In this article, Michael gives some background on Linux and wireless security, describes utilities for interrogating wireless networks, and lists the top tips you should know to improve the wireless security of your network.
Wireless networking is not a new concept. Even end-user and hobby wireless networking has been around in various forms for well over a decade, and ham radio networks still toss packets across the airwaves today. Recently, wireless ethernet (802.11b networking, also known as WiFi) has been gaining in popularity, and in the last six or eight months has dropped in price to the point of becoming a commodity - at $80 or $100 USD for a card and $120 USD for an access point, wireless is finally becoming an option for home users looking to avoid running cable through the house for their laptops, for geeks and technophiles looking for something new to explore, and for offices looking to expand worker mobility. Unfortunately, with this wireless boom, security concerns are often overlooked, ignored, or under-supported, either through hardware and protocol limitations or through simple human oversight.
Some 802.11b background
802.11b operates in the 2.4 GHz radio frequency band, and typically has a range of 150 or 200 feet indoors. It can operate in one of two modes: infrastructure mode, where all the client systems talk to an access point which typically serves as a bridge to the wired ethernet network, or ad-hoc mode, where two 802.11b cards talk directly without an access point. 802.11b also supports WEP encryption of various key sizes. WEP, or Wired Equivalent Privacy, is designed with the goal of making the wireless network as secure as a wired network. More on WEP later. For all intents and purposes, an 802.11b wireless network functions as a shared media ethernet, which is to say, everyone can see all data on the line.
WEP, from the ground up, is not suitable as the only means of securing a wireless network. Even functioning perfectly, once a client has joined the network with the correct WEP key, it becomes a shared media unencrypted network, with all the inherent vulnerabilities and internal weaknesses. Unfortunately, this is not the only problem with WEP. Due to a flaw in the RC4 encryption, most implementations of WEP periodically generate weak packets. Once enough of these weak packets are seen, it is possible to extract the WEP key. This attack is completely passive and undetectable (until, of course, a card joins the network with the key).
Top security oversights when building 802.11b networks
- Completely unencrypted networks. Despite the multitude of wireless articles written, half (or more!) of the wireless networks I've encountered don't use any form of encryption whatsoever. This leaves them completely open to sniffing (at the least) and to abuse of network resources and malicious attack (at the worst).
- Trusting WEP. With known encryption flaws, WEP should by no means be the only method of security used on a network. At the least, WEP only makes your network as secure as a shared media ethernet network - anyone with the key can still get all your data.
- "Dumb" bridges. These are bridges which indiscriminately forward all your data from the wired ethernet network to the wireless, making it easily available to any sniffers in the area. At LinuxWorld Expo in NYC this year, the tutorial conference email kiosks were set up this way, happily broadcasting everyone's traffic into the air while they checked email.
- Wireless networks installed behind firewalls. A wireless network should always be classified as an untrusted network. I have encountered at least one consumer store chain with an access point installed behind the corporate firewalls in a retail store, with no WEP, giving full access to the entire nationwide corporate network.
- Trusting MAC authentication exclusively. MACs can be faked.
Top tips for securing wireless
- Use an application-layer encryption method (SSL, SSH) for all communication, or better still, a TCP/IP-layer encryption like IPSec. Encrypt ALL traffic on the wireless network.
- Use a secure authentication method. 802.1x is a step in this direction, Cisco WAPs support LANE authentication, and www.nocat.net has an Open Source Linux-router authentication project. Require users to authenticate before their traffic is accepted or gatewayed to the wired LAN. (Note: over the length of time it took me to write this article, 802.1x has been reported as vulnerable to attack.)
- Use appropriate antennas. Sectors and yagis will help keep your signal going where you want it to go instead of leaking to other locations. Don't boost your signal needlessly or indiscriminately. For the extremely dedicated, shield external walls near access points.
802.11b sniffing theory
Network sniffing, on a wired medium, is a fairly straightforward process. Most network cards will filter traffic so that only traffic destined for that card is passed to the operating system, thereby reducing the load on the OS. By telling the card to go into "promiscuous mode", all traffic seen is passed to the operating system. On a shared media (unswitched) network, this lets a computer spy on every packet traversing that segment.
Wireless sniffing is slightly different. While the cards can still be placed into promiscuous mode, this doesn't (generally) have the intended result. Most wireless card drivers for Linux will either do nothing, or still only return packets destined for the card, and in either case still only affect an associated network. To sniff all of the traffic on a network (or more accurately, all of the traffic in the air around you regardless of network association) a card must support RF Monitoring. Currently, Prism/2 cards (Linksys, D-Link, Compaq, etc.) with the linux-wlan-ng drivers (www.linux-wlan.com) and Cisco Aironet cards with the default kernel drivers (aironet and aironet_cs) support RF Monitoring mode. Once a card is in RF Monitoring mode, all packets in the air are reported to the OS.
Multichannel sniffing is built into Cisco Aironet cards - when in monitor mode, traffic on all channels is reported. Prism/2 cards will report some cross-channel traffic due to the slight overlap in channel frequencies, but will primarily report only the channel they are active on. Running a channel-hopper program is one way around this; however, it will reduce your chances of catching intermittent traffic.
Network detection without RF Monitoring support
Most cards that do not support RF Monitoring can still be used to detect networks, just not to capture the data within the network. By telling the card to join any network regardless of SSID, and querying the current network joined, it is possible to discover the networks in the area. In practice, I've found that this isn't nearly as reliable as RF Monitoring for detecting networks, however.
Kismet
Several utilities exist to monitor and record wireless network traffic; however, as the author of Kismet I'll focus on that, since I'm most familiar with it. Kismet began as most projects do, as a mongrel of other projects and a tool to scratch an itch. Kismet is designed to be the Swiss Army knife of wireless monitoring and auditing, compatible across multiple wireless cards and multiple platforms while presenting a consistent feature set.
Kismet will work with nearly any Linux-supported wireless card. RF Monitoring is supported on Prism/2 and Cisco Aironet, and generic SSID detection works with any card supporting the Linux wireless extensions. It will also work on Linux-powered handhelds that use the wlan-ng drivers, such as the Sharp Zaurus, and in theory the Compaq iPaq with any of the standard PCMCIA drivers. Full handheld support is still a work in progress, but it is functional and usable in its current state.
Most other wireless tools only work with a specific card or family of cards. Kismet is designed to take input from any Linux-supported wireless card, transform it into a common format, and process all sources in the same fashion. Data can be saved in several formats:
- Network - Detailed network info including BSSID, SSID, first and last detected GPS coordinates, Tag133 beacon info, IP range, etc.
- Dump - Raw packet dump, compatible with Ethereal and TcpDump.
- Cisco - Cisco infrastructure information gathered from CDP (Cisco Discovery Packet) broadcasts.
- GPS - GPS coordinates of every detected packet, signal strength levels (if available), and the track followed. "gpsmap", included with the development versions of Kismet, interprets these files and graphs them onto downloaded maps.
Auditing 802.11b networks with Kismet
When auditing, always aim for the extreme conditions of your situation, but remember that no tool is complete, and no auditing method is guaranteed. When the theoretical horde of kiddies comes knocking at your network and servers, you can't guarantee that you have tried everything they will try. It is important to design your network securely from the ground up.
Kismet is designed to assist with auditing as much as possible, sporting automatic disassembly of ARP, UDP, and DHCP packets for IP address detection, "cloaked" SSID detection, and Cisco Discovery Packet deciphering and logging. Kismet also sports graphical mapping of networks and estimated ranges from GPS data.
The simplest way to audit your network is to set Kismet up for your hardware, start it up, and walk (or drive) through your facility. Look for dead zones, leaks outside your property, and unexpected access points or clients. BE PARANOID. Think like someone trying to break into your network for fun or profit might think. Read on for more.
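To make the preceding description concrete, here is an added example (my own illustration, not Kismet's code) of how a passive monitor turns a raw 802.11 beacon frame into the fields discussed above and in the background section: the BSSID, infrastructure versus ad-hoc mode from the capability bits, the Privacy bit that marks a WEP network, the channel from the DS parameter set, and a "cloaked" SSID (an empty or NUL-filled SSID element). The frames are constructed in the script by build_beacon rather than captured off the air, and the BSSIDs are locally administered placeholder addresses.

```python
# Added example (not Kismet's own code): decode a constructed 802.11 beacon
# frame the way a passive RF monitor would, extracting BSSID, SSID (with
# cloaked-SSID detection), infrastructure/ad-hoc mode, channel and the
# Privacy (WEP) capability bit.
import struct

BEACON_FC0 = 0x80  # frame control byte 0: type = management (0), subtype = beacon (8)

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_tagged(data):
    """Walk the tagged-parameter section: id(1) length(1) value(length) triples."""
    tags = {}
    i = 0
    while i + 2 <= len(data):
        tag_id, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:      # truncated frame: do not trust the tail
            break
        tags[tag_id] = value
        i += 2 + length
    return tags

def parse_beacon(frame):
    """Return a dict describing a beacon frame, or None if this is not a complete beacon."""
    if len(frame) < 36 or frame[0] != BEACON_FC0:
        return None
    # 24-byte management header: FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2)
    bssid = mac_str(frame[16:22])               # addr3 carries the BSSID in a beacon
    # fixed parameters: timestamp(8) beacon interval(2) capability(2), little-endian
    interval, capability = struct.unpack_from("<HH", frame, 32)
    tags = parse_tagged(frame[36:])
    ssid_raw = tags.get(0, b"")
    # "cloaked" SSID: the element is present but empty or filled with NULs
    cloaked = len(ssid_raw) == 0 or set(ssid_raw) == {0}
    if capability & 0x0001:
        mode = "infrastructure"                 # ESS bit: an access point
    elif capability & 0x0002:
        mode = "ad-hoc"                         # IBSS bit: card-to-card network
    else:
        mode = "unknown"
    return {
        "bssid": bssid,
        "ssid": None if cloaked else ssid_raw.decode("utf-8", "replace"),
        "cloaked": cloaked,
        "mode": mode,
        "privacy": bool(capability & 0x0010),   # Privacy bit: WEP in use
        "channel": tags[3][0] if 3 in tags and len(tags[3]) == 1 else None,
        "beacon_interval_tu": interval,
    }

def build_beacon(bssid, ssid, channel, ess=True, privacy=False):
    """Constructed test input: assemble a minimal beacon frame (not captured traffic)."""
    header = bytes([BEACON_FC0, 0x00]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    cap = (0x0001 if ess else 0x0002) | (0x0010 if privacy else 0)
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, cap)      # timestamp, 100 TU interval, capability
    tags = bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82]) + bytes([3, 1, channel])
    return header + fixed + tags

# Constructed sample frames with placeholder (locally administered) BSSIDs.
SAMPLE_FRAMES = [
    build_beacon(bytes.fromhex("020000000001"), b"corp-wlan", 6, privacy=True),
    build_beacon(bytes.fromhex("020000000002"), b"", 11),                    # cloaked, no WEP
    build_beacon(bytes.fromhex("020000000003"), b"laptop-adhoc", 1, ess=False),
    build_beacon(bytes.fromhex("020000000004"), b"\x00" * 8, 11),            # NUL-filled cloak
]

def summarize(frames):
    """Decode every frame that parses as a beacon, in the order seen."""
    return [net for net in (parse_beacon(f) for f in frames) if net is not None]

if __name__ == "__main__":
    for net in summarize(SAMPLE_FRAMES):
        print(net)
```

A real monitor sees these beacons without ever associating, which is why an access point that hides its SSID is still visible as a network: the BSSID, channel and Privacy bit are all in the clear, and the empty SSID element itself is the tell.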
What to look for when auditing - and how to think about fixing it
- Signal range -- Does your wireless signal go way beyond the physical bounds of your property? Conversely, does the signal cover your entire installation? Remember when testing range that not all wireless cards are equal, and antenna types on the client side can make a big difference.
Solutions: Consider directional antennas and repositioning access points. Remember, proper antennas can reduce your range and keep it within your property, as well as extend it in a poor-coverage area!
- Unauthorized access points -- Worried about an employee bringing an AP in and hooking it to the office network? Look for unexpected access points. This may be one of the largest exposures to your network.
Solutions: Have a clearly defined policy regarding unauthorized network modifications. Consider some form of central network authorization if none is in place already.
- Information leaks and incorrectly configured APs -- Look at the dump logs and see if the information being exposed over the wireless is the information you expect to be exposed. Incorrectly set up hardware can disclose far more information about your network than you intend, and incorrectly configured clients can broadcast unencrypted information or other information about your network infrastructure.
Solutions: Fix your access point, and restrict what information is sent over insecure network segments.
- Unauthorized users -- For the extremely paranoid, it is possible to spot unauthorized users attempting to join your network, but remember -- client cards are typically not very powerful, and you'll only see attempts in your immediate area. Never rely on this for overall security.
Solutions: Implement authenticated filtering at the router so unauthorized users cannot use the network. Implement AP-based authentication so that unauthorized users cannot join the network in the first place.
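As an added example, not part of the original article or of Kismet, the following script shows how the results of a walk-through can be checked mechanically instead of by eye: a constructed survey of detected networks is compared against a constructed inventory of authorized BSSIDs, and the oversights listed above are flagged, namely an authorized AP that has lost its encryption, an unknown BSSID advertising the corporate SSID, and unknown access points whose ownership needs verifying. The Detected record and the AUTHORIZED table are assumptions of this example, not Kismet's log format.

```python
# Added example (not Kismet's code or log format): audit a site survey against
# an inventory of authorized access points and flag the oversights the article
# lists. The survey records and inventory below are constructed sample data.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Detected:
    bssid: str
    ssid: Optional[str]    # None means the AP is cloaking its SSID
    channel: int
    encrypted: bool        # Privacy bit seen in beacons (WEP on this era's gear)
    mode: str              # "infrastructure" or "ad-hoc"

# Constructed inventory: authorized BSSID -> the SSID it is supposed to advertise.
AUTHORIZED = {
    "02:00:00:00:00:01": "corp-wlan",
    "02:00:00:00:00:02": "corp-wlan",
}
CORPORATE_SSIDS = set(AUTHORIZED.values())

Finding = Tuple[str, str, str]   # (severity, bssid, description)

def audit(detected: List[Detected], authorized=AUTHORIZED,
          corporate_ssids=CORPORATE_SSIDS) -> List[Finding]:
    """Compare detected networks with the inventory; return findings, worst first."""
    findings: List[Finding] = []
    for net in detected:
        bssid = net.bssid.lower()
        if bssid in authorized:
            # Our own AP: check it still looks the way the inventory says it should.
            if not net.encrypted:
                findings.append(("high", bssid, "authorized AP is running unencrypted"))
            if net.ssid is not None and net.ssid != authorized[bssid]:
                findings.append(("medium", bssid,
                                 f"authorized AP advertising unexpected SSID {net.ssid!r}"))
            continue
        # Not in the inventory: decide how worried to be about it.
        if net.ssid in corporate_ssids:
            findings.append(("critical", bssid,
                             f"unknown BSSID advertising corporate SSID {net.ssid!r}"))
        elif net.mode == "ad-hoc":
            findings.append(("medium", bssid, "unexpected ad-hoc network in range"))
        else:
            findings.append(("medium", bssid, "unknown access point in range; verify ownership"))
        if not net.encrypted and net.ssid not in corporate_ssids:
            findings.append(("low", bssid, "unknown network is unencrypted"))
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: order[f[0]])   # stable sort keeps survey order per level

# Constructed survey, as a walk-through with a monitoring tool might record it.
SAMPLE_SURVEY = [
    Detected("02:00:00:00:00:01", "corp-wlan", 6, True, "infrastructure"),
    Detected("02:00:00:00:00:02", "corp-wlan", 11, False, "infrastructure"),  # WEP switched off
    Detected("02:00:00:00:00:99", "corp-wlan", 6, True, "infrastructure"),    # corporate SSID, unknown BSSID
    Detected("02:00:00:00:00:77", "linksys", 6, False, "infrastructure"),     # unknown, open AP
    Detected("02:00:00:00:00:55", None, 1, True, "infrastructure"),           # unknown, cloaked
]

if __name__ == "__main__":
    for severity, bssid, text in audit(SAMPLE_SURVEY):
        print(f"{severity:8} {bssid}  {text}")
```

The inventory is the important part: without a record of which BSSIDs you own and what they should advertise, every AP in range looks equally legitimate, and the "unexpected access points" check above reduces to guesswork.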
What's in Store for Kismet in the Future
Kismet is undergoing a number of changes as it creeps towards the 2.0 release. Currently in the development tree is support for the new GUI interface and GPS mapping support. Also in the works are an enhanced ncurses user interface, persistent network information and grouping, and GTK and QT Embedded interfaces.
Links and points of interest
About the Author
Mike Kershaw currently lives between Albany and New York City and works for a college managing Linux and Linux/390 systems. He got interested in wireless over the summer of 2001, discovered a disturbing lack of utilities for wireless under Linux, and hasn't really looked back since. He is completing this article while driving across New York state - of the twenty-eight networks detected thus far... twenty-two are unencrypted, including major law firms, government buildings, and countless residential networks.