
Chapter 4: 802.11 Discovery

Before you can begin hacking a wireless network, you've got to locate one. There are quite a few different tools to accomplish this, but they all fall into one of two major categories, passive and active. Passive tools are designed to monitor the airwaves for any packets on a given channel. They analyze the packets to determine what clients are talking to which access points. Active tools are more rudimentary and send out probe request packets hoping to get a response. Knowing and choosing your tools is an important step in auditing any wireless network. This chapter covers the basic principles of the software and hardware required for network discovery, along with some practical concerns for war driving. The next chapter will delve into the details of the major tools available today. But first you need to understand the basics of active and passive scanning to discover wireless networks.

DISCOVERY BASICS

Depending on your platform, your choice of wireless discovery tools changes immensely. By far the most popular discovery tool on Windows is NetStumbler. NetStumbler is free, easy to use, and supports most of the wireless cards you throw at it. You'll see shortly that relative to other more advanced, passive tools, NetStumbler falls quite short. On OS X, the most popular tool is Kismac. Despite the similar name, Kismac shares no code with Kismet, the most popular UNIX scanner. Your tools, however, are only as good as the hardware you use. Once the basics of active and passive scanning are covered, chipset features and device driver features are presented as well.

Active Scanning

Popularity: 10
Simplicity: 8
Impact: 1
Risk Rating: 6

Tools that implement active scanning periodically send out probe request packets. These are the same packets clients send whenever they are looking for a network. Clients may send out directed probe requests ("Network X, are you there?"), which carry the SSID they want, as shown in Figure 4-1, or they may send out broadcast probe requests ("Hello, is anyone there?"), which carry an empty SSID, as shown in Figure 4-2. Probe requests are one of the two techniques the 802.11 standard specifies for clients looking for a network to associate with; the other is simply listening for beacons.

Figure 4-1: A directed probe request. Note the addition of an SSID parameter.
Figure 4-2: A typical broadcast probe request packet

Access points send out beacon packets at a fixed interval, by default about every tenth of a second (100 time units, or 102.4 ms). Each beacon contains the same set of information that would be in a probe response, including the network name, BSSID, supported rates, and so on. Since these packets are readily available to anyone listening, you might expect every active scanner to process them, but this is not always true: whether an active scanner sees beacons depends on the scanner in use and on the driver controlling the wireless card. For details, see Chapter 5. The major drawback of active scanners is that outside of probe responses (and possibly beacons), they cannot see any other wireless traffic.

Whenever you are using Windows and click Refresh Network List, your card sends out a broadcast probe request packet. Wireless Zero Configuration (covered later) will also send out directed probe requests for every network in your preferred networks list. Many tools that implement active scanning can only locate networks that your operating system could have found on its own (in other words, the ones that show up on your list of available networks), putting them at a significant disadvantage to tools that implement passive scanning.

Passive Scanning (Monitor Mode)

Popularity: 7
Simplicity: 5
Impact: 5
Risk Rating: 6

Tools that implement passive scanning generate considerably better results than tools that use active scanning. Passive scanning tools don't transmit packets themselves; instead, they listen to all the packets on a given channel and then analyze those packets to see what's going on. These tools have a much better view of the surrounding network(s). In order to do this, however, the wireless card needs to support what is known as monitor mode.

Putting a wireless card into monitor mode is similar to putting a normal wired Ethernet card into promiscuous mode. In both cases, you see all the packets going across the "wire" (or channel). A key difference, however, is that when you put a wired card into promiscuous mode, you are sure to see traffic only on the network you are plugged into. This is not the case with wireless cards. Because the 2.4-GHz spectrum is unlicensed, it is a shared medium, which means you can have multiple overlapping networks using the same channel. If you and your neighbor share the same channel, when you put your card into monitor mode to see what's going on in your network, you will see her traffic as well.

Another key difference between wireless cards and wired cards is that promiscuous mode on an Ethernet card is a standard feature. Monitor mode on a wireless card is not something you can simply assume will be there. For a given card to support monitor mode, two things must happen. First, the chipset in the card itself must support this mode (more on this in the "Chipsets" section, later in this chapter). Second, the driver that you are using for the card must support monitor mode as well. Clearly, choosing a card that supports monitor mode (perhaps across more than one operating system) is an important first step for any would-be wireless hacker.
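A practical way to settle the "does my driver support monitor mode?" question before you buy into a card is to ask the driver itself. The following is an added example, not code from the book or from any of the scanners it names: it assumes a modern Linux host whose mac80211 driver reports its capabilities through the iw tool, parses the "Supported interface modes" block of `iw phy` output, and builds the command sequence that creates a monitor interface and parks it on one channel. The iw output embedded below is a constructed sample in the real layout, so the check runs offline; on a real host, swap in the live query.

```python
# Check the driver-reported interface modes before trusting a card for passive
# scanning. Added example (not from the book); assumes Linux with the iw tool.
import subprocess

# Constructed sample of `iw phy phy0 info` output (real output is longer).
SAMPLE_IW_PHY = """\
Wiphy phy0
	max # scan SSIDs: 4
	Supported interface modes:
		 * IBSS
		 * managed
		 * AP
		 * AP/VLAN
		 * monitor
		 * mesh point
	Band 1:
		Frequencies:
			* 2412 MHz [1] (20.0 dBm)
"""


def supported_modes(iw_phy_text: str) -> set:
    """Return the interface modes listed under 'Supported interface modes:'."""
    modes, in_block = set(), False
    for line in iw_phy_text.splitlines():
        s = line.strip()
        if s == "Supported interface modes:":
            in_block = True
            continue
        if in_block:
            if s.startswith("* "):
                modes.add(s[2:])
            else:
                break                      # first non-bullet line ends the block
    return modes


def supports_monitor(iw_phy_text: str) -> bool:
    """True only if the driver (not just the chipset) advertises monitor mode."""
    return "monitor" in supported_modes(iw_phy_text)


def monitor_setup_commands(phy: str, mon: str, channel: int) -> list:
    """argv lists that add a monitor interface on a mac80211 driver, bring it
    up and pin it to one channel (a passive scanner reads one channel at a time)."""
    return [
        ["iw", "phy", phy, "interface", "add", mon, "type", "monitor"],
        ["ip", "link", "set", mon, "up"],
        ["iw", "dev", mon, "set", "channel", str(channel)],
    ]


def run_iw_phy(phy: str = "phy0") -> str:
    """Query the live driver; needs iw installed (reading capabilities needs no root)."""
    proc = subprocess.run(["iw", "phy", phy, "info"],
                          check=True, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    text = SAMPLE_IW_PHY                   # use run_iw_phy() on a real host
    if supports_monitor(text):
        print("modes:", sorted(supported_modes(text)))
        for argv in monitor_setup_commands("phy0", "mon0", 6):
            print(" ".join(argv))          # run these as root
    else:
        print("driver reports no monitor mode; pick another card or driver")
```

The parser deliberately keys on the driver's own capability list rather than on chipset names, because the same chipset can ship with a driver that lacks monitor mode on one operating system and has it on another.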

A short description of how passive scanners work might help to dispel some of the magic behind them. The basic structure of any tool that implements passive scanning is straightforward. First, it either puts the wireless card into monitor mode or assumes that the user has already done this. Then the scanner sits in a loop, reading packets from the card, analyzing them, and updating the user interface as it determines new information.

For example, when it sees a data packet containing a new BSSID, it updates the display. When a packet comes along that can tie an SSID (network name) to the BSSID, it will update the display to include the name. When the tool sees a new beacon frame, it simply adds the new network to its list. Passive tools can also analyze the same data that active tools do (probe responses); they just don't send out probe requests themselves.

Active Scanning Countermeasures

Luckily, evading an active scanner is relatively simple. Active scanners can only process two types of packets, probe responses and beacons, which means the access point (AP) has to implement two different techniques to hide from an active scanner effectively.

The first technique consists of not responding to probe requests that are sent to the broadcast SSID. If the AP sees a probe request directed at it (that is, one that contains its SSID), it responds; in that case the user already knows the name of the network and is just looking to connect. If the probe request is sent to the broadcast SSID, the AP ignores it.

If an AP did not respond to broadcast probe requests but still transmitted its name inside beacon packets, it would hardly be considered well hidden. Generally, when an access point is configured not to respond to broadcast probe requests, it will also "censor" its SSID in beacon packets. Access points that do this still include the SSID element in the beacon (it is mandatory according to the standard), but they either give it a length of zero or fill it with a few null bytes in place of the real name.
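The scanner loop described under "Passive Scanning" above (read a frame, pull out the BSSID, tie a name to it when a frame carries one) and the censored beacons just described come together in the following added example. It is not code from the book or from Kismet, KisMAC or any other scanner the chapter names. It assumes raw 802.11 frames with no radiotap or Prism header in front of them, treats both a zero-length and an all-null SSID element as censored (slightly more general than the null-bytes case in the text), and every MAC address, SSID and frame below is constructed here rather than captured.

```python
# Core of a passive 802.11 scanner: parse raw frames and build the network table.
# Added example (not from the book). Assumes raw 802.11 frames with no radiotap
# or Prism header, and treats both zero-length and all-NUL SSIDs as "censored".
import struct

MGMT, DATA = 0, 2                          # frame types (frame-control bits 2-3)
PROBE_REQ, PROBE_RESP, BEACON = 4, 5, 8    # management subtypes (bits 4-7)
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def parse_ies(body: bytes) -> dict:
    """Walk the tagged elements: 1-byte ID, 1-byte length, value."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        ies[eid] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies


def parse_frame(frame: bytes) -> dict:
    """Type/subtype, addresses, BSSID and, for beacons and probe frames, the SSID.
    ssid_empty is True for a zero-length or all-NUL SSID element: a wildcard in
    a probe request, a censored name in a beacon or probe response."""
    fc, flags = frame[0], frame[1]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    a1, a2, a3 = mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])
    info = {"type": ftype, "subtype": subtype, "da": a1, "sa": a2, "bssid": None}
    if ftype == DATA:
        to_ds, from_ds = flags & 1, (flags >> 1) & 1
        if to_ds and not from_ds:
            info["bssid"] = a1
        elif from_ds and not to_ds:
            info["bssid"] = a2
        elif not to_ds and not from_ds:
            info["bssid"] = a3                 # ad-hoc; both bits set (WDS) carries no BSSID
    elif ftype == MGMT:
        info["bssid"] = a3
        body = frame[24:]
        if subtype in (BEACON, PROBE_RESP):
            body = body[12:]                   # skip timestamp(8), interval(2), capability(2)
        if subtype in (BEACON, PROBE_RESP, PROBE_REQ):
            raw = parse_ies(body).get(0, b"")
            info["ssid_empty"] = not raw.strip(b"\x00")
            info["ssid"] = "" if info["ssid_empty"] else raw.decode("utf-8", "replace")
    return info


class PassiveScanner:
    """The read-parse-update loop of a passive scanner, minus the radio."""
    def __init__(self):
        self.networks = {}   # bssid -> {"ssid": str|None, "cloaked": bool, "frames": int}
        self.probes = {}     # client MAC -> set of SSIDs it asked for by name

    def _network(self, bssid: str) -> dict:
        net = self.networks.setdefault(bssid, {"ssid": None, "cloaked": False, "frames": 0})
        net["frames"] += 1
        return net

    def feed(self, frame: bytes) -> None:
        f = parse_frame(frame)
        if f["type"] == DATA and f["bssid"]:
            self._network(f["bssid"])                  # data traffic alone proves a BSSID exists
        elif f["type"] == MGMT and f["subtype"] in (BEACON, PROBE_RESP):
            net = self._network(f["bssid"])
            if f["ssid_empty"]:
                net["cloaked"] = True                  # censored beacon: network seen, name withheld
            else:
                net["ssid"] = f["ssid"]                # a probe response ties the name to the BSSID
        elif f["type"] == MGMT and f["subtype"] == PROBE_REQ and not f["ssid_empty"]:
            self.probes.setdefault(f["sa"], set()).add(f["ssid"])   # directed request leaks the name


# --- constructed sample frames (built here, not captured) ---------------------
def ie(eid: int, value: bytes) -> bytes:
    return bytes([eid, len(value)]) + value


def mgmt_frame(subtype: int, da: str, sa: str, bssid: str, body: bytes) -> bytes:
    hdr = bytes([subtype << 4, 0]) + b"\x00\x00"        # frame control, duration
    return hdr + mac_bytes(da) + mac_bytes(sa) + mac_bytes(bssid) + b"\x00\x00" + body


FIXED = struct.pack("<QHH", 0, 100, 0x0411)              # timestamp, 100 TU interval, ESS+privacy
AP, CLIENT, PEER = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "00:00:5e:00:53:01"
SAMPLE_FRAMES = [
    mgmt_frame(BEACON, BROADCAST, AP, AP, FIXED + ie(0, b"") + ie(1, b"\x82\x84\x8b\x96")),  # censored SSID
    mgmt_frame(PROBE_REQ, BROADCAST, CLIENT, BROADCAST, ie(0, b"")),                          # "anyone there?"
    mgmt_frame(PROBE_REQ, BROADCAST, CLIENT, BROADCAST, ie(0, b"corp-net")),                  # "corp-net, are you there?"
    mgmt_frame(PROBE_RESP, CLIENT, AP, AP, FIXED + ie(0, b"corp-net")),                       # AP answers by name
    bytes([DATA << 2, 0x01]) + b"\x00\x00" + mac_bytes(AP) + mac_bytes(CLIENT) + mac_bytes(PEER) + b"\x00\x00",  # ToDS data
]


def scan(frames=SAMPLE_FRAMES) -> PassiveScanner:
    scanner = PassiveScanner()
    for fr in frames:
        scanner.feed(fr)
    return scanner


if __name__ == "__main__":
    s = scan()
    for bssid, net in s.networks.items():
        print(bssid, net)
    print("directed probes:", s.probes)
```

Run against the constructed frames, the table ends up with the AP marked as cloaked (its beacon carried an empty SSID) yet named "corp-net", because the probe response it sent to a client carried the real name; the client's directed probe request leaked the same name before the AP ever answered. That is exactly why the censoring countermeasure hides a network from an active scanner but not from a passive one. If your capture comes from a monitor-mode interface with radiotap headers, strip the header first: its length is the little-endian 16-bit value at offset 2 of the capture.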

Both of these abilities are built in to most APs. There is, unfortunately, no standardized name for these features; some vendors refer to this mode as cloaked, closed, or private mode. Other vendors simply have a checkbox next to Broadcast SSID. On recent versions of Linksys' APs, this feature is on the basic Wireless Settings menu. Generally, the AP provides only one switch that both disables broadcast probe responses and censors the SSID field in beacons, because one without the other is very ineffective.

You might think that the best way to hide an AP would be to disable beacons altogether, so that the only time there is traffic on the network is when clients are actually using it. In practice you can't disable beacons completely; the beacon packets an AP transmits have functions other than simply advertising the network. They carry the timestamp that keeps every station's clock synchronized and the traffic indication map that tells power-saving clients when to wake up and collect buffered frames. If an AP doesn't transmit some sort of beacon at a fixed interval, the entire network breaks down.

Detailed examples of these countermeasures and their effects on legitimate clients and stumblers alike are examined in Chapter 6. Don't forget, if an active scanner can't figure out the name of a network, then legitimate clients can't either. Running a network in "closed" or "hidden" mode requires more maintenance (or user know-how) on end-user stations. In particular, users must know what network they are interested in and somehow input its name into their operating system.

Passive Scanning Countermeasures

Evading a passive scanner is an entirely different problem than evading an active scanner. If you are transmitting anything on a channel, a passive scanner will see it. You can take a few practical precautions to minimize exposure, however. First, the precautions taken for active scanners are still a good idea to implement. When a passive scanner comes across a hidden network, it will see the censored beacon packets and know that a network is in the area, but it will not know the network's SSID. Details on how to get the name of a hidden network when using a passive scanner are covered in Chapter 6.

If your AP supports it, and you have no legacy 802.11b clients, disable mixed mode on your AP (often labeled "g-only" mode). This causes all data packets the AP transmits to use 802.11g (OFDM) encoding, which an 802.11b-only card cannot decode. Unfortunately, beacons and probe responses are usually still sent at an 802.11b rate, so the network itself remains visible, but not handing your data packets to every war driver still using a Prism2 card is a good idea.

The other option is to put your network into the 5-GHz 802.11a band. Many war drivers don't bother scanning this range because most networks operate at 2.4 GHz, and the attackers only want to buy one set of antennas. Cards that support this range are also more expensive.

Finally, intelligent antenna placement can do a lot to minimize the range of your signal. Of course, none of these precautions can keep your network hidden from anyone who is seriously interested in finding it.

Frequency Analysis (Below the Link Layer)

Popularity: 3
Simplicity: 5
Impact: 1
Risk Rating: 3

A card in monitor mode will let you see all of the 802.11 traffic on a given channel, but what if you want to look at a lower level? What if you simply want to see if anything is operating at a given frequency (or 802.11 channel)? Maybe you think your neighbor somehow shifted his network onto channel 13 (something you shouldn't be able to do for legal reasons inside the U.S.), and you want to know for sure so you can ask how he did it. Maybe you want to know exactly where your (or, perhaps more importantly, your neighbor's) microwave, cordless phone, baby monitor, and so on, is throwing out noise so you can relocate your network accordingly. Well, now for $100, you can.

Recently, a company called MetaGeek introduced a product called Wi-Spy (see Figure 4-3). It's a 2.4-GHz frequency analyzer that plugs into a USB port and comes bundled with Windows-only software. Fortunately MetaGeek has been cooperating with dragorn (of Kismet fame), who has pretty much reimplemented the Windows functionality using gtk. This means that dragorn's WiSPY tools can be used on OS X and Linux. Currently, WiSPY tools are under heavy development and may take some tweaking to get working correctly. Luckily, it appears that steady progress is being made and a stable release seems reasonable to expect Real Soon Now.

Figure 4-3: Wi-Spy in action. Note the relative quiet at the high end of the spectrum, the area that represents traffic on channels 12 and 13. There is nothing on these channels because this screenshot was taken inside the U.S., where these channels cannot be used.

Frequency Analysis Countermeasures

The only real solution to preventing your traffic from being seen using a 2.4-GHz frequency analyzer is to move it to the 5-GHz 802.11a band. That, or start running a lot of cables. Frequency analyzers are available for the 5-GHz spectrum as well, but they are expensive and hard to use. Since no one has released one with a convenient USB interface yet, it is probably safe to assume only the most dedicated attacker will have a 5-GHz analyzer at her disposal.
