDs such as these:
•default (common in D-Link APs)
•tsunami (common in Cisco APs)
•comcomcom (common 3COM APs)
•wireless (common in Linksys APs)
•intel, linksys, and so on (need we say more?)
Chapter 11: Unauthorized Wireless Devices 183
Such SSIDs could indicate unauthorized systems on your network, especially if you’re using a specific SSID that makes these odd ones really stand out.
Also look for odd or strange-looking SSIDs, such as these:
•LarsWorld
•boardroom
•CartmansCubicle
•monkeybusiness
•HakAttak
•reception
Unauthorized vendor hardware, especially those that show up as Userdefined or Fake (as shown in Figure 11-5).
Figure 11-5:
NetStumbler capture, showing what appears to be unauthorized vendor hardware.
Be on the lookout for MAC addresses that don’t belong.
You may also encounter network and protocol issues such as these:
•Odd or unsupported protocols (such as those for non-WEP traffic)
•Systems with consistently weak radio signals (low signal-to-noise ratios)
•Excessive numbers of packets transmitted at slower speeds
•Excessive DHCP requests or broadcasts
•Wireless network transmissions occurring during off-hours
•Excessive transmission retries
•Communications on different wireless channels
•Excessive CRC errors
We cover network and protocol issues like these in Chapters 12 and 13.
184 Part III: Advanced Wi-Fi Hacks
Although these wireless device characteristics are not a guarantee that you’ve got unauthorized systems on your network, they can be a good indicator and proof that you need to probe further. Keep in mind that just because you find what appear to be unauthorized wireless systems on your network, you’ve still got to figure out if they’re actually in your building. If your organization has a standalone facility or campus, with no other buildings around, odds are the devices are on your network. However, if you share a building with other organizations, there’s always a chance that the wireless devices you find are someone else’s — and purely legitimate. This helps emphasize why you need to know your network — what’s allowed, who’s on it, etc.
Searching for unauthorized systems is often a matter of timing and luck. You may find nothing during some walkthroughs and several unauthorized systems during others. If at first you don’t find anything suspicious, keep checking: The unauthorized system could be temporarily powered off at the time of your search.
Before we get started on using wireless software to track down unauthorized systems on your network, we thought it’d be a good time to mention a neat hardware solution for doing the same thing. This device is the handheld (actually key-chain-sized) WIFI Signal Locator by Mobile Edge (www.mobile edge.com). It’s designed to determine whether a wireless hot-spot is in your vicinity, but you can also use it to sniff out unauthorized systems in your building as well.
Wireless Client Software
In Chapter 5, we demonstrated how you can use the basic wireless-network software built in to Windows XP to search for wireless systems. However, this method limits the amount of information you can ferret out when you’re performing an extensive scan. The next best thing to use is the wireless client management software — such as ORiNOCO’s Client Manager, Netgear Smart Wizard, and so on — that comes with your wireless NIC.
Figure 11-6 shows ORiNOCO’s Client Manager discovering an ad-hoc network that’s utilizing channel 6 for communication.
You may find a similar unauthorized system on your network. Unless your security policy allows users to have ad-hoc wireless devices (it doesn’t, right?), the first tipoff that trouble’s afoot would be the fact that you’ve got an ad-hoc network running. Also, you may have all your wireless systems set up to utilize another channel by default (such as channel 1) — so communications on channel 6 could indicate that this ad-hoc system is unauthorized.
Chapter 11: Unauthorized Wireless Devices 185
Figure 11-6:
ORiNOCO’s Client Manager, showing an unauthorized peer-to- peer (ad-hoc) network.
Figure 11-7 shows Client Manager discovering an AP with a weak signal. (The weak signal is indicated by the small yellow bar in the SNR column.)
Figure 11-7:
Site Manager, showing an AP with a weak signal.
A weak signal can also indicate that you’ve got an authorized system that’s far away or (cue the sinister music) that someone has turned the signal down on it and is trying to keep it hidden. You can walk around your office or
186 Part III: Advanced Wi-Fi Hacks
campus using a utility such as Site Manager to see whether signal strength improves. If it does, you’ve likely narrowed down its location, so it’s time to look into it further. If the signal doesn’t improve, the AP may belong to someone else — but you still may have an unauthorized system on your hands.
As you can see in Figure 11-8, some client-manager software shows more detail than others. Notice how Netgear’s Smart Wizard utility also shows signal strength, MAC address, and which 802.11 technology is being used — in this case, 802.11g.
Figure 11-8:
Netgear’s Smart Wizard utility, showing an unauthorized peer-to- peer (ad-hoc) network.
