Home page logo

pen-test logo Penetration Testing mailing list archives

RE: How to track down a wireless hacker
From: cwright () bdosyd com au
Date: 11 Nov 2007 23:38:45 -0000

 “Of course you can track a wireless attacker due the fact that he is broadcasting a trackable signal”.

First, it is not necessary to broadcast to monitor wireless traffic. The attacker can remain passive. Passive 
monitoring does make a discernable variation in the RSSI, but I do not see the resources being deployed for this reason 
(and we are talking well into the 6 figures for this).

So let’s address this in detail.
To do so, let’s look at the threats first, we have:
-       Friendly – unprotected wireless networks deployed in ignorance.
-       Malicious – This is either a malicious rouge attacker or a planted rouge network or AP.
-       Unintended – Equipment deployed without authorisation and likely incorrectly configured (this group commonly 
includes Infrastructure rogues).

The friendly and unintended threats are easy to find. They will either be an AP or wireless card in the local 
proximity. These are easy to trace. As such we can ignore these for the purpose of this post.

There are a variety of means to discover rogues on the wireless network. These include:
1       Wired-side AP fingerprinting
2       Wired side MAC prefix analysis
3       Wireless-side warwalking
4       Wireless-side client monitoring
5       Wireless-side WLAN IDS

If your intention is to test your own mal-functioning or mis-configured equipment on your network, then there is no 
crime. If you know it is not your device and you attack it in full knowledge, then a crime is the result. For example, 
you can run a Nessus AP Fingerprint Scan on your own (or what you believe is your own) equipment with impunity 
(assuming permissions and rights).

In the case of an attacker external to the network, we can ignore options 1 and 2. If the attack was a rogue device (an 
AP for instance) on the wired-side network, scanning is legally ok. The scanning of your own equipment is an acceptable 
legal option. This still does not allow the right to actively attack the device on discovering it is a rogue. This is a 
matter of intention. 

As for Wireless-side analysis… This is easy to do, but it is time consuming, error prone (there is a low risk of 
false-negatives and a good chance of false positives) and is likely to bypass or incorrectly correlate moving targets. 
Kismet will allow you to save filters based on the BSSID’s and MAC addresses discovered. Kismet would then be 
configured to ignore all authorised networks. This allows the creation of a baseline. The baseline allows for the 
alerting of exceptions – that is unauthorised AP’s.
AiroPeek NX is a commercial option for those companies that do not like to use open source software. Either method is 
time consuming and requires an audit for a “point in time” event. Warwalking can not be set to wait and report on 

AirWave RAPIDS is a commercial option to conduct both wired-side and wireless-side monitoring and assessment. It 
monitors and reports on wireless activity and flags (and alerts) new networks as potential rogue AP’s. This is an 
expensive option with a license required for all clients. There are also issues. Either poor monitoring facilities will 
result or wireless networking will be impacted for the hosts.

There are Wireless-side LAN IDS deployments. Aruba is an example. Again these are costly and require that a sensors is 
deployed at all facilities using wireless (and if you really want to be safe those that do not as well).
None of this helps us find the rogue – we only find out that one may exist.

So how can we discover the rogue you ask finally?
First there is a manual analysis process using the signal-to-noise ratios (SNR). SNR is maximised when the devices are 
associated. In this, the idea is to map the SNR and locate the antenna (note the antenna and not the rogue itself).  
These techniques rely heavily on guess-work. Kismet and a GPS will help.

Directional analysis makes this a little easier. This requires a directional antenna and RSSI (Radio Signal Strength 
Information which is the signal and noise levels associated with a wireless device). Channel hoping should be disabled 
when doing this and it is essentially a matter of trial and error.

Rapfinder (open source) is a tool that aids in this process. AirMagnet is a commercial tool (handheld) that is designed 
to locate the source of the radio signal (as you get closer the clicks increase in frequency like a Geiger counter). 
Next we get to triangulation. Even this is not 100% accurate due to RF interference, signal loss and radio signal 
distribution patterns (which vary based on the physical position). Aruba AirMonitor with 3 sensors will find local AP’s 
with a fair degree of accuracy. 

However, this takes us to the point. An attacker is not always going to be placed locally. The range with a good yaggi 
high gain antenna is a radius of over 10km. That is over 300 square km. So have fun searching, it is about 30,000 
households, businesses etc ... 

It is not a flippantly easy task to track a wireless attacker. People get lucky, this is about how it works.

Craig Wright (GSE-Compliance)


From: Jan Heisterkamp [mailto:]
Sent: Mon 12/11/2007 1:55 AM
To: ep
Cc: Craig Wright; pen-test () securityfocus com
Subject: Re: How to track down a wireless hacker
I lost who started this thread.
Of course you can track a wireless attacker due the fact that he is
broadcasting a trackable signal and you can do it pretty accurate. But
he question behind is "And then?"

What will you do?
If the attacker is in house you might have to close all the doors, call
the security stuff and confiscate all the laptops running wireless. The
attacker goes arested and the rest of the user will take their case to
the court, sueing you for damages.
If the attacker is, let us say in a car in the street and you have
tracked and localized him what are you able to do?
You can't touch him, neither arrest him, you have no legal right to do
so; probably you will se the attackers golden finger he hits the road.

The energy you are wilt to afford to track this freak down you had
better spent before in securing your Network.
It's a fact, that you messed it up and not he.
I guess there is waiting some homework for you...


This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]