Re: Wireless pentesting requirements

[Mister Coffee <live4java () stormcenter net>]

On Thu, Jun 10, 2004 at 11:24:03PM +0100, Andrew A. Vladimirov wrote:
> Mister Coffee wrote:
> > On Thu, Jun 10, 2004 at 10:14:09PM +0100, Andrew A. Vladimirov wrote:
> >
> > > Mister Coffee wrote:
> >
> > <<snip>>
> >
> > Good call that.  I considered initial location part of the pen-test, but 
> > that's just me.  Of course, having several antennas and cards in your kit 
> > can't hurt.  Say, an intermediate gain/beamwidth antenna for finding the 
> > AP's, then a high gain narrow beamwidth antenna for the actual penetration.
>
> True enough, we also move from low to high gain in process. And, for 
> example, using a high gain omni at the initial stage can lead to missing 
> AP's on the top floors of a reasonably tall building etc
Yeah.  We may want to take some of this off line, but I'm curious whether you've found anything that can reliably 
triangulate an AP's position as you're moving.  eg: I get relative directions from several GPS determined points around 
a site, then triangulate the location of the AP on my grid.  It can be done manually, of course, but accuracy depends 
on the reliability of your positions and the beamwidth of your LOP's.

> > <<snip>>
> >
> > > Most of the wireless stuff we do involves mangling custom 802.11 frames, 
> > > injecting traffic into the network without knowing WEP, accelerating WEP 
> > > cracking, phishing and guessing users credentials etc. - Wi-Foo 
> > > (www.wi-foo.com) describes it all pretty much. For all of this, open 
> > > specs for both firmware and drivers are vital.
> > Good reference site, definately.
>
> We hope that a forum there will become a good site for intelligent 
> wireless pentesting discussion. Btw, been to your site too, thanks for 
> PsiFur, already installed it even though those days I have no time for 
> IRC :(
I'll have to delve into the site more.  I've got a fairly deep interest in the radio aspects of the technology.  And 
glad you like the PsiFur.  Just a mite bit annoyed that they dropped perl as the scripting language.  Haven't had a 
chance to port it to C.

> > I should see about compiling a list of good antenna sites for those who 
> > are interested.  There's some sweet commercial gear, but it's expensive.  
> > You can build some very nice home brew antennas, of course, there's a lot 
> > of good information on antenna design (there's a number of places to get 
> > the calcs for building a Yagi, for example), but not much -inexpensive- 
> > test gear in that range, or information on coupling, that I've seen.
>
> That would be a good idea and should probably include a list of 
> equipment to test gain, VSWR etc for DIY antennas. I've seen so many 
> people bragging about their cantennas and always asked them how did they 
> estimate the actual gain and beamwidth...
I'm still looking for decent kit for working in the 2.4GHz that doesn't cost more than my car.  Working at the lower 
frequencies, you can get a lot of gear at reasonable (<$300) prices.  Unfortunately, once you gt over about 440MHz, the 
test equipment becomes expensive quickly.

It's certainly possible to get relative numbers by using the signal strength "meters" that come with most of the cards. 
 But the accuracy is suspect.  Details are probably better taken off-list.  Doubt most of the pen-test crew are -that- 
interested in finding ways to quantify home-brew antenna performance.
 
> > > > You'd be amazed at the range you can drag out of a 2M dish...
> > >
> > > You forgot a 2W bi-amplifier and 500mW Demarctech AP :) The only 
> > > possible side effect is KFS (Kentucky Fried Sysadmin)...
> >
> > Well, if I leave out the 2 watt amp, I'm less likely to have Uncle Charlie 
> > knocking on my door.  At least in the US.  Of course, being licensed in 
> > that band helps ;) . . .
>
> Who cares, you are missing so much fun... with such EIRP you can blast 
> Uncle Charlie away ! :) Have a look at what some nutty people do:
I don't know about that.  High gain and -any- amp will probably put you over their threshold for annoyance.  The Amp 
alone puts you over the power limits for a Part 15 device. :)

(Re-reading 15.109 and 15.209, they test for signal strength of n microvolts/meter at x range.  Here, above 960MHz, 
it's 500mV/M at 3M.  It jumps to 2500mV/M in the 10GHz+ range, per 15.249. - I may be missing something though 
regarding the use of high gain antennas.  I was under the impression that the FCC was concerned with actual signal 
level for type certification, rather than ERP.)
 
> http://www.svbxlabs.com/pages/projects/index.php?cat=ER
Oh, I see a lab explosion in the near future...
 
> 802.11i won't help...
> > > Cheers,
> > > Andrew
Cheers,
L4J