Later in this chapter, we show you how you can use the MAC address of
an ad-hoc system — along with a network analyzer — to track down specific IP addresses and protocols being used on the network.
Stumbling Software
The next step up, so to speak, in software you can use to detect unauthorized wireless devices is stumbling software such as NetStumbler and Kismet. Since we’ve already outlined how to use these programs in previous chapters, we’ll spare you a repetition of those details. What’s important to note here is the specific information you can find with a program such as NetStumbler.
Wireless network analyzers and monitoring tools such as AiroPeek and NetStumbler put your wireless NIC in promiscuous monitoring mode to capture all packets. This will effectively disable any other wireless communication (Internet, e-mail, network browsing, etc.) for that computer until you close out the program.
Chapter 11: Unauthorized Wireless Devices 187
For starters, you can use NetStumbler to find unauthorized ad-hoc devices on your network. If you come across quite a few ad-hoc systems like the devices labeled Peer in Figure 11-9, you could be in for some trouble.
Figure 11-9:
NetStumbler showing several unauthorized adhoc clients.
In the next section, we outline how you can use a network analyzer to determine whether the ad-hoc systems you find are attached directly to your network.
When using NetStumbler — or any wireless stumbling or analyzer software — the color of the indicator lights ranges from gray (no or minimal signal) all the way to green (strongest signal). This can tell you how close you are to the device in question.
In Figure 11-10, NetStumbler has found two potentially unauthorized APs. The ones that stand out are the two with SSIDs of BI and LarsWorld. Notice how they’re running on two different channels, two different speeds, and are made by two different hardware vendors. Also, the ad-hoc system with vendor type “User-defined” looks suspicious as well. If you know what’s supposed
to be running on your wireless network, these devices really stand out as unauthorized.
Figure 11-10:
NetStumbler showing unauthorized APs.
You may remember from previous chapters that NetStumbler performs active probing of wireless systems. This means that if any APs are configured to
188 Part III: Advanced Wi-Fi Hacks
disable beacon broadcasts — and thus disregard probe requests coming in from clients — then NetStumbler won’t see them. Well, it’ll see the AP along with its MAC address and associated radio information, but it won’t see the SSID. Figure 11-11 shows what this looks like. Notice you can see everything about the Cisco AP but the SSID.
Figure 11-11:
A Cisco AP with a hidden
SSID in NetStumbler.
If you really need to see SSIDs that are “disabled”, you can use the essid_ jack hacking tool (outlined in Chapter 8) to create a client-to-AP re-association scenario that forces the SSID to be broadcast. Perhaps an easier way is simply to use a passive monitoring tool such as Kismet or a network analyzer.
Network-Analysis Software
Network analyzers, or sniffers, are great tools for seeking out rogue wireless equipment. Most network analyzers allow you to identify unauthorized systems — and can track down other information such as their IP addresses, what type of data they’re transmitting, and more. Kevin’s a little biased toward the ease-of-use offered by commercial analyzers, but many freeware and open-source tools will work just as well. Whatever your usability preferences, you can use network-analysis information to determine whether the systems you’ve detected are actually connected to your network — or if they’re merely legitimate systems down the street or on the floor above.
Regardless of which network analyzer you use, you can still perform most of the basic functions we cover in this section.
Browsing the network
When seeking rogue wireless equipment with a network analyzer, we start out using AiroPeek NX to create what it calls a Peer Map. This map, shown in Figure 11-12, is essentially a physical layout of all wireless devices it can detect. When you know which wireless systems are out there talking, you’re already on the trail of the rogues.
Chapter 11: Unauthorized Wireless Devices 189
Figure 11-12:
AiroPeek
NX Peer Map, showing the physical layout of surrounding wireless devices.
AiroPeek NX also has a feature it calls Expert analysis, which you can use to look for wireless anomalies (for example, ad-hoc clients and APs that don’t belong). You simply load the program and select the Expert tab. Figure 11-13 shows the output of an Expert capture, along with its findings.
Notice that during this session, AiroPeek NX has found two rogue APs and 22 rogue ad-hoc clients! It can also find other helpful information such as APs that don’t require WEP and those that are broadcasting their SSIDs.
AiroPeek and AiroPeek NX come with a security audit template called Security Audit Template.ctf that you can load to search for specific wireless security problems. This template can be loaded by simply clicking File/New From Template.
When performing a regular packet capture (such as the one shown in Figure 11-14), AiroPeek NX also points out wireless anomalies in the Expert column at the right. Notice that it found both ad-hoc clients and APs that don’t belong. These functions can be helpful for pointing out the larger-scale security issues when you’re scrolling through the seemingly overwhelming slew of packets you typically capture during a session.