Table of Contents
- Web Application Security
- Operating System Security
- Network Security
- Hardening Your System
- Wireless Basics
- Frequency and Data
- Using the Spectrum
- Why is Wireless Security Important?
- Wired Equivalent Privacy (WEP)
- MAC Filtering
- Radiation Zone
- Demilitarized Zone (DMZ)
- Virtual Private Network (VPN)
- Remote Authentication Dial-In User Service (RADIUS)
- Setting Up Windows 2003 for PEAP
- Setting Up Windows 2003 for PEAP, Part 2
- Setting Up Windows 2003 for PEAP, Part 3
- Temporal Key Integrity Protocol (TKIP)
- Advanced Encryption Standard (AES)
- Secure Sockets Layer (SSL)
- Intrusion-Detection System (IDS)
- Wireless Intrusion Detection Solutions
- Practical SOHO Public WLAN Setup
- ZoneCD: The Secure Way to Share Your Internet Connection
- ZoneCD, Part 2: Online Configuration Options
- ZoneCD, Part 3: Gateway Options
- Natural Wi-Fi Jamming
- Wi-Fi Protected Access (WPA)
- WPA Part 2: Weak IV's
- WPA Part 3: WPA Fixes
- Securing Your Wireless PDA Connection
- Securing Your Wireless PDA Connection, Part 2
- Wireless Intrusion Detection Tools
- Wireless Intrusion Detection Tools, Part 2
- Wireless Intrusion Detection Tools, Part 3
- Handheld/PDA/Smartphone Wireless Sniffing
- Airpwn: Owning the Airwaves
- Wireless Denial of Service Attacks
- Wireless RF Audits
- Professional RF Analyzers
- Open Source Tools: ntop
- War-Driving Exposed
- Wireless Karma
- Handheld War-driving
- Byte-Sized Decryption of WEP with Chopchop, Part 1
- Byte-Sized Decryption of WEP with Chopchop, Part 2
- Fragmentation Attacks
- WEP Fragmentation Attack in Detail
- Windows Wireless Sniffers
- Penetration Testing with SILICA
- Owning the Auditors: WPA-PSK and USB Sticks
- Owning the Auditors: Cain and Abel
- The 10 Minute Wireless VPN: iPIG
- Informit Articles and Sample Chapters
- Mobile Security
- Data Forensics
- Legal and Ethical Issues of Security
- Home User Security
- Job Security for the IT Security Industry
- A Biased Book Review: Chained Exploits: Advanced Hacking Attacks from Start to Finish
- Security of Mechanical Locks
- Information Security in Academics
- Holiday Security: Hackers Don’t Take Holidays
- Gary McGraw on Building Secure Software
- Gary McGraw on Exploiting Online Games
- A Student-Hacker Showdown at the Collegiate Cyber Defense Competition
- The Collegiate Cyber Defense Competition Year 3: Revenge of the Red Cell
- Questions from RSA 2007
- How to Steal 80,000 Identities in One Day
Wireless RF Audits
Last updated May 23, 2003.
With the introduction of wireless networking technologies, network administrators face a difficult challenge. They not only have to deal with how to securely implement wireless networks into their company, but they also have to mitigate the risks associated with rogue access points and interference from other devices using the same frequency range. Unfortunately, this takes training and tools that are not always easy to purchase, especially for smaller companies with a tight budget.
The question you might be asking is, "Why would I care about what else is using the 2.4GHz ( or 5.8GHz) range?" First, when a wireless network is setup and deployed, it is important to know what else is using the same frequency range. If that range is saturated with energy from other wireless devices, such as Bluetooth devices, wireless phones, and more, then the wireless network will not work as expected. Second, and more importantly, there are various communication equipment that can operate on open frequencies range that can provide an attacker a direct backdoor into an unsuspecting company. For example, if an attacker setup a HomeRF or legacy Proxim networking device behind the firewall, it would not show up on any of the popular wireless networking detection programs such as NetStumbler and Kismet because the technology is completely different.
However, if an administrator used an RF detector in conjunction with a wireless network detector, they would quickly be able to spot interfering devices and legacy equipment that has been installed without permission. For this reason, we highly recommend every wireless company obtains at least a 2.4GHz detector/analyzer that looks at ALL the RF energy on this frequency. To assist you with your scanning, we will take a look at a couple low budget solutions that can meet your RF scanning needs.
RF Audits vs. Wireless Network Audits
Before taking a look at the analysis tools, it is important that you understand the difference between RF auditing tools and wireless network auditing tools. While both are extremely useful to wireless security practitioners, they do not share the same features.
