Auditing Your Airspace

Tony Howlett

Product vendors have heralded 802.11b wireless networks as the best thing since sliced bread. Indeed, wireless networking can simplify creating on-the-fly networks and working around hairy cabling issues. Conferences and conventions now regularly offer Internet access to attendees by simply connecting them to a wireless LAN. Laptop users within a building can go truly mobile, connecting from conference rooms and other heretofore-unconnected spaces. Wireless networks even let home users network all their computers without having to climb around the attic to run Cat 5 cable or understand how to crimp a 10Base T connector. Wireless networks also offer departmental managers the ability to add nodes without all the IT "red tape".

However, from a systems or network administrator's standpoint, wireless networks can seriously affect the security of a local area network. A single mis-configured or hidden wireless node can compromise an entire corporate network by offering an intruder or unauthorized user access to your network, bypassing all the firewalls and other defenses. This circle of vulnerability extends beyond the distance for which wireless LANs are typically rated. Wireless LAN transmissions can be picked up as far away as a mile with a parabolic antenna, and some Internet sites show how to make such an antenna from supplies such as a Pringles can and some PVC.

Wireless LANs aren't going away, so systems administrators must decide how to manage them safely and effectively. If you ban the devices on your network, someone will still try to attach a node. If you do allow wireless LANs, they must be properly secured or all your data will be vulnerable. Furthermore, the wireless encryption standard, WEP (Wired Equivalent Privacy), is fundamentally flawed because a small percentage of the keys it produces are cryptographically weak. By collecting enough of these keys, it is possible to crack the encryption and listen to the transmissions in the clear.

Tools such as WEPCrack and AirSnort can automate this process and crack WEP almost in real time, leading to the hacker pastime of "war-driving" or "net-stumbling". Similar to the war dialing that hackers used in the '80s to find live modem ports, hackers now drive around with a laptop and a wireless adapter looking for unsecured wireless LANs. Thus, it's time to do some "net-stumbling" of your own and audit your airspace. All you need is a spare machine loaded with Linux (kernel 2.4.X or higher) and an inexpensive wireless adapter. Then you need to select your net-stumbling program, which will allow you to reconnoiter your perimeter looking for your wireless LANs, cataloging them, and testing their security.

Auditing Tools

For the UNIX world, there are several choices. Airosniff and Prism2Dump run under FreeBSD. If you have a little extra money in your budget, you can choose a commercial product, such as Airopeek, Grasshopper, or Sniffer Wireless, which may be a little better supported. At my company, we chose Kismet, an open source program by Mike Kershaw. We chose it for the following reasons: the price is right, it runs under Linux, and it seems to be the most stable of the non-commercial packages.

The type of Wireless LAN card that you pick will determine which software you can use. The Prism2 chip set seems to be the best supported and is used by most consumer model cards such as LinkSys, Dlink, NetGear, and Compaq. If you are using a Prism2 card, you must download the wlan-ng driver, available at http://www.wlan-ng.org. Cisco Aironet, Orinoco, and some others are Linux wireless cards, and the standard libpcap library can be used for these. Kismet supports both types of cards, but you must still be careful to pick a card that is supported by your software package. For a list of cards supported by Kismet, check the Web site at http://www.kismetwireless.com.

If you pick a card that's not listed on the Kismet site, it may work but you might also spend days fixing it. For example, I chose a Linksys USB card (WUSB11), thinking that since the WPC11 Linksys card was supported, this one would be too. After days of frustration, I found out that the early version of the WUSB11 used a different chipset than the WPC11 card. The USB card also didn't support many of the functions needed to do packet sniffing.

You'll also want to get a couple of other programs, some of which are required and others that just simplify your work. The libpcap packet capture libraries (available at http://www.tcpdump.com) are required if you are going to use a Linux wireless card. Ethereal is an excellent open source Ethernet sniffer that works directly with Kismet to analyze the output from your sessions. Use the -with-ethereal=PATH directive where PATH is the path to your Ethereal source when running configure to build in Ethereal support.

Kismet also has built-in GPS support so, if you have a laptop-attachable GPS receiver, you can log the exact location of your readings (useful for building a model of your "wireless perimeter"). To use GPS readings, you will need the GPS daemon, gpsd, found at http://www.russnelson.com/gpsd. You also may want the Airsnort and Wepcrack programs (http://airsnort.sourceforge.net and http://wepcrack.sourceforge.net) if you plan to analyze your packets to see whether your encryption can be cracked. Kismet produces output that is compatible with both programs.

Setting up Kismet

Once you've downloaded and installed the appropriate driver, you must test it. Make sure that everything is working properly by setting up an interface (usually wlan0) and attempting to ping something downstream (assuming you have an attached base station). Next, download Kismet (http://www.kismetwireless.com). I chose the stable code, version 1.4.1, but version 1.5.0 is also available. Once you've untarred the program, run the following commands to build it:

./configure
make dep
make install (as root)

There are a lot of settings here, but the important ones are CapType and CapInterface. Select the proper type for the driver you are using (Prism2, in the case of my LinkSys card) and choose the interfaces on which it should be listening (some drivers use wlan0, eth0, or eth1). You can also change the log types that are kept.

