In: Categories » Electronics and communication » Protocols » Detecting Unauthorized 802.11 Cards and Access Points
|
The first goal is detection. Can we tell when someone powers on a card within range of the local network? This can be done with off-the-shelf components and free software. The Cisco Aironet driver included with the more recent Linux kernels supports "RF Monitor" mode, which permits promiscuous monitoring of 802.11 packets - specifically, monitoring raw 802.11 frames to detect if there are any telltale frames broadcast by a rogue access point or card. As outlined in the original 802.11 specification, there are three classes of 802.11 frames. With the goal of detecting rogue access points and unauthorized wireless ethernet cards, we are primarily interested in class 1 and 2 frames. Class 1 frames are the only frames allowed in state 1, the unauthenticated state, and are largely management frames used for authentication, beacons, and probe requests. Class 2 frames are allowed in both states 1 and 2, and are used for association and reassociation. From access points, we would expect to see a large number of beacon frames (Class 1). From unassociated Ad-hoc clients scanning in active mode, we would expect to see a large number of probe requests (also Class 1). To test this hypothesis, a method of monitoring all 802.11 management frames is needed, which the Cisco card and Linux driver are capable of in "RF Monitor mode." Setup To put the card into RF Monitor mode, any BSS (use "Mode: r" for plain RF monitor mode): # echo "Mode: y" > /proc/driver/aironet/eth0/Config # Then, start logging packets with tcpdump, saving them to a file for later analysis with ethereal: # tcpdump -i eth0 -s 0 -w capturefile # Unauthorized Ad-hoc network The first test was to confirm the ability to detect a WLAN card being powered on. A Lucent Orinoco card was configured in Ad-hoc mode on a Win2k laptop, and turned on to find out if there were any characteristic frames sent out by the Orinoco card when it was put into Ad-hoc mode. After the card initialized, tcpdump was stopped, ethereal started, and the capture file opened. A large number of probe requests from the Orinoco card were found, confirming that it was indeed possible to detect when someone within close range had powered up a wireless ethernet card in ad-hoc mode. The dissected frame was as follows:
Indeed, it is possible to tell if someone starts an actively scanning card in ad-hoc mode, and quite a bit of useful information can be gleaned from a single frame. Most relevant are the SSID and the MAC address, since they can be used to track down a particular card and/or person. Unauthorized Access Point The next test was to confirm the possibility of detecting a rogue access point. A tcpdump session was started, and then a Cisco Aironet 340 access point was turned on. After the access point had finished booting, the dump was examined with ethereal, and a large number of beacon frames sent out by the access point were found. Following is one such frame, again dissected by ethereal:
Unauthorized Client The final tested condition was unauthorized clients. The first scenario considered (the more likely scenario), is that someone brings a foreign card and powers it up with the wrong SSID. If the card was actively scanning, probe requests would be seen from this card as it attempted to find an access point. The second scenario is that someone brings a foreign card and powers it up with the correct SSID. This one turns out to be a little more problematic to detect, in that there will be only a few 802.11 management frames to trigger an alert, and then more "normal" traffic. This is problematic primarily because of the way RFMON_ANYBSS mode on the Cisco card works - despite its name, the card cannot receive packets simultaneously from all BSS's in range, especially if those BSS's use different frequencies. The consequence is that it takes some manual intervention to sniff traffic from a particular BSS - see the section below on "Problems and Complications" for more details on this problem and how to work around it. This problem was ignored and instead the focus was on the few 802.11 management frames that do show up readily in the sniffer - both scenarios turned out to produce similar probe requests, so both scenarios are treated as identical. The dissected probe request sent out by this card:
Problems and Complications A few problems came to light with the Cisco card and driver that need to be mentioned. The first problem is that the Cisco card, by default, even in RFMON and RFMON_ANYBSS modes, does not actively scan for traffic on all channels at all times. The following are the conditions under which it will rescan for BSS's:
All of these conditions will "kick" the card into rescanning. To build a practical detection device, the card should be kicked at regular intervals, perhaps every minute. A simple script to touch the BSSList file every minute will do the trick. Second problem: Not all the BSS's in range showed up reliably in the file /proc/driver/aironet/eth0/BSSList. When the card is put into RFMON mode, transmitting is disabled, so the card cannot scan actively for BSS's by sending out probe requests. Therefore, the card must use passive scanning. Instead of sending out probe requests, the card listens for beacons. Passive scans use a timer—the card will listen for beacon frames until the timer expires and then move to another channel. The problem with the Cisco card is that this timer is set too low. The default value is 40ms, which was insufficient on our test network to notice all BSS's, regardless of the range or relative signal strength of the access points. The solution was to add this line to the card initialization routine, setup_card, in airo.c: cfg.beaconListenTimeout = 120; Tripling this timeout made BSS detection work reliably. Consequently, all of our access points showed up in BSSList, all the time. Third problem: Despite its name, even putting the card in RFMON_ANYBSS mode did not cause the card to receive traffic from all of our access points, which were all using different frequencies and were probably synchronized differently. The card itself chose a BSS to synchronize to base on its own algorithm (probably on its assessment of the relative signal strength). The problem with this is that we want to see traffic from all BSSs in range, not just those that happen to have the strongest signals. A way could not be found to disable this feature on the Cisco card, but there is a workaround - the Linux driver provides a /proc interface to set a preferred AP. Once the list of BSSs in range of the scanner is found (/proc/driver/aironet/eth0/BSSList), choose the one to monitor and enter the MAC address in the file /proc/driver/aironet/eth0/APList. This will force the card to synchronize with that BSS and switch to that channel, after which traffic from that BSS can be received and used for signal strength assessments or monitoring for suspicious activity. Conclusions These simple tests confirm that there are 802.11 frames that are characteristic of typical rogue access points and unauthorized ad-hoc networks, and that these frames can be detected and analyzed using off-the-shelf components and free software. Using these concepts along with a database of trusted access points and cards and the fingerprints of suspicious frames, ethereal could be used as a fundamental building block in a full-blown 802.11 intrusion detection system.
