Penetration Testing mailing list archives
RE: How to track down a wireless hacker
From: cwright () bdosyd com au
Date: 11 Nov 2007 23:38:45 -0000
Of course you can track a wireless attacker due the fact that he is broadcasting a trackable signal. First, it is not necessary to broadcast to monitor wireless traffic. The attacker can remain passive. Passive monitoring does make a discernable variation in the RSSI, but I do not see the resources being deployed for this reason (and we are talking well into the 6 figures for this). So lets address this in detail. To do so, lets look at the threats first, we have: - Friendly unprotected wireless networks deployed in ignorance. - Malicious This is either a malicious rouge attacker or a planted rouge network or AP. - Unintended Equipment deployed without authorisation and likely incorrectly configured (this group commonly includes Infrastructure rogues). The friendly and unintended threats are easy to find. They will either be an AP or wireless card in the local proximity. These are easy to trace. As such we can ignore these for the purpose of this post. There are a variety of means to discover rogues on the wireless network. These include: 1 Wired-side AP fingerprinting 2 Wired side MAC prefix analysis 3 Wireless-side warwalking 4 Wireless-side client monitoring 5 Wireless-side WLAN IDS If your intention is to test your own mal-functioning or mis-configured equipment on your network, then there is no crime. If you know it is not your device and you attack it in full knowledge, then a crime is the result. For example, you can run a Nessus AP Fingerprint Scan on your own (or what you believe is your own) equipment with impunity (assuming permissions and rights). In the case of an attacker external to the network, we can ignore options 1 and 2. If the attack was a rogue device (an AP for instance) on the wired-side network, scanning is legally ok. The scanning of your own equipment is an acceptable legal option. This still does not allow the right to actively attack the device on discovering it is a rogue. This is a matter of intention. As for Wireless-side analysis This is easy to do, but it is time consuming, error prone (there is a low risk of false-negatives and a good chance of false positives) and is likely to bypass or incorrectly correlate moving targets. Kismet will allow you to save filters based on the BSSIDs and MAC addresses discovered. Kismet would then be configured to ignore all authorised networks. This allows the creation of a baseline. The baseline allows for the alerting of exceptions that is unauthorised APs. AiroPeek NX is a commercial option for those companies that do not like to use open source software. Either method is time consuming and requires an audit for a point in time event. Warwalking can not be set to wait and report on exceptions. AirWave RAPIDS is a commercial option to conduct both wired-side and wireless-side monitoring and assessment. It monitors and reports on wireless activity and flags (and alerts) new networks as potential rogue APs. This is an expensive option with a license required for all clients. There are also issues. Either poor monitoring facilities will result or wireless networking will be impacted for the hosts. There are Wireless-side LAN IDS deployments. Aruba is an example. Again these are costly and require that a sensors is deployed at all facilities using wireless (and if you really want to be safe those that do not as well). None of this helps us find the rogue we only find out that one may exist. So how can we discover the rogue you ask finally? First there is a manual analysis process using the signal-to-noise ratios (SNR). SNR is maximised when the devices are associated. In this, the idea is to map the SNR and locate the antenna (note the antenna and not the rogue itself). These techniques rely heavily on guess-work. Kismet and a GPS will help. Directional analysis makes this a little easier. This requires a directional antenna and RSSI (Radio Signal Strength Information which is the signal and noise levels associated with a wireless device). Channel hoping should be disabled when doing this and it is essentially a matter of trial and error. Rapfinder (open source) is a tool that aids in this process. AirMagnet is a commercial tool (handheld) that is designed to locate the source of the radio signal (as you get closer the clicks increase in frequency like a Geiger counter). Next we get to triangulation. Even this is not 100% accurate due to RF interference, signal loss and radio signal distribution patterns (which vary based on the physical position). Aruba AirMonitor with 3 sensors will find local APs with a fair degree of accuracy. However, this takes us to the point. An attacker is not always going to be placed locally. The range with a good yaggi high gain antenna is a radius of over 10km. That is over 300 square km. So have fun searching, it is about 30,000 households, businesses etc ... It is not a flippantly easy task to track a wireless attacker. People get lucky, this is about how it works. Regards, Craig Wright (GSE-Compliance) ________________________________________ From: Jan Heisterkamp [mailto:] Sent: Mon 12/11/2007 1:55 AM To: ep Cc: Craig Wright; pen-test () securityfocus com Subject: Re: How to track down a wireless hacker I lost who started this thread. Of course you can track a wireless attacker due the fact that he is broadcasting a trackable signal and you can do it pretty accurate. But he question behind is "And then?" What will you do? 1. If the attacker is in house you might have to close all the doors, call the security stuff and confiscate all the laptops running wireless. The attacker goes arested and the rest of the user will take their case to the court, sueing you for damages. 2. If the attacker is, let us say in a car in the street and you have tracked and localized him what are you able to do? You can't touch him, neither arrest him, you have no legal right to do so; probably you will se the attackers golden finger he hits the road. The energy you are wilt to afford to track this freak down you had better spent before in securing your Network. It's a fact, that you messed it up and not he. I guess there is waiting some homework for you... Regards Jan ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- RE: How to track down a wireless hacker, (continued)
- RE: How to track down a wireless hacker Ng, Kenneth (US) (Nov 07)
- Re: How to track down a wireless hacker cwright (Nov 07)
- Re: Re: How to track down a wireless hacker cwright (Nov 07)
- Re: How to track down a wireless hacker Francois Larouche (Nov 08)
- RE: How to track down a wireless hacker ep (Nov 08)
- RE: How to track down a wireless hacker cwright (Nov 10)
- RE: How to track down a wireless hacker ep (Nov 13)
- RE: How to track down a wireless hacker ep (Nov 10)
- Re: How to track down a wireless hacker Jan Heisterkamp (Nov 13)
- RE: How to track down a wireless hacker ep (Nov 13)
- RE: How to track down a wireless hacker cwright (Nov 13)
- Re: RE: How to track down a wireless hacker cwright (Nov 13)
- Re: How to track down a wireless hacker Jan Heisterkamp (Nov 13)
- RE: How to track down a wireless hacker ep (Nov 13)
- Re: RE: How to track down a wireless hacker cwright (Nov 15)