By far, the most popular wireless auditing tool is probably NetStumbler. This one program alone created enough press to place the subject of wireless security firmly in the mind of more than one person, myself included. You simply download a program, find and install a compatible wireless network card, and before you know it, a list of wireless networks will appear on your computer. For the Linux world, a loosely similar program is Kismet, which not only detects wireless networks, but can also capture their traffic, determine information about the nodes, and more. Regardless, both of these tools will only detect existing 802.11a/b/g networks as determined by the network card in use. The basic functionality is based upon hopping between the 14 available channels and listening for traffic. These programs can either actively send out probe requests, to which an access point will respond, or just listen to the airwaves. The point is that these programs operate using the 802.11 protocol (OSI layer 1 " 2).
An RF auditing program, on the other hand, doesn't care about the protocol in use. It simply listens for radio frequency energy with its specific range and reports on the findings. More expensive RF analyzers will be able to detect energy on large ranges (e.g. 100 KHz – 5+GHz), but unless you have a couple thousand dollars to spend, this is probably outside the scope of potential purchases. Fortunately, there are cheaper RF analyzers that can detect and report on just the 2.4GHz range. They will hop up through the range, stopping for a few milliseconds (or less) on each specific frequency and listen for RF energy in the air. This includes energy from microwaves, wireless phones, or 802.11 access points. The point is that it doesn't matter what protocol is in use; an RF analyzer only cares about the energy level at a particular frequency. For all practical purposes, an RF analyzer operates below the OSI layers. While you might argue the use of a frequency falls in layer one, trying to find a place for a microwave on the stack will be a bit challenging.
Wi-Spy it is probably the cheapest and easiest to use of all budget wireless analyzers out there. For $99 you get a very small USB device that operates in conjunction with their Wi-Spy software that you can optionally install on your hard drive or run right from the CD. Figure 1 provides a screen shot of the GUI of the program as it detects and records the RF energy from my Xbox 360 wireless controller.
Figure 1: Wi-Spy and the Xbox 360
As you can see from the picture, there isn't much to this program, which in my opinion makes it perfect for the small shop admin or quick scan. Many of the more costly RF analyzers go into very in-depth detail, which is not necessary when scanning for rogue AP's or interference.
There are several nice features included with this program, the nicest of which is the record option, which dumps the scan to an AVI file for review at a later date. This is perfect for capturing a baseline of a site or just obtaining evidence of a problem incase you need to show someone at a later date. You can also take quick snapshots in multiple formats and compare them against other images taken my by the community.
The only issue with this program is that it is Windows-based and will only detect frequency use in the 2.400-2.483 range. If an attacker is using a device in the 5.8GHz range (802.11a), you will not see it. In addition, it is possible to operate a wireless network above the 2.483 range using firmware hacks, or by using devices from other countries. $99 can only get you so far.
Still, for its price, this device and its accompanying software is hard to beat. If you are looking for a simple and quick analyzer, you can probably stop reading here.
Snoop (Proxim RangeLan2)
Proxim was one of the earliest wireless networking equipment vendors on the market. A side effect of this is that they offered tools that went above and beyond what the average user actually needed. One such tool is known as Snoop, which essentially turned the wireless card into a cheap wireless analyzer that could systematically scan through the entire 2.4GHz range and detect any RF energy (figure 2).
Figure 2: Snoop in action
While you can still find these cards online at sites like Ebay for cheap, the pickings are getting slim. In addition, Proxim does not support current operating systems. Fortunately, I happen to have a working laptop from the mid 90's that has managed to survive the years. I also was able to score a card and software online for about $20.
While it is not as feature full as Wi-Spy, Snoop can provide you with screen shots of existing RF energy. You can also adjust the scan speed, but this increases the chances that something will be missed. Where Wi-Spy (either quickly or completely) scans the RF range, Snoop starts at the low end and slowly hops its way to the top, and like Wi-Spy, you are stuck in the 2.4GHz range as used by the US. Finally, Snoop does not include any reference for background noise or a dBm, which is a relative measurement, but it still makes for some form of relational comparison. Regardless, for the $20 I paid, Snoop does a good job.
Professional RF Analyzers
There are times when a simple 2.4GHz scanner is not enough. For these times, you will want a professional RF analyzer. Due to the complexity and detail of such programs, we will dedicate an entire section to such a tool.
This wouldn't be complete without mentioning RF spy toys that you can buy for around $250-$300 online. These dedicated devices scan the local (usually very local) area for RF energy and light up accordingly. While the quality of the signal detection might be questionable, a product like the World Tracker might just be what you are looking for. It supposedly detects 900MHz, 1.2GHz, 2.4GHz, 5.8GHz, Bluetooth, wireless networks and phones. With all this detection ability, it would be hard for someone to slip in a rogue legacy access point behind the scenes. Note that I personally have not purchased one, so al this is pure speculation.
Wireless networking is a force that must be reckoned with. From a security perspective, these devices have created a whole new category of risk. All it takes is one rogue access point and your network is compromised. For this reason, we recommend that every network administrator invest in some sort of RF analyzer. The cost of not respecting this threat is simply too great. Don't let $99 prevent you from becoming a victim!