.: wireless archive


.: decrypting wireless packets
I made a few discoveries this weekend. First, a wireless access point has popped up in my neighborhood recently that is not encrypted, as a quick test of Netstumbler showed me. Second, my newest used laptop appears to be equipped with an Atheros card. Oh joy! I might just have to dual-boot that guy into Linux!

I hopped on the wireless network to poke around, but the Netgear AD password had been changed, and the one other system on the network was sending very few packets across. In fact, all the packets I picked up, with few exceptions, were not being decoded by Wireshark properly. They keep coming up as a Belkin MAC and something about broken packets. I'm wondering if this is something like a Netgear/Belkin combination using proprietary "speed-boosting" which is mucking up the packets. I fired up the newest Cain as well, just in case something interesting flew by.

I'm not really sure since I've not seen it before, but I've left the laptop on the network and will check it out over the next week or two. I do have an Internet connection through it. Windows Network Neighborhood gave me the computer name which happens to be a girl's name, and the AP SSID was a last name. Tonight I need to check what IP I have so I can get the service provider and IP to do some external testing, although I suspect I won't find anything useful. Given some Google searches and any possible traffic that I can decrypt, that is quite a bit of information to leak already.

At any rate, it is fun to have a spare system that I can just dedicate to wireless stuff. I've been wondering what to do with the system, as it is a little too big to properly carry anywhere (about 10 lbs and only fits in my backpack) for real portability, especially since I have far lighter systems. But now I think I have at least one use for it as a wireless workhorse.
.: some wireless hotspot security tips
Andy, ITGuy pointed out a Computer World article, "10 things to do to be more secure when using public wireless hotspots." Nice article.

The good tips that will slowly disappear as Windows fixes its wireless management:
- disable ad hoc mode
- turn off network discovery
The just plain good tips:
- turn off file sharing
- disable your wireless adapter when not in use
- turn on your firewall
- watch out for shoulder-surfers
Then Preston has a few more interesting suggestions. He suggests encrypting your e-mail, but sadly gives no more information about how to accomplish this. Most consumers will stop there, give an annoyed huff, and skip that step. Encrypting one's email is not as easy for many users as it could be, and is completely email provider-specific. It might be as easy as changing a couple of connection settings in the client, or as complicated as figuring out PGP or some other service that claims secure email (by simply never transmitting it off their webmail servers and forcing your recipients to make accounts to retrieve the mail...bleh!). Some users will just be out of luck when it comes to secure mail transmission and won't have corporate recourse for checking mail beyond port 110 and cleartext messages. In those cases, just don't do it.

Carry an encrypted USB drive. I'm not sure if this is worthy of a bullet point, but if someone will be going through the trouble of using an encrypted USB drive for data, why not encrypt the whole laptop disk? Besides, if an attacker takes over the system, they should be savvy enough to impersonate an admin or the user and access most encryption. It makes some sense, but I think it is more effort than is necessary. I dislike having to track multiple "portable" devices, especially ones that can be lost as easily as a USB drive. To me, data encryption on the disk is a "data at rest" issue, not a wireless security issue.

Protect yourself with a virtual private network. I'm not sure I would suggest people use a third-party VPN service. Home consumers on their own equipment, sure, but not corporate users who think it would be safe to transmit possibly-sensitive information through a third-party who may or may not be credible. Too many people think that just because they pay money for it, it must be on the up-and-up. Instead, corporate users should look into what their corporate support is for VPN use. Home users can go the *very* technical route of hosting their own VPN/proxy system, or utilize the pay-for service if they want. I think if email is encrypted, web site logins are protected via SSL, and cleartext IM service not used, most users will be fine without a VPN.

Beware phony hotspots. First, I hate the term "evil twins." We've had a better term for this for years now: "rogue AP." While there is not much most users can do to protect against the rogue AP problem, I do like his two suggestions. Ask the staff if they have a hotspot and what the name is. And if you see two of the same name, don't connect to either one. Any further security against a rogue AP is either overkill for most users, or is really the responsibility of the hotspot establishment.
.: working on my wireless foo
Ordinary people see the means of victory but do not know the forms by which to ensure victory. -The Art of War Chapter 4: Formation

Am digging into my inner wireless geek this month as well. This means buying a little bit more hardware. Most of this stuff is best available on eBay and I plan to get my hands on some of these things soon.

Orinoco Classic Gold wireless PCMCIA card x2
Sharp Zaurus SL-6000
AmbiCom compact flash wireless card (or similar)

The Sharp Zaurus runs on Linux and has internal wireless. This means I can run Kismet on it. I already have an older Dell Axim X5 that I picked up at my old job and totally forgot I still had (and if I want another one for some reason, they seem dirt cheap on eBay). It has no internal wireless and runs Windows PocketPC, but I can put the compact flash wireless in this guy and get it to run. It also gives me the ability to run Ministumbler if I wanted to. I'd rather use Kismet and the Zaurus, but I got lucky in already possessing a little-used Axim.

Now, why would I want both Kismet and Ministumbler? First, some people simply respond better or worse to Linux or Windows. If I don't want to show someone how to do wireless tricks, I'll glaze their eyes over with Linux. If I'm looking to impress a gir...err...a manager with pretty colors and graphs so they spend money on or for me, I may get better results on Windows and Ministumbler. Second, Ministumbler is an active recon tool, so it will only see networks that have the SSID broadcast. Kismet is passive. While it will see non-broadcast SSID networks, I'm not yet sure how it sees them if there is no traffic on them.

Now I just need to pick out a GPS unit (I don't want to spend much, I'm not an extreme outdoorsman who needs something amazing) and possibly decide if I want to explore an external antenna or hold off on that. All told, I don't expect to spend more than $60 on the wireless cards and maybe $200 on the Zaurus.

Also just saw this 2-part article on SecurityFocus about wireless forensics.
.: wireless laws coming in 2007?
It amazes me how slowly wireless has been tackled, especially as everyone has completely jumped on Office products and browsers with all sorts of problems. Perhaps this year will usher in some more changes?

By way of Whitedust, I was pointed over to a pair of NetworkWorld articles. The first deals with new laws and guidelines about business-run wireless networks, both public and those intended to be private. In addition, it tackles vendors who should not default insecure or at least give users some guidance on securing those devices. These are seemingly easy and no-brainer topics, but yet implementation is such that I am astounded about the lack of attention wireless technologies receive. Heck, even insecure cell phones get more press compared to the data networks! The second talks a little bit about 802.1X (in that sort-of-technical-but-not-really-technical way the NetworkWorld writes).

More laws make me happy when it comes to securing wireless and our digital world. But more laws also make me say, "D'oh!" a few more times, since I am one of those people who likes to drive around and see what open wireless networks there are, and hopping on one when I have a need (when traveling or at a friend's place, for instance, and just hopping on an open neighbor network).
.: wi-spy
Ever since Joat made mention of purchasing one, I've been eyeing the Wi-Spy and have it marked up on my "to buy" list for the future. Today, though, I see Joat received an email informing him that the price was going to go up in February. In fact, it is doubling. This little tool is far too cool to let pass away at a higher price. As far as I know, anything comparable is many hundreds of dollars more expensive, so I might move this up my list and get it in the next week or so. It can be bought off ThinkGeek as well as the manufacturer's site.
.: airpcap
Has anyone seen or used or heard about AirPcap? At $198, it is just a little bit above my "eh, spend the extra money and see how it is" range. I saw a blurb about this in the latest Hakin9 magazine.
.: wardriving experience
Can't believe I originally missed an article on wardriving! And not a bad one either, considering the ComputerWorld source. The first page is interesting with the setting up of a rather cheap van office. I kinda like that idea, especially considering my car has zero room as it is. I was also enthused about someday getting together some cheap mobile rig (if I got more into wardriving/wireless assessments that is) after watching an episode where the packetsniffers mounted a laptop in their truck. While a front-seat-mounted laptop is borderline illegal (something about a tv or computer screen being visible to the driver), the idea of a mobile wardriving pad is pretty cool. Shag... At any rate, I like a good article with some good technical tips and hardware suggestions. Unlike many ____World articles, it really sounds like this author is definitely speaking from experience. I might have to hunt this guy down when I make it out to Seattle soon.
.: there be ferrets running amok on the wireless nets
The news of this tool is making the rounds, so I thought I'd post quick. Errata Security has partially released a tool called Ferret which purports to show what all is being leaked through your wireless connection every time you use it.

How do you run it? Download the file and pull out the pre-compiled ferret.exe. Run it from a command line without options and it will tell you your network interfaces. Pick your interface and run 'ferret.exe -i#' to use that interface. Incidentally, you can use a wired or wireless connection if you'd like. (You might need winpcap, but I don't know since I always have it installed anyway.)

The bottom line is this current tool is not as revolutionary as some news and mailing lists are stating. It is really just a sniffer that is only looking for specific data including broadcasts and some application data; things that anyone running any sniffer would be looking for (such as cleartext IMs, passwords, usernames, sites you visit...). Since this is meant for wireless networks, this stuff is typically "broadcast" anyway, due to the medium.

The real beauty will be in the next part of Ferret that they release, the visual/correlating tool.

Check it out, but if you're used to looking at packet captures, don't expect to be wowed right now.
.: silica
Dave Aitel posted this to his mailing list today:
Next week is Shmoocon - and I'll be there with whatever the latest build of SILICA is in my pocket. Feel free to pull me aside for a quick demo.
Man, Silica is about as expensive as a high class hooker, and it looks as good too! It's sexy as all hell, and if I ever came up on a few grand to drop on a toy, I'd seriously think about this one (assuming I could get properly vetted). If any of you are at Shmoocon and see him (or maybe his wife too?) around, totally ask to see Silica in action.
.: locating a wireless user
For once I am posting a question since it is something I have yet to be able to answer properly, but the bug keeps itching at me to answer it.
How do you physically locate a wireless user? Pretend you have a wireless network and someone has been getting in. Other than getting lucky and walking around, how do you locate someone efficiently?
Now, I know expensive and expansive solutions exist for larger campus-type wireless implementations to locate users using information on their signal strength and triangulation between overlapping wireless coverage. But what about for your average techie joe who wants to do this? Is there any software and non-expensive hardware that can help?

I also know that I could attempt attacks against a laptop and see if I can turn on an annoying WAV file and increase the sound...but that's a bit too intrusive and variable.

I'll likely troll a few forums and IRC chans looking for this information over the course of the next few months as I'd really like to answer it.
.: kicking wep while it is down
WEP is already known to be broken and weak, but I see Aircrack-ptw is a new tool out that purports to break WEP (most implementations anyway) much quicker. I have not yet tried it, because BackTrack 2 decided to be a bugger about my Hermes Orinoco card and I have yet to replace it or find a solution (Whoppix and BT1 are fine with it, go figure), but once I get that squared away I plan to check this tool out. There is a paper linked on the site, and while some of it gets into some deeper mathematical (mathematical sure sounds more haughty than "math," eh?) theory, some sections are still concise and informative (1, 5, 8, and 9).

Update: I see ISC has also been made aware of this, although they link just to the paper.
.: wispy on linux
So, a while back I got a Wi-Spy, which works great on Windows XP. I saw that there are some wispy tools for Linux, so I thought I would try them out on my Ubuntu laptop. I downloaded the files and extracted to /home/michael/wispy.
michael@orion:/$ cd /home/michael/wispy
michael@orion:~/wispy$ sudo apt-get install libusb-dev libncurses5-dev libgtk2.0-dev
michael@orion:~/wispy$ ./configure
michael@orion:~/wispy$ make
michael@orion:~/wispy$ sudo ./wispy_gtk
This worked out just fine (and yes, libgtk2.0-dev installed a ton of stuff), but the colors look horrid. The whole spectromap takes on this lemony-green color even when nothing much is happening. Very ugly, but then again, this is just a quick set of tools whipped together and really is no replacement for using Chanalyzer on Windows. Still, this is nice in case I ever do want to see what's going on and only have my Ubuntu with me.
.: aircrack vulnerability allows a more bristly defense
I see there is a vulnerability in aircrack-ng 0.7. While interesting in itself, this strikes an interesting chord.

First, this means that widespread, fairly static distributions such as BackTrack 2 have a lot of users of their Linux livecd that will continue to run vulnerable versions of aircrack-ng. That's a bit of concern, or should be, for anyone who uses that distro. Granted, the chances of someone attacking their box with this vuln is downright slim, but unless you roll your own BackTrack, do a full local install to update aircrack-ng, or patch aircrack-ng on the fly, you're kinda stuck with this issue.

Second, I really believe someday I will have enough time on my hands to have a more bristly defense posture on my networks. In this case, I could have not only an IDS on my wireless network, but I could actually regularly send out packets crafted for just this vulnerability. Anyone leveraging aircrack-ng 0.7 (or BackTrack2) against my wireless network might be in for a brief surprise and could give me additional information or warning about maldoers. Rather than just a fence around the grounds, it can be highly electrocuted as well.

With a lot of vulns like this, it might not make sense to send out traffic for it because you never know if people will still be using it, and the chance gets slimmer as time goes on. But BackTrack 2 is pretty static for a lot of users who never change anything and may be using this distro until a major update comes out.
.: evading and detecting wireless ids systems
David Maynor recently caught some attention by being critical of how Airtight protects a wireless network from rogue APs (and clients). I'll let the link speak for itself on that, as well as the Airtight CTO's take in the comments section of a post on Andrew Hay's site (and Mike Rothman's for that matter).

What I found even more intriguing was the link to a 2005 paper from Joshua Wright discussing the flaws and details in wireless IDS/IPS methods of containing rogue wireless clients. Joshua Wright has an amazing ability in his papers to write very clearly and plainly, making the information easy to follow, and while the paper comes in only at 17 pages, I thought I would paraphrase his key points a bit in this post.

  • Wireless IDS detect and then try to disassociate/deauthenticate (deauth from here on) rogue clients.
  • Some try to send deauth frames to the clients, some also to the appropriate access point.
  • Some just vomit out deauth frames, others are more timed to respond efficiently.
  • The deauth mechanism is not set in stone, meaning implementation of frames can be done many ways. This combined with the various features means an attacker can detect and fingerprint a wireless IDS to better attack/evade it.
  • Detection/fingerprinting can be done via sequence number anomalies in the frames. Some vendors have set sequence numbers. Sometimes sequence numbers can be noticed as different between the wireless IDS frames and the real AP frames.
  • Detection/fingerprinting can be done via disconnect notice bit anomalies.
  • Detection/fingerprinting can be done by watching access point traffic in relation to deauth frames. If an AP really did issue a deauth, it wouldn't overlap that with assoc or other frames. If an IDS did the deauth, the AP's frames may overlap, giving away the IDS.
  • Detection can be done by comparing the signal strength bits of deauth and normal frames. Deauths of a different signal strength can give away the IDS presence.
  • An attacker can sometimes slip data into a network by slipping in between deauths that are spaced too far apart. Some vendors allow this to be variable or simply leave more time in between deauths so as not to further saturate the wireless media.
  • An attacker can modify his wireless drivers to ignore deauth frames such that if an IDS only sends deauths to the client and not the AP, the connection is never torn down because the client takes no action.

Check the paper for more details, including patching madwifi drivers to ignore deauths.
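The sequence-number, signal-strength and overlap checks from the list above, as an added example that is not code from the post or from Wright's paper: a small offline pass over constructed frame records that flags deauth frames the real AP would not have sent, which is how a monitor operator notices injected deauths on their own network (or sees whether their own IDS's containment frames stand out). The frame dicts, MAC addresses and thresholds are assumptions.

```python
"""Flag deauth frames that don't match the sending AP's own traffic pattern.

Added example. Input is a constructed list of dicts standing in for parsed
802.11 frames (src/dst MAC, kind, 12-bit seq number, RSSI dBm, timestamp);
thresholds are assumptions an operator would tune for their site.
"""
from collections import defaultdict

AP = "aa:bb:cc:dd:ee:01"   # constructed AP MAC
C1 = "11:22:33:44:55:66"   # constructed client MACs
C2 = "11:22:33:44:55:77"
BCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample capture as a monitor near the AP would see it.
FRAMES = [
    {"t": 0.00, "src": AP, "dst": BCAST, "kind": "beacon", "seq": 1200, "rssi": -45},
    {"t": 0.10, "src": AP, "dst": BCAST, "kind": "beacon", "seq": 1201, "rssi": -46},
    {"t": 0.20, "src": AP, "dst": C1, "kind": "data", "seq": 1202, "rssi": -44},
    # injected deauth "from" the AP: seq outside the AP's counter window, much
    # stronger signal, and the AP keeps serving C1 right afterwards
    {"t": 0.25, "src": AP, "dst": C1, "kind": "deauth", "seq": 12, "rssi": -20},
    {"t": 0.30, "src": AP, "dst": C1, "kind": "assoc_resp", "seq": 1203, "rssi": -45},
    # genuine deauth of C2: continues the counter, same signal, no follow-up to C2
    {"t": 0.40, "src": AP, "dst": C2, "kind": "deauth", "seq": 1204, "rssi": -45},
    {"t": 0.50, "src": AP, "dst": C1, "kind": "data", "seq": 1205, "rssi": -46},
]

SEQ_WINDOW = 8     # assumed: max forward jump of the 12-bit seq counter per frame
RSSI_DELTA = 10    # assumed: dBm deviation from the sender's average that is suspicious
OVERLAP_SEC = 0.2  # assumed: a real AP won't deauth a client, then serve it within this


def find_spoofed_deauths(frames, seq_window=SEQ_WINDOW,
                         rssi_delta=RSSI_DELTA, overlap=OVERLAP_SEC):
    """Return [(frame index, [reasons])] for deauths that look injected."""
    last_seq = {}                  # per-sender last trusted sequence number
    rssi_hist = defaultdict(list)  # per-sender RSSI of trusted frames
    flagged = []
    for i, f in enumerate(frames):
        src, reasons = f["src"], []
        if f["kind"] == "deauth":
            prev = last_seq.get(src)
            # 802.11 seq numbers wrap at 4096; a real sender advances by a little
            if prev is not None and not 0 < (f["seq"] - prev) % 4096 <= seq_window:
                reasons.append("seq anomaly")
            hist = rssi_hist[src]
            if hist and abs(f["rssi"] - sum(hist) / len(hist)) > rssi_delta:
                reasons.append("rssi anomaly")
            # the AP would not deauth a client and then authenticate/serve it at once
            for g in frames[i + 1:]:
                if g["t"] - f["t"] > overlap:
                    break
                if (g["src"], g["dst"]) == (src, f["dst"]) and g["kind"] in ("auth", "assoc_resp", "data"):
                    reasons.append("overlapping AP traffic")
                    break
        if reasons:
            flagged.append((i, reasons))
        else:  # only trusted frames train the per-sender baseline
            last_seq[src] = f["seq"]
            rssi_hist[src].append(f["rssi"])
    return flagged


if __name__ == "__main__":
    for idx, why in find_spoofed_deauths(FRAMES):
        print(f"frame {idx}: deauth {FRAMES[idx]['src']} -> {FRAMES[idx]['dst']}: {', '.join(why)}")
```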
.: wifidenum reports on wireless driver vulns
WiFiDEnum (and no, I'm not really sure how to say that out loud) has been released by Joshua Wright. This tool checks wireless driver versions against known vulnerabilities. Try it out. Hopefully the tool is kept up to date as more vulns are announced (slowly). While I never expect that to be the case, I think this tool appears useful enough to Josh and his company and might get some lovin over the years. The next step may be a more hostile enumeration tool that can sniff and/or actively fingerprint a host's wireless card and drivers (and no, I don't know if that is even possible to a worthwhile degree).
.: eakiu is short for mac software for wi-spy
I have a Wi-Spy, which is an excellent (and cheap!) spectrum analyzer tool. I saw a mention for it on NetGirl's blog over at ArubaNetworks on her list of cool tools. But I didn't know what EaKiu was in her Wi-Spy bullet. I thought about emailing or commenting, but this seemed to require more effort on my part to converse with her, so I resorted to a Google search for the tool in the hopes that the unique string was easily found. Indeed, I saw that EaKiu is software to display results from Wi-Spy! And boy does it look fucking sweet. Now I just have to find a Mac-user to try it out for me.

I'd thought that was what EaKiu was, since I'd seen mention of Mac and Linux software back on MetaGeek's old site, but I could never find that information again on the new site design. Of note, the Linux version, while workable, is still pretty ugly compared to Mac or Windows software.
.: extending open wireless networks using the predator
This looks like a fun little project that might run near $100 assuming one needs to get all the parts. The Predator from I-Hacked essentially extends the range of an open wireless network, rebroadcasting it in a secure mode that you can hop onto. It does this with an external antenna and DD-WRT.

Does this have any uses? Well, I doubt anyone wants to cart this around on a trip, and it certainly looks suspicious in a parking lot. But it might make a decent addition to a wardriving car/truck/van setup. A few years ago this might have been a fun idea to get wireless access while around town, but these days cell phone-to-laptop Internet services and gear seem to be solving this problem. This could obviously be used to surreptitiously connect from a distance to closed wireless networks that you have cracked. Although it might be more useful to just plop the antenna on the laptop and crack/access that way as well.