The output is sorted into five different buckets, stored in the log files designated in your kismet.conf file. The different logs are dump, which is a simple capture of the raw packet stream. You can use Ethereal to make sense of this and get statistics on it. Network is an easier to read log of the networks found and their information. Here is a sample of the network file:

Network 1: " " BSSID: "00:02:2D:00:34:57"
 Channel: 01
 WEP : "No"
 LLC : 37
 Data : 36
 Crypt : 12
 Weak : 0
 Total : 73
 First : "Thu Jan 3 23:48:31 2002"
 Last : "Thu Jan 3 23:48:31 2002"
 Address found via ARP 172.25.0.0

Network 2: " " BSSID: "00:02:2D:00:34:8B"
 Channel: 01
 WEP : "No"
 LLC : 5
 Data : 4
 Crypt : 0
 Weak : 0
 Total : 9
 First : "Thu Jan 3 23:48:31 2002"
 Last : "Thu Jan 3 23:48:31 2002"
 Address found via ARP 172.25.0.0

Network 3: " " BSSID: "00:02:2D:00:34:97"
 Channel: 01
 WEP : "No"
 LLC : 3386
 Data : 3145
 Crypt : 1600
 Weak : 0
 Total : 6531
 First : "Thu Jan 3 23:48:31 2002"
 Last : "Thu Jan 3 23:48:31 2002"
 Address found via DHCP 172.25.101.143
  netmask 255.255.0.0 gw 172.25.1.1

Kismet uses an ncurses-based psuedo-GUI, which is fairly effective. However, I found that some of the characters wrapped inappropriately. They are supposedly working on a true GUI using GTK.

The screen (Figure 1) is fairly straightforward. The main window shows which networks the card can see and the information on them. Of particular interest for those auditing their wireless networks are the "Type" field and the "Crypt" field. Most corporate networks should be running in AP mode, which is infrastructure mode. The "W" field tells you whether the traffic for that network is encrypted. Again, I have mentioned some weaknesses of WEP, but running WEP is better than nothing.

At the right of Figure 1 is a statistics window, which shows an overview of all the collected data. It will show the total number of networks, the total packets, and encrypted and "weak" encrypted packets that could be subject to cracking. Don't panic if you see weak packets on your network -- the nature of WEP is that a certain number of packets are going to be weak. There's no real way around that right now.

At the bottom of Figure 1 is a status screen showing events that might be of interest -- newly found networks, networks out of range, etc. Use this screen for figuring out when you go in and out of range of your network. (If you want to do serious signal-strength analysis, there are other programs that can do more than Kismet.)

Begin Auditing

After your wireless network-auditing machine is ready, here are some effective wireless auditing strategies:

1. Load the program on a laptop. Kismet also offers support for a PDA if you have the appropriate hardware.

2. Get a card with an external antenna to help your reception, especially with some of the consumer cards that don't have any external power and tend to be pretty weak (the LinkSys is included in this category). I don't recommend making your own antennae with a Pringles can -- not only could you expose yourself to a dose of high-power radio waves, but you could interfere with other nearby signals because 2.4Ghz is in the same general range as some other commercial devices.

3. Start far out and work your way in. Start outside your building, preferably outside your building's perimeter. This is particularly important if your building is near a large freeway or commercial or residential structures. You don't want someone in an apartment across the way to be able to listen in on your corporate LAN. Drive the surrounding streets around your building and walk the perimeter in a wide circle. Obtain a map of the immediate area and draw your "wireless perimeter" on it. If you are skeptical that people are willing to do the same thing in order to surf your network, go to http://www.netstumbler.com for a roadmap of the United States showing hundreds of corporate networks that were sniffed by casual netstumblers.

4. If you are auditing for hidden internal wireless devices, put your laptop on a cart (a swivel chair works also) and push it through the entire building. You can set up Kismet to beep audibly when it discovers a new network. Go around every corner because walls could block the signal of a hidden wireless LAN.

5. If you are auditing known internal wireless LANs, Kismet will tell you whether they have WEP turned on. Although it's not 100% effective, as noted above, it's better than not having it on. You might decide not to allow wireless devices in outer offices or near windows. I recommend placing the wireless base stations as far inside your building as possible. They are much noisier from a signal standpoint than a node and also act as the gateway to your LAN. If all a netstumbler can hear is a wireless node, they can intercept the traffic from that machine, but they can't log onto your network or listen to other traffic on the LAN.

Conclusion

Wireless LANs offer convenience to users and ease of deployment to sys admins, but they also create a slew of security issues. Researchers are looking for a workaround to strengthen WEP, but it will probably involve buying new hardware. You must consider that wireless LANs open an external avenue to a machine on your network, and a hacker doesn't have to crack WEP to attempt to exploit that machine via its wireless NIC. Thus, if you are going to use wireless LAN technology within your company, know the risks, know your wireless perimeter, and make sure you are not broadcasting your corporate secrets to everyone with a cheap wireless NIC card.

Tony Howlett is President of Network Security Services, a network consulting firm (www.netsecuritysvcs.com). He was previously a founder and CTO of a regional CLEC/ISP. He holds the CISSP and GSNA titles as well as a BBA in MIS.