Hacking Wireless Networks (2015)
Part III: Advanced Wi-Fi Hacks
Chapter 11: Unauthorized Wireless Devices
In This Chapter
• Understanding the consequences of unauthorized devices on your network
• Exploring basic wireless-network layouts
• Finding the common characteristics of unauthorized wireless devices
• Using various tools to search for unauthorized wireless devices
• Protecting against unauthorized wireless devices
A serious problem affecting wireless network security is the presence of unauthorized and rogue wireless devices. In Chapter 5, we discuss how employees and other users on your network sometimes introduce wireless equipment into your environment. These people unknowingly put your information at risk because they usually don’t understand what can happen when they set up unauthorized access points and ad-hoc wireless clients. Even when users do understand the consequences, often they set up their own wireless networks anyway.
As a rule, people set up their own wireless systems because they want convenience — something that must be (but rarely is) balanced with security.
Most unauthorized wireless systems are not installed for malicious purposes.
However, you must always be aware that people inside and outside your organization can introduce wireless devices for purely malicious reasons. Such unauthorized systems — commonly referred to as rogue systems — are often set up to gain access to your wireless data or cause other harm. The rogue wireless system of choice is an access point — both real APs and fake ones.
These APs “lure” unsuspecting wireless-client systems to associate with them — and then pass all that wireless traffic through so everything can be captured and controlled elsewhere (usually for ill-gotten gain). We look at rogue devices in detail in Chapter 13.
In this chapter, we outline common characteristics of unauthorized wireless devices, various tests you can run to check for them, and what you can do to detect and prevent these systems in the future.
18_597302_ch11.qxd 8/4/05 6:58 PM Page 178
178 Part III: Advanced Wi-Fi Hacks
What Can Happen
There are serious vulnerabilities introduced if a person sets up unauthorized wireless systems on your network. There are four main types of potentially lethal unauthorized wireless devices threatening your airwaves:
• Unauthorized APs: Unauthorized APs are usually APs bought at a local consumer electronics store and installed onto your network without your knowledge. (See the scenario we outlined in Chapter 5.) This is the most common type of unauthorized system; when not properly secured, it can create a huge entry point into your network for anyone within range.
A hacker can also use a Linux-based program called AirSnarf (http://airsnarf.shmoo.com) to create a legitimate-looking AP to which unsuspecting users can connect. The hacker can then attempt to grab usernames, passwords, and other sensitive information from the users, and they’ll never know it happened.
Many users are unaware of the minimum wireless network security requirements in their organization, or they simply don’t know how to properly configure such settings, which, in turn, creates severe security problems.
• Wireless clients: These are usually laptops with wireless NICs that are set up to run in ad-hoc (peer-to-peer) mode. These systems don’t require an AP to communicate with one another, and are often connected to the wired network — which (again) creates an easy backdoor into your system. These unauthorized systems can render other forms of security you have in place (such as firewalls, authentication systems, and so on) completely useless, exposing critical servers, databases, and other resources.
• Rogue APs: Rogue APs often are set up to mimic the characteristics of your legitimate APs in order to lure in unsuspecting users and wireless-client systems. Once these connections are made, the rogue AP can be configured to capture traffic and create denial-of-service (DoS) conditions. Chapter 14 covers DoS attacks and testing in more detail.
• Rogue wireless clients: These are unauthorized user systems (often external to your organization) that connect to your APs or ad-hoc systems and are usually up to no good.
Wireless System Configurations
Before we proceed, it makes sense to visually represent the various types of wireless network configurations we’ll be searching for during our tests. The following list describes them in detail:
• Basic Service Set (BSS): This is the most common wireless network configuration. This setup, shown in Figure 11-1, consists of one AP and several wireless clients. In a BSS configuration, the AP serves as the network hub; all communications between clients go through it.
• Extended Service Set (ESS): This configuration (shown in Figure 11-2) includes multiple APs connected to the network, with roaming capabilities for mobile clients.
Figure 11-1: Basic Service Set (BSS) wireless network configuration. [Diagram: one access point on the network backbone serving three wireless clients.]
Figure 11-2: Extended Service Set (ESS) wireless network configuration. [Diagram: two access points on the network backbone, two wireless clients, and a roaming wireless client.]
• Independent Basic Service Set (IBSS): This configuration is what we’ve been referring to as ad-hoc or peer-to-peer. This setup allows wireless clients to communicate to each other directly, without the need for a central AP to manage communications. An IBSS network is depicted in Figure 11-3.
It helps to know these wireless network configurations. Not only do they help focus your understanding of how each device communicates in a given network, they also give you a handle on the standard lingo that many wireless-network tools use when they refer to these systems.
Now, let’s get down to business and start looking at common traits of unauthorized wireless devices.
Figure 11-3: Independent Basic Service Set (IBSS) wireless network configuration. [Diagram: four wireless clients communicating directly with one another, with no access point.]
Characteristics of Unauthorized Systems
As we outlined in Chapters 9 and 10, it’s pretty simple to perform a basic scan for wireless systems to see what’s present on your network. However, it can be easy to overlook characteristics that point to unauthorized systems, especially if you have a large number of hosts to sort through.
As with warwalking and wardriving (covered in Chapters 9 and 10), it’s important to have the proper equipment to ferret out unauthorized systems. This includes a wireless NIC that supports all three 802.11 wireless standards — a, b, and g — as well as a good antenna that’s sensitive enough to detect devices with weak signals.
During your quest for wireless devices that don’t belong on your network, there are several common characteristics and issues we’ve found that can lead you to unauthorized devices. Here are several items to keep in mind as you’re performing your assessment:
• Beacon packets where the ESS field ≠ 1: In 802.11 beacon packets, the last bit of the Beacon Capability Info field (the ESS bit) dictates whether the system is an IBSS or not. A zero (0) indicates a non-ESS network — that is, an IBSS system and potentially an unauthorized system on your network. In addition, the next-to-last bit in the Capability Info field (the IBSS bit) indicates the type of network: a one (1) indicates an IBSS system. These fields are shown in Figure 11-4.
Figure 11-4: Beacon packet information indicating an IBSS (ad-hoc) system. [Screenshot of a decoded beacon’s Capability Info field.]
• Look for default SSIDs such as these:
  • default (common in D-Link APs)
  • tsunami (common in Cisco APs)
  • comcomcom (common in 3COM APs)
  • wireless (common in Linksys APs)
  • intel, linksys, and so on (need we say more?)
Such SSIDs could indicate unauthorized systems on your network, especially if you’re using a specific SSID that makes these odd ones really stand out.
• Also look for odd or strange-looking SSIDs, such as these:
  • LarsWorld
  • boardroom
  • CartmansCubicle
  • monkeybusiness
  • HakAttak
  • reception
• Unauthorized vendor hardware, especially those that show up as User-defined or Fake (as shown in Figure 11-5).
Figure 11-5: NetStumbler capture, showing what appears to be unauthorized vendor hardware.
• Be on the lookout for MAC addresses that don’t belong.
• You may also encounter network and protocol issues such as these:
  • Odd or unsupported protocols (such as those for non-WEP traffic)
  • Systems with consistently weak radio signals (low signal-to-noise ratios)
  • Excessive numbers of packets transmitted at slower speeds
  • Excessive DHCP requests or broadcasts
  • Wireless network transmissions occurring during off-hours
  • Excessive transmission retries
  • Communications on different wireless channels
  • Excessive CRC errors
We cover network and protocol issues like these in Chapters 12 and 13.
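As an added example (not code from the book), here is a small Python parser that reads raw 802.11 beacon frames, checks the ESS and IBSS capability bits described in the list above, and flags the default SSIDs, hidden SSIDs, off-channel systems, and missing privacy (WEP) bit that the same list calls out. The frames, BSSIDs, and the authorized SSID "corpnet" on channel 1 are constructed for the demonstration; real frames would come from a monitor-mode capture with any radiotap header already stripped.

```python
"""Parse raw 802.11 beacon frames and flag the warning signs listed in the chapter.

Added example; assumes frames without a radiotap header. All sample data is constructed.
"""
import struct

# Default SSIDs the chapter names as signs of an off-the-shelf AP (lower-cased)
DEFAULT_SSIDS = {"default", "tsunami", "comcomcom", "wireless", "intel", "linksys"}

# Capability Info bits (little-endian 16-bit field in the beacon's fixed parameters)
CAP_ESS = 0x0001      # bit 0: set for an infrastructure (AP) network
CAP_IBSS = 0x0002     # bit 1: set for an independent / ad-hoc network
CAP_PRIVACY = 0x0010  # bit 4: set when WEP (privacy) is required


def parse_beacon(frame: bytes) -> dict:
    """Return BSSID, SSID, channel and capability flags from one beacon frame."""
    if len(frame) < 36:
        raise ValueError("frame too short to be a beacon")
    if frame[0] & 0xFC != 0x80:  # type 0 (management), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])  # Address 3 of the MAC header
    _timestamp, interval, cap = struct.unpack_from("<QHH", frame, 24)
    ssid, channel = "", None
    pos = 36  # first tagged information element
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            break  # truncated element; stop rather than mis-parse
        if tag == 0:  # SSID element; an empty or all-NUL body is a "hidden" SSID
            ssid = "" if body.strip(b"\x00") == b"" else body.decode("utf-8", "replace")
        elif tag == 3 and length == 1:  # DS Parameter Set: current channel
            channel = body[0]
        pos += 2 + length
    return {
        "bssid": bssid, "ssid": ssid, "channel": channel, "interval": interval,
        "ess": bool(cap & CAP_ESS), "ibss": bool(cap & CAP_IBSS),
        "privacy": bool(cap & CAP_PRIVACY),
    }


def assess_beacon(info: dict, authorized_ssid: str, authorized_channel: int) -> list:
    """List the chapter's warning signs that apply to one parsed beacon."""
    findings = []
    if info["ibss"] or not info["ess"]:
        findings.append("ad-hoc (IBSS) network")
    if info["ssid"] == "":
        findings.append("hidden SSID")
    elif info["ssid"].lower() in DEFAULT_SSIDS:
        findings.append(f"default SSID '{info['ssid']}'")
    elif info["ssid"] != authorized_ssid:
        findings.append(f"unexpected SSID '{info['ssid']}'")
    if info["channel"] is not None and info["channel"] != authorized_channel:
        findings.append(f"channel {info['channel']} instead of {authorized_channel}")
    if not info["privacy"]:
        findings.append("privacy (WEP) bit not set")
    return findings


def build_beacon(bssid: str, ssid: str, channel: int, cap: int) -> bytes:
    """Construct a minimal beacon frame for the demonstration (not a real capture)."""
    addr = bytes.fromhex(bssid.replace(":", ""))
    header = (bytes([0x80, 0x00]) + b"\x00\x00"          # frame control, duration
              + b"\xff" * 6 + addr + addr + b"\x00\x00")  # DA, SA, BSSID, seq ctl
    fixed = struct.pack("<QHH", 0, 100, cap)              # timestamp, interval, capability
    ies = bytes([0, len(ssid)]) + ssid.encode() + bytes([3, 1, channel])
    return header + fixed + ies


# Constructed sample frames; the MAC addresses are made up
SAMPLE_FRAMES = {
    "corp_ap": build_beacon("02:11:22:00:00:01", "corpnet", 1, CAP_ESS | CAP_PRIVACY),
    "adhoc": build_beacon("02:11:22:00:00:02", "LarsWorld", 6, CAP_IBSS),
    "default_ap": build_beacon("02:11:22:00:00:03", "tsunami", 11, CAP_ESS),
    "hidden_ap": build_beacon("02:11:22:00:00:04", "", 1, CAP_ESS | CAP_PRIVACY),
}


def audit_frames(frames: dict, authorized_ssid="corpnet", authorized_channel=1) -> dict:
    """Map each sample name to the findings for its beacon."""
    return {name: assess_beacon(parse_beacon(f), authorized_ssid, authorized_channel)
            for name, f in frames.items()}


if __name__ == "__main__":
    for name, findings in audit_frames(SAMPLE_FRAMES).items():
        print(f"{name:11s} {'; '.join(findings) or 'no findings'}")
```

The parser stops at the first truncated information element instead of guessing, and a beacon whose SSID element is empty or all NUL bytes is reported as hidden rather than matched against the authorized name, which mirrors what a stumbler shows when an AP has beacon SSID broadcasts disabled.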
Although these wireless device characteristics are not a guarantee that you’ve got unauthorized systems on your network, they can be a good indicator and proof that you need to probe further. Keep in mind that just because you find what appear to be unauthorized wireless systems on your network, you’ve still got to figure out if they’re actually in your building. If your organization has a standalone facility or campus, with no other buildings around, odds are the devices are on your network. However, if you share a building with other organizations, there’s always a chance that the wireless devices you find are someone else’s — and purely legitimate. This helps emphasize why you need to know your network — what’s allowed, who’s on it, etc.
Searching for unauthorized systems is often a matter of timing and luck. You may find nothing during some walkthroughs and several unauthorized systems during others. If at first you don’t find anything suspicious, keep checking: The unauthorized system could be temporarily powered off at the time of your search.
Before we get started on using wireless software to track down unauthorized systems on your network, we thought it’d be a good time to mention a neat hardware solution for doing the same thing. This device is the handheld (actually key-chain-sized) WIFI Signal Locator by Mobile Edge (www.mobileedge.com). It’s designed to determine whether a wireless hot-spot is in your vicinity, but you can also use it to sniff out unauthorized systems in your building as well.
Wireless Client Software
In Chapter 5, we demonstrated how you can use the basic wireless-network software built in to Windows XP to search for wireless systems. However, this method limits the amount of information you can ferret out when you’re performing an extensive scan. The next best thing to use is the wireless client management software — such as ORiNOCO’s Client Manager, Netgear Smart Wizard, and so on — that comes with your wireless NIC.
Figure 11-6 shows ORiNOCO’s Client Manager discovering an ad-hoc network that’s utilizing channel 6 for communication.
You may find a similar unauthorized system on your network. Unless your security policy allows users to have ad-hoc wireless devices (it doesn’t, right?), the first tipoff that trouble’s afoot would be the fact that you’ve got an ad-hoc network running. Also, you may have all your wireless systems set up to utilize another channel by default (such as channel 1) — so communications on channel 6 could indicate that this ad-hoc system is unauthorized.
Figure 11-6: ORiNOCO’s Client Manager, showing an unauthorized peer-to-peer (ad-hoc) network.
Figure 11-7 shows Client Manager discovering an AP with a weak signal. (The weak signal is indicated by the small yellow bar in the SNR column.)
Figure 11-7: Site Manager, showing an AP with a weak signal.
A weak signal can also indicate that you’ve got an authorized system that’s far away or (cue the sinister music) that someone has turned the signal down on it and is trying to keep it hidden. You can walk around your office or campus using a utility such as Site Manager to see whether signal strength improves. If it does, you’ve likely narrowed down its location, so it’s time to look into it further. If the signal doesn’t improve, the AP may belong to someone else — but you still may have an unauthorized system on your hands.
As you can see in Figure 11-8, some client-manager software shows more detail than others. Notice how Netgear’s Smart Wizard utility also shows signal strength, MAC address, and which 802.11 technology is being used — in this case, 802.11g.
Figure 11-8: Netgear’s Smart Wizard utility, showing an unauthorized peer-to-peer (ad-hoc) network.
Later in this chapter, we show you how you can use the MAC address of an ad-hoc system — along with a network analyzer — to track down specific IP addresses and protocols being used on the network.
Stumbling Software
The next step up, so to speak, in software you can use to detect unauthorized wireless devices is stumbling software such as NetStumbler and Kismet. Since we’ve already outlined how to use these programs in previous chapters, we’ll spare you a repetition of those details. What’s important to note here is the specific information you can find with a program such as NetStumbler.
Wireless network analyzers and monitoring tools such as AiroPeek and NetStumbler put your wireless NIC in promiscuous monitoring mode to capture all packets. This will effectively disable any other wireless communication (Internet, e-mail, network browsing, etc.) for that computer until you close out the program.
For starters, you can use NetStumbler to find unauthorized ad-hoc devices on your network. If you come across quite a few ad-hoc systems like the devices labeled Peer in Figure 11-9, you could be in for some trouble.
Figure 11-9: NetStumbler showing several unauthorized ad-hoc clients.
In the next section, we outline how you can use a network analyzer to determine whether the ad-hoc systems you find are attached directly to your network.
When using NetStumbler — or any wireless stumbling or analyzer software — the color of the indicator lights ranges from gray (no or minimal signal) all the way to green (strongest signal). This can tell you how close you are to the device in question.
In Figure 11-10, NetStumbler has found two potentially unauthorized APs. The ones that stand out are the two with SSIDs of BI and LarsWorld. Notice how they’re running on two different channels, two different speeds, and are made by two different hardware vendors. Also, the ad-hoc system with vendor type “User-defined” looks suspicious as well. If you know what’s supposed to be running on your wireless network, these devices really stand out as unauthorized.
Figure 11-10: NetStumbler showing unauthorized APs.
You may remember from previous chapters that NetStumbler performs active probing of wireless systems. This means that if any APs are configured to disable beacon broadcasts — and thus disregard probe requests coming in from clients — then NetStumbler won’t see them. Well, it’ll see the AP along with its MAC address and associated radio information, but it won’t see the SSID. Figure 11-11 shows what this looks like. Notice you can see everything about the Cisco AP but the SSID.
Figure 11-11: A Cisco AP with a hidden SSID in NetStumbler.
If you really need to see SSIDs that are “disabled”, you can use the essid_jack hacking tool (outlined in Chapter 8) to create a client-to-AP re-association scenario that forces the SSID to be broadcast. Perhaps an easier way is simply to use a passive monitoring tool such as Kismet or a network analyzer.
Network-Analysis Software
Network analyzers, or sniffers, are great tools for seeking out rogue wireless equipment. Most network analyzers allow you to identify unauthorized systems — and can track down other information such as their IP addresses, what type of data they’re transmitting, and more. Kevin’s a little biased toward the ease-of-use offered by commercial analyzers, but many freeware and open-source tools will work just as well. Whatever your usability preferences, you can use network-analysis information to determine whether the systems you’ve detected are actually connected to your network — or if they’re merely legitimate systems down the street or on the floor above.
Regardless of which network analyzer you use, you can still perform most of the basic functions we cover in this section.
Browsing the network
When seeking rogue wireless equipment with a network analyzer, we start out using AiroPeek NX to create what it calls a Peer Map. This map, shown in Figure 11-12, is essentially a physical layout of all wireless devices it can detect. When you know which wireless systems are out there talking, you’re already on the trail of the rogues.
Figure 11-12: AiroPeek NX Peer Map, showing the physical layout of surrounding wireless devices.
AiroPeek NX also has a feature it calls Expert analysis, which you can use to look for wireless anomalies (for example, ad-hoc clients and APs that don’t belong). You simply load the program and select the Expert tab. Figure 11-13 shows the output of an Expert capture, along with its findings.
Notice that during this session, AiroPeek NX has found two rogue APs and 22 rogue ad-hoc clients! It can also find other helpful information such as APs that don’t require WEP and those that are broadcasting their SSIDs.
AiroPeek and AiroPeek NX come with a security audit template called Security Audit Template.ctf that you can load to search for specific wireless security problems. This template can be loaded by simply clicking File/New From Template.
When performing a regular packet capture (such as the one shown in Figure 11-14), AiroPeek NX also points out wireless anomalies in the Expert column at the right. Notice that it found both ad-hoc clients and APs that don’t belong. These functions can be helpful for pointing out the larger-scale security issues when you’re scrolling through the seemingly overwhelming slew of packets you typically capture during a session.
Figure 11-13: AiroPeek NX Expert analysis, showing unauthorized wireless devices.
Figure 11-14: AiroPeek NX, pointing out anomalies during a basic packet capture.
It’s these types of features combined with general ease of use that make commercial tools such as AiroPeek NX and its sister application AiroPeek stand out. AiroPeek is discussed in greater detail in Chapter 8.
Probing further
In the previous sections, we outlined how to determine which wireless systems are transmitting radio signals in and around your organization. But how do you know if they’re benign systems belonging to someone else outside your organization or are actually unauthorized systems connected to your network? There’s one obvious way to find these systems — walk around and look for them. However, this may not be practical, especially if you have a large number of wireless devices or you’re having trouble spotting them.
Let’s look at how you can determine if an ad-hoc device is connected to your network. It’s actually pretty simple by following these steps:
1. Track down the MAC address of the system in question.
In this example, the system we want to check out is the one with the Philips Components address (as shown in Figure 11-15). We view this system by clicking the Nodes tab in AiroPeek NX. Note that AiroPeek NX displays the NIC vendor name in place of the first three bytes of the MAC address. (We’ve hidden the last three bytes just to provide our personal MACs some privacy.)
Figure 11-15: Using AiroPeek NX to find the MAC address of an ad-hoc system in question.
2. Find the MAC address in the packets you’ve captured.
In AiroPeek NX, this simply involves switching to the Packets view by clicking the Packets tab and performing a hex search (by pressing Ctrl+F in AiroPeek NX) for the MAC address within the packets. In this example, dozens of packets were discovered; to keep things simple, we filtered out the unneeded management frames (beacons, probe requests, and so on) and focused on the IP-based traffic shown in Figure 11-16.
Figure 11-16: Displaying pertinent IP-based packets in AiroPeek NX.
3. Determine whether the associated IP address and protocols point to your network.
In this case, we found that the Philips Components MAC address has an IP address of 192.168.1.3. Now that you know the IP address, the next question is, Is it a valid address on your network? You may be surprised.
Figure 11-16 shows this address, along with some interesting traffic — a PING Request and NB Name Svc broadcasts. This system is pinging another system (192.168.1.1 in this case) and appears to be a Windows-based computer — hence the NB (NetBIOS) broadcasts that tell the network “I’m here.” This type of traffic — especially if you know your users would never initiate it — could indicate an unauthorized system.
If you find a MAC address and you’re not sure whether it belongs on your system, you can track down its IP address by matching it up to the IP-MAC address findings in SoftPerfect’s Network Scanner (www.softperfect.com/products/networkscanner). This is a great way to match up MAC addresses to IP addresses and see if a system is on your network, and it’s a lot quicker and simpler than performing reverse ARP lookups.
This test is not 100 percent foolproof, but it’s a great test to run nonetheless.
You can also use this method to determine whether unauthorized APs are connected to your network.
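The three steps above amount to building a MAC-to-IP mapping from captured frames and then asking whether those addresses fall inside your ranges. As an added example (not the book’s or AiroPeek’s code), the Python below does that over a constructed packet list: it maps each source MAC to the IP addresses it used, notes the PING requests and NetBIOS name-service broadcasts the text describes, and reports whether the address sits in an authorized range. The MAC addresses, IP addresses, and the 192.168.1.0/24 authorized range are made up, and the broadcast check assumes /24 subnets.

```python
"""Match captured MAC addresses to IP addresses and judge whether they are on your network.

Added example with constructed packet records; nothing here is a real capture.
"""
import ipaddress
from collections import defaultdict

# Constructed capture, one record per captured data frame:
# (source MAC, source IP, destination IP, protocol, destination port or None)
CAPTURED_PACKETS = [
    ("02:aa:bb:00:00:03", "192.168.1.3", "192.168.1.1", "icmp-echo-request", None),
    ("02:aa:bb:00:00:03", "192.168.1.3", "192.168.1.255", "udp", 137),  # NB Name Svc
    ("02:aa:bb:00:00:03", "192.168.1.3", "192.168.1.255", "udp", 137),
    ("02:cc:dd:00:00:09", "10.20.30.40", "10.20.30.1", "tcp", 80),
    ("02:cc:dd:00:00:09", "10.20.30.40", "10.20.30.255", "udp", 138),  # NB Datagram Svc
]

# Address ranges this (hypothetical) organization has assigned
AUTHORIZED_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]


def mac_to_ips(packets) -> dict:
    """Build the MAC -> {IP addresses} mapping from captured source fields."""
    mapping = defaultdict(set)
    for src_mac, src_ip, _dst_ip, _proto, _port in packets:
        mapping[src_mac.lower()].add(src_ip)
    return dict(mapping)


def assess_host(mac: str, packets, authorized_nets) -> dict:
    """Summarize what one MAC address is doing and whether its IP belongs to you."""
    mac = mac.lower()
    ips = mac_to_ips(packets).get(mac, set())
    on_network = sorted(ip for ip in ips
                        if any(ipaddress.ip_address(ip) in net for net in authorized_nets))
    observations = set()
    for src_mac, src_ip, dst_ip, proto, port in packets:
        if src_mac.lower() != mac:
            continue
        # Assumes /24 subnets when deciding whether a destination is the broadcast address
        bcast = ipaddress.ip_interface(f"{src_ip}/24").network.broadcast_address
        if proto == "icmp-echo-request":
            observations.add(f"PING request to {dst_ip}")
        elif proto == "udp" and port in (137, 138) and ipaddress.ip_address(dst_ip) == bcast:
            observations.add(f"NetBIOS broadcast (UDP/{port}) to {dst_ip}")
    return {
        "mac": mac,
        "ips": sorted(ips),
        "on_authorized_network": on_network,
        "observations": sorted(observations),
        "verdict": ("address in your range; treat as connected to your network"
                    if on_network else
                    "address outside your ranges; may be a neighbor's system"),
    }


if __name__ == "__main__":
    for mac in mac_to_ips(CAPTURED_PACKETS):
        report = assess_host(mac, CAPTURED_PACKETS, AUTHORIZED_NETWORKS)
        print(f"{report['mac']} {report['ips']} -> {report['verdict']}")
        for line in report["observations"]:
            print("   ", line)
```

The verdict is only as good as the address plan you feed it: a neighbor who happens to use the same private range will also land in your "authorized" network, which is the reason the text calls this test useful but not foolproof.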
Additional Software Options
In addition to using the wireless-client, stumbling, and network-analysis software mentioned here, you have some additional ways to search for wireless devices that don’t belong. For example, some basic port-scanning and vulnerability-assessment tools can give you useful results. Here’s a quick list:
• SuperScan
• GFI LANguard Network Security Scanner
• Nessus
• NeWT
• QualysGuard
These programs aren’t wireless-specific but they may be able to turn up wireless-device IP addresses and other vulnerabilities that you wouldn’t have been able to discover otherwise.
Online Databases
One more place to look for unauthorized wireless systems is the Internet.
(Well, yeah . . .) Up to this point, we’ve mentioned several Web sites you can browse to and query to see whether your “authorized” wireless devices have been made public — as in, plastered all over the Net. Well, you can also use these databases to search for unauthorized systems as well. If you know the exact GPS coordinates of your building, you can perform a detailed lookup in WiGLE’s database at
www.wigle.net/gps/gps/GPSDB/query
to see whether any systems in your vicinity have been posted. If you don’t mind sorting through entries by city, state, or Zip code, you can also check out www.wifimaps.com and www.wifinder.com to see what you can find.
Unauthorized System Countermeasures
The countermeasures necessary to help prevent unauthorized wireless devices are similar to those we’ve discussed up to this point. They are:
• First and foremost, implement a reasonable and enforceable wireless security policy that forbids unauthorized wireless devices — and actually enforce it.
• Use stumbling software or a network analyzer to monitor for network changes and systems that don’t belong.
• Use a full-fledged wireless intrusion-detection system (WIDS) or network-monitoring system that can find wireless network anomalies, prevent bad things from happening, and alert you in real time.
• Control access to authorized wireless devices only by one or more of the following:
  • MAC address
  • SSID
  • Communications channel used
  • Hardware vendor type
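The countermeasure list above comes down to comparing what you observe against what you have authorized. As an added example that is not the book’s own code, the following Python audit takes stumbler-style observations (MAC, SSID, channel, and AP or Peer mode) and checks each against an inventory of authorized devices by MAC address, SSID, channel, and hardware vendor. The inventory, the observations, and the OUI-to-vendor table are constructed; the SSID "corpnet" and channels 1 and 6 are assumed to be the authorized ones.

```python
"""Audit stumbler observations against an inventory of authorized wireless devices.

Added example; inventory, observations and the OUI table are constructed.
"""

# Constructed OUI -> vendor table (a real tool ships the full IEEE OUI list)
OUI_VENDORS = {"02:11:22": "ExampleVendorA", "02:33:44": "ExampleVendorB"}

# Authorized devices keyed by MAC, with the SSID, channel and vendor each should show
INVENTORY = {
    "02:11:22:00:00:01": {"ssid": "corpnet", "channel": 1, "vendor": "ExampleVendorA"},
    "02:11:22:00:00:02": {"ssid": "corpnet", "channel": 6, "vendor": "ExampleVendorA"},
}

# Constructed observations in the style of a stumbler export:
# (MAC, SSID, channel, mode) where mode is "AP" or "Peer" (ad-hoc)
OBSERVED = [
    ("02:11:22:00:00:01", "corpnet", 1, "AP"),
    ("02:11:22:00:00:02", "LarsWorld", 6, "AP"),      # inventoried MAC, wrong SSID
    ("02:33:44:00:00:07", "corpnet", 1, "AP"),        # right SSID, MAC never inventoried
    ("02:55:66:00:00:08", "boardroom", 11, "Peer"),   # ad-hoc, nothing matches
]


def vendor_of(mac: str) -> str:
    """Resolve the first three bytes of a MAC to a vendor, as stumblers display it."""
    return OUI_VENDORS.get(mac.lower()[:8], "User-defined")


def audit_observations(observed, inventory, allowed_ssids, allowed_channels) -> dict:
    """Return MAC -> list of deviations; an empty list means the device is authorized."""
    report = {}
    for mac, ssid, channel, mode in observed:
        mac = mac.lower()
        issues = []
        expected = inventory.get(mac)
        if mode.lower() == "peer":
            issues.append("ad-hoc (peer) device")
        if expected is None:
            issues.append("MAC not in inventory")
            if ssid in allowed_ssids:  # looks like one of yours but is not: rogue-AP pattern
                issues.append(f"uses authorized SSID '{ssid}' without being inventoried")
        else:
            if ssid != expected["ssid"]:
                issues.append(f"SSID '{ssid}' differs from inventoried '{expected['ssid']}'")
            if channel != expected["channel"]:
                issues.append(f"channel {channel} differs from inventoried {expected['channel']}")
        vendor = vendor_of(mac)
        if vendor == "User-defined" or (expected and vendor != expected["vendor"]):
            issues.append(f"vendor '{vendor}' not expected")
        if channel not in allowed_channels:
            issues.append(f"channel {channel} not in allowed set")
        report[mac] = issues
    return report


if __name__ == "__main__":
    for mac, issues in audit_observations(OBSERVED, INVENTORY, {"corpnet"}, {1, 6}).items():
        print(mac, "OK" if not issues else "; ".join(issues))
```

Keying the inventory on MAC address and then checking SSID and channel separately is what lets the audit distinguish an inventoried AP that someone reconfigured (known MAC, wrong SSID) from a device that merely copies your SSID (right SSID, unknown MAC); a check on SSID alone would miss the second case.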