mailing list archives
RE: How to track down a wireless hacker
From: cwright () bdosyd com au
Date: 11 Nov 2007 23:38:45 -0000
Of course you can track a wireless attacker due the fact that he is broadcasting a trackable signal.
First, it is not necessary to broadcast to monitor wireless traffic. The attacker can remain passive. Passive
monitoring does make a discernable variation in the RSSI, but I do not see the resources being deployed for this reason
(and we are talking well into the 6 figures for this).
So lets address this in detail.
To do so, lets look at the threats first, we have:
- Friendly unprotected wireless networks deployed in ignorance.
- Malicious This is either a malicious rouge attacker or a planted rouge network or AP.
- Unintended Equipment deployed without authorisation and likely incorrectly configured (this group commonly
includes Infrastructure rogues).
The friendly and unintended threats are easy to find. They will either be an AP or wireless card in the local
proximity. These are easy to trace. As such we can ignore these for the purpose of this post.
There are a variety of means to discover rogues on the wireless network. These include:
1 Wired-side AP fingerprinting
2 Wired side MAC prefix analysis
3 Wireless-side warwalking
4 Wireless-side client monitoring
5 Wireless-side WLAN IDS
If your intention is to test your own mal-functioning or mis-configured equipment on your network, then there is no
crime. If you know it is not your device and you attack it in full knowledge, then a crime is the result. For example,
you can run a Nessus AP Fingerprint Scan on your own (or what you believe is your own) equipment with impunity
(assuming permissions and rights).
In the case of an attacker external to the network, we can ignore options 1 and 2. If the attack was a rogue device (an
AP for instance) on the wired-side network, scanning is legally ok. The scanning of your own equipment is an acceptable
legal option. This still does not allow the right to actively attack the device on discovering it is a rogue. This is a
matter of intention.
As for Wireless-side analysis
This is easy to do, but it is time consuming, error prone (there is a low risk of
false-negatives and a good chance of false positives) and is likely to bypass or incorrectly correlate moving targets.
Kismet will allow you to save filters based on the BSSIDs and MAC addresses discovered. Kismet would then be
configured to ignore all authorised networks. This allows the creation of a baseline. The baseline allows for the
alerting of exceptions that is unauthorised APs.
AiroPeek NX is a commercial option for those companies that do not like to use open source software. Either method is
time consuming and requires an audit for a point in time event. Warwalking can not be set to wait and report on
AirWave RAPIDS is a commercial option to conduct both wired-side and wireless-side monitoring and assessment. It
monitors and reports on wireless activity and flags (and alerts) new networks as potential rogue APs. This is an
expensive option with a license required for all clients. There are also issues. Either poor monitoring facilities will
result or wireless networking will be impacted for the hosts.
There are Wireless-side LAN IDS deployments. Aruba is an example. Again these are costly and require that a sensors is
deployed at all facilities using wireless (and if you really want to be safe those that do not as well).
None of this helps us find the rogue we only find out that one may exist.
So how can we discover the rogue you ask finally?
First there is a manual analysis process using the signal-to-noise ratios (SNR). SNR is maximised when the devices are
associated. In this, the idea is to map the SNR and locate the antenna (note the antenna and not the rogue itself).
These techniques rely heavily on guess-work. Kismet and a GPS will help.
Directional analysis makes this a little easier. This requires a directional antenna and RSSI (Radio Signal Strength
Information which is the signal and noise levels associated with a wireless device). Channel hoping should be disabled
when doing this and it is essentially a matter of trial and error.
Rapfinder (open source) is a tool that aids in this process. AirMagnet is a commercial tool (handheld) that is designed
to locate the source of the radio signal (as you get closer the clicks increase in frequency like a Geiger counter).
Next we get to triangulation. Even this is not 100% accurate due to RF interference, signal loss and radio signal
distribution patterns (which vary based on the physical position). Aruba AirMonitor with 3 sensors will find local APs
with a fair degree of accuracy.
However, this takes us to the point. An attacker is not always going to be placed locally. The range with a good yaggi
high gain antenna is a radius of over 10km. That is over 300 square km. So have fun searching, it is about 30,000
households, businesses etc ...
It is not a flippantly easy task to track a wireless attacker. People get lucky, this is about how it works.
Craig Wright (GSE-Compliance)
From: Jan Heisterkamp [mailto:]
Sent: Mon 12/11/2007 1:55 AM
Cc: Craig Wright; pen-test () securityfocus com
Subject: Re: How to track down a wireless hacker
I lost who started this thread.
Of course you can track a wireless attacker due the fact that he is
broadcasting a trackable signal and you can do it pretty accurate. But
he question behind is "And then?"
What will you do?
If the attacker is in house you might have to close all the doors, call
the security stuff and confiscate all the laptops running wireless. The
attacker goes arested and the rest of the user will take their case to
the court, sueing you for damages.
If the attacker is, let us say in a car in the street and you have
tracked and localized him what are you able to do?
You can't touch him, neither arrest him, you have no legal right to do
so; probably you will se the attackers golden finger he hits the road.
The energy you are wilt to afford to track this freak down you had
better spent before in securing your Network.
It's a fact, that you messed it up and not he.
I guess there is waiting some homework for you...
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
- RE: How to track down a wireless hacker, (continued)