|
legal disclaimer
1) Our website is not responsible for the information contained by this article as well for any and all copyright infringements by authors and writers. E-articles is a free information resource. If you suspect this article for any copyright infringements, please read the Terms of service and contact us to investigate the problem.
2) The E-articles directory team is not responsible for inaccuracies, falsehoods, or any other types of misinformation this tutorial may contain and will not be liable for any loss or damage suffered by a user through the user's reliance on the information gained here. Please read the Terms of service
Useful tools and features
related articles
The IN protocols and concepts can be used to implement enhanced wireless services rapidly and to have these services available across serving areas in an untethered wireless network. Some of these services are listed below: Voice-Based User Identification. This service employs a form of automatic speech recognition to validate the identity of the speaker. Access to services can then be restricted to the user whose voice (phrase) has been used to train the recognition device. Voice-Based Featur...
2. Wireless LAN and Personal Area Network
The Wireless Internet is not just wireless communications across town or the country. It is also local—sometimes in a home or office building. Wireless LANs are just becoming popular with economically priced wireless Ethernet equipment. Standards such as IEEE 802.11, HiperLAN2, and Home RF are leading the way to untethered communications in-building or outside over small areas. Another important development is the Personal Area Network, also known as Bluetooth. Let’s take a look at each of th...
3. The Domain Concept
The solution to all of these problems is the network domain. In a domain, you only have a single name and password, which gets you into every shared PC and printer on the network. Everyone's account information resides on a central computer called a domain controllera computer so important, it's usually locked away in a closet or a data-center room. A domain controller keeps track of who is allowed to log on, who is logged on, and what each person is allowed to do on the network. When you log onto the domain with your PC,...
4. Duplexing Techniques in Wireless communication systems
Wireless communication systems have evolved through several stages of multiple-access control. The foremost controllable resource has always been the frequency spectrum. Other resources such as time, code, and space were initially manipulated in a very precarious and, therefore, ineffective manner. The early systems operated in the simplex mode in the forward link. Halfduplex systems soon appeared, in which forward link and reverse link shared the same channel. Access control was performed on a push-to-talk basis wit...
Millions of people, have embraced the flexibility of a networking system that involves no wires at alla cordless networking technology called WiFi or 802.11 ("eight-oh-two dot eleven"). (Your Macintosh friends probably call the same thing AirPort, because that's what Apple calls it.) To get onto a wireless network, your PC needs a WiFi transmitter. Almost every laptop sold today has WiFi built in. You can also add it to a desktop in the form of a wireless card or USB adapter; either way, you gain a little antenna. Once...
6. VPN and Tunneling Protocols
Let us discuss the most common and widely used real-world VPN protocols. The growing number of users, the ease of accessibility, and the reduced cost of the Internet connection have introduced a greater need for cost-effective and secure communications without purchase of leased lines. Many companies participated in the development that resulted in the creation of different VPN standards and protocols. We discuss the most common ones here. IPSec IPSec is the most widely acknowledged, supported, and standardize...
7. MOBILE ELECTRONIC MAIL
Electronic mail (email) is the transferring of information messages via an electronic communications system. Initial versions of email could send short text messages of 1 to 3 pages. Email technology has evolved (standardized) to allow file attachments, and new versions of email (such as those using Flash technology) send animation or video clips as email messages. Email messaging is probably the best single reason for users to get connected to the Internet. There were over 400 million email account u...
8. RADIUS Related Tools
The following list includes a few alternative RADIUS servers as well as several utilities for administration and user monitoring of the RADIUS daemon: Cistron. This server has become widely used in the free software community and was written by Miquel van Smoorenburg (miquels@cistron.nl) from the original Livingston source. The home page (http://www.radius.cistron.nl/) contains more information. ...
9. PERSONALIZED COMMUNICATIONS
Personalized communications consist of applications and services that are based on access to and manipulation of the user’s personal data. This includes services such as personal information management, calendar and scheduler management, email messaging, unified messaging, chat, and community participation. Wireless Internet applications will add value to personalized communications by increasing a user’s ability to access personal data while mobile. We’ve all experienced situations where some small piece of ...










