Handheld/PDA/Smartphone Wireless Sniffing
Last updated Oct 10, 2008.
A wireless sniffer is a software and/or hardware solution that provides the user with the ability to capture and decode packets as they pass over the airwaves. While most wireless sniffers require the support of a laptop (or desktop), it is possible to place the power of a sniffer into a handheld device. That said, PDA sniffing does come with some limitations. In this section we are going to provide a short overview of how a wireless sniffer works, what kind of issues you may have to deal with when setting up a mobile device for sniffing, and then provide you with a few handheld options that can meet your mobile sniffing needs.
Wireless Sniffing
A wireless network uses radio technology to pass packets. These packets are passed down through the network stack from whatever application needs to send data to a remote system. The driver and associated wireless hardware then take the data packets and convert their bits into a series of radio waves. These waves are radiated from the wireless device in a pattern defined by the design of the antenna.
Under normal conditions, all wireless devices in the area will detect the radio waves passing over the air, and decode enough of the packet data contained in those waves to determine if the information is meant for them. If it is, the data is passed up through the hardware into the drivers, where it is further decoded, and then up the network stack to the target application.
The problem is that the wireless energy being emitted from the network card is typically transmitted in all directions. The end result is that anyone with a listening wireless device in the area can detect the radio energy and use their software/hardware to decode the radio waves into packets. Since there is a distinct danger in the fact that wireless traffic can be seen by all, wireless vendors have incorporated encryption to protect the data while it is in transmission.
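The decoding step described above is easy to see on bytes. The following Python is an added example, not code from the original article or from Airscanner: it parses the 24-byte MAC header of a raw 802.11 frame (type, subtype, the three addresses, and which of them is the BSSID according to the To/From DS bits), pulls the SSID out of a beacon, and applies the receiver-address check a normally operating card uses to decide whether a frame is "meant for it". The MAC addresses, SSID and frames are constructed for the example; real captures would also carry a radiotap or similar header in front of the MAC header, which this code does not handle.

```python
import struct

BROADCAST = b"\xff" * 6


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_ssid_ie(ies: bytes):
    """Walk the tagged information elements after a beacon's fixed fields; tag 0 is the SSID."""
    i = 0
    while i + 2 <= len(ies):
        tag, length = ies[i], ies[i + 1]
        if tag == 0:
            return ies[i + 2:i + 2 + length].decode("utf-8", "replace")
        i += 2 + length
    return None


def parse_80211(frame: bytes) -> dict:
    """Decode the 24-byte MAC header of a raw 802.11 frame (no radiotap/PRISM header in front)."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3            # 0 = management, 1 = control, 2 = data
    subtype = (fc0 >> 4) & 0xF
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    # The BSSID sits in a different address slot depending on the To/From DS bits
    if to_ds and from_ds:
        bssid = None                     # 4-address (WDS) frame: BSSID not among the first three
    elif to_ds:
        bssid = addr1
    elif from_ds:
        bssid = addr2
    else:
        bssid = addr3
    info = {
        "type": ftype, "subtype": subtype,
        "addr1": mac_str(addr1), "addr2": mac_str(addr2), "addr3": mac_str(addr3),
        "bssid": mac_str(bssid) if bssid else None,
    }
    if ftype == 0 and subtype == 8:      # beacon: timestamp(8) + interval(2) + capability(2), then IEs
        info["ssid"] = parse_ssid_ie(frame[24 + 12:])
    return info


def build_beacon(bssid: bytes, ssid: str) -> bytes:
    """Constructed beacon: management frame, subtype 8, broadcast DA, SA and BSSID both the AP."""
    hdr = b"\x80\x00" + b"\x00\x00" + BROADCAST + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, beacon interval (TUs), capability
    return hdr + fixed + b"\x00" + bytes([len(ssid)]) + ssid.encode()


def build_data(bssid: bytes, src: bytes, dst: bytes, payload: bytes) -> bytes:
    """Constructed data frame leaving the AP (FromDS=1): addr1=DA, addr2=BSSID, addr3=SA."""
    hdr = b"\x08\x02" + b"\x00\x00" + dst + bssid + src + b"\x00\x00"
    return hdr + payload


def frames_for_station(frames, my_mac: bytes):
    """The address check a card applies in normal (managed) operation: keep only frames whose
    receiver address is us or broadcast. Monitor mode skips this check and hands up everything."""
    return [f for f in frames if f[4:10] in (my_mac, BROADCAST)]


# Constructed sample of what a radio parked on one channel would hear: a beacon and two data frames.
AP = bytes.fromhex("001122334455")
WIRED_HOST = bytes.fromhex("0a0a0a0a0a0a")
STA_A = bytes.fromhex("aabbccddeeff")
STA_B = bytes.fromhex("0a0b0c0d0e0f")
SAMPLE_FRAMES = [
    build_beacon(AP, "CoffeeShop"),
    build_data(AP, WIRED_HOST, STA_A, b"HTTP/1.0 200 OK\r\n"),
    build_data(AP, WIRED_HOST, STA_B, b"HTTP/1.0 200 OK\r\n"),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_80211(f))
    print("managed-mode card at STA_A sees", len(frames_for_station(SAMPLE_FRAMES, STA_A)),
          "of", len(SAMPLE_FRAMES), "frames; a monitor-mode sniffer sees all of them")
```

Run as a script it prints the decoded header of each frame and shows that a card behaving as STA_A keeps two of the three frames (the broadcast beacon and its own data), while a sniffer in monitor mode gets all three, including the frame destined for STA_B.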
This presents a problem for the wireless sniffer, especially where WPA is used. Because WPA derives a fresh per-session key from the shared secret plus values exchanged when the station associates, a sniffer cannot decrypt the traffic passing between the access point and a node unless it has both the shared secret (the pre-shared key, for WPA-PSK) and a capture of the key setup exchange, known as the four-way handshake; with WPA-Enterprise the per-session secret comes out of the 802.1X authentication and is not available to a passive listener at all. If WEP is used, by contrast, the sniffer can simply be given the static encryption key, which decrypts the data immediately and can even be used to decrypt packets live as they are collected.
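To make the handshake requirement concrete, here is the WPA-PSK key schedule written out in Python. This is an added example, not code from the original article or from Airscanner: it derives the PMK from a passphrase and SSID (PBKDF2-HMAC-SHA1, 4096 iterations), expands it into the PTK with the 802.11i PRF using the AP and station MACs and the two nonces, and uses the first 16 bytes (the KCK) to compute and check the MIC on message 2 of the handshake with the key-descriptor-version-2 method (HMAC-SHA1 truncated to 16 bytes). The MAC addresses and nonces are constructed, and message 2 is a minimal EAPOL-Key frame with no key data; the PMK check uses the "password"/"IEEE" test vector from the 802.11i standard. The last function is what an offline WPA-PSK cracker does with a captured handshake: try a candidate passphrase and see whether it reproduces the MIC.

```python
import hashlib
import hmac

# Constructed values standing in for what a sniffer reads off the air:
# the AP and station MACs, the ANonce from message 1 and the SNonce from message 2.
SSID = "IEEE"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is everything that can be computed from the passphrase alone."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter) blocks."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, nbytes: int = 48) -> bytes:
    """PTK = PRF(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces)).
    The nonces exist only in the handshake, which is why the sniffer must capture it.
    48 bytes (CCMP): KCK = PTK[0:16], KEK = PTK[16:32], TK = PTK[32:48]."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


MIC_OFFSET = 81   # EAPOL header (4) + descriptor fields preceding the Key MIC in an EAPOL-Key frame


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key-descriptor version 2 MIC: HMAC-SHA1 over the EAPOL frame with the MIC zeroed, cut to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal EAPOL-Key message 2 (supplicant -> AP) carrying no key data."""
    body = (b"\x02"                      # descriptor type: RSN
            + b"\x01\x0a"                # key info: pairwise, MIC present, descriptor version 2
            + b"\x00\x10"                # key length: 16 (CCMP)
            + (1).to_bytes(8, "big")     # replay counter
            + snonce
            + b"\x00" * 16               # key IV
            + b"\x00" * 8                # key RSC
            + b"\x00" * 8                # key ID (reserved)
            + mic
            + b"\x00\x00")               # key data length
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # 802.1X version 2, type EAPOL-Key


def supplicant_msg2(passphrase: str) -> bytes:
    """What a legitimate station sends: message 2 with the MIC computed under the real KCK."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return build_msg2(SNONCE, eapol_mic(kck, build_msg2(SNONCE)))


def candidate_matches(candidate: str, msg2: bytes) -> bool:
    """Offline check from a captured handshake: does this passphrase reproduce the MIC in message 2?"""
    kck = derive_ptk(pmk_from_passphrase(candidate, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return hmac.compare_digest(eapol_mic(kck, msg2), msg2[MIC_OFFSET:MIC_OFFSET + 16])


if __name__ == "__main__":
    captured = supplicant_msg2("password")
    for guess in ["letmein", "passw0rd", "password"]:
        print(f"{guess!r}: {'match' if candidate_matches(guess, captured) else 'no match'}")
```

Two things follow directly from the code. Without the ANonce and SNonce there is no way to compute the KCK, so a sniffer that missed the handshake cannot decrypt the session even if it knows the passphrase; and with the handshake in hand, each candidate passphrase costs one PBKDF2 run of 4096 iterations, which is the work factor a dictionary attack has to pay per guess.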
The other major caveat to successful sniffing is that a radio listens on one channel at a time, so a sniffer must be configured for the specific channel, out of the many available to wireless administrators, on which the target network operates; a sniffer that hops between channels sees only a slice of the traffic on each. In other words, if two wireless networks in the same area run on different channels, you will need a dedicated radio on each to get all the data passing on both of them.
Mobile Sniffing
Handheld sniffers work much like laptop- or PC-based sniffers. They have a wireless card that can be configured to listen on a specific channel, collect the data it receives on that channel, and decode it into packets. When you factor in the size of the handheld, a mobile sniffer is a great way to capture data passing over an 802.11 network. This can be done to:
- Troubleshoot network and application problems
- Reverse-engineer how applications use networks
- Monitor usage for statistic purposes
- Capture data for analysis
While there are some obvious advantages to mobile sniffers, there are also some downsides. First, a mobile device is limited in storage. An external memory card can help with this, but RAM is limited as well, so in a high-traffic environment a mobile sniffer can hit a bottleneck as it tries to write data out to the card while keeping a temporary buffer in RAM, and frames arriving during that stall are simply lost. Second, a mobile device is power limited. Its peripheral hardware is built for low power draw, which in the case of a wireless card has the side effect of reducing its receive sensitivity. This means a mobile wireless card will not hear as much traffic as a laptop card would from the same spot.
Finally, not all mobile devices are created equal, and the hardware may limit the ability to sniff. Specifically, the device's wireless card and driver must support RFMON (monitor) mode, in which the radio passes every 802.11 frame it hears on the channel up to the software, management and control frames included, whether or not the device is associated with a network. Without it, the wireless interface either will not work with the sniffer software at all or will only work in promiscuous mode, which on an associated card yields only frames from the network you have joined rather than other people's traffic. Unfortunately, few handhelds have a built-in radio whose driver exposes monitor mode. In these cases, it is best to turn to an external Compact Flash wireless card. For example, the Linksys WCF54G and Dell 1180 are two cards that we have found to work with Airscanner Mobile Sniffer.
Mobile Sniffer Example
Depending on your platform of choice, there are several options for building a mobile sniffer. The following outlines two approaches: Windows Mobile and Linux.
Windows Mobile
The best (and most stable) option is to build a Windows Mobile sniffer on a device that supports Compact Flash cards. While some devices, such as the now-retired X30, can sniff with their built-in radio, most embedded wireless cards cannot. The following is one setup that does work:
iPaq 211: Selected because it is a larger PDA with both CF and SD card slots. This gives us maximum flexibility: we capture with the CF card and store the capture on the SD card.
Linksys WCF54G: Selected because it supports 802.11b/g, the most common types of wireless network. Note that this card will not detect or capture data on an 802.11a or 802.11n network.
Airscanner Mobile Sniffer: For biased reasons, we have selected Airscanner sniffer software to install on our device. To be fair, we will say that vxSniffer is another option.
Installing and configuring the software is painless. Once the card and its drivers are installed, reset the device and then install Airscanner Mobile Sniffer. When the program is run, it prompts you for the driver option; select the newly installed network interface from the list and hit OK. This brings you to the main sniffer screen. Under the Options menu, select "Promiscuous Mode," then hit the green arrow and start collecting data. You will see a screen similar to Figure 1. You can drill down into a packet by selecting it and then choosing "View Packet Details" under the Tools menu.
Figure 1: Capturing packets
Figure 2: Packet details
Once a significant number of packets have been captured, you can optionally export the packets to a PCAP formatted file that can be imported into Wireshark on your desktop for further analysis.
Linux
An alternative is to buy a Linux-based device and run tcpdump against a card in monitor (RFMON) or promiscuous mode. Since Linux gives you direct control over the interface, all you have to worry about is whether the card and its driver support sniffing in that mode. There are several devices on the market, from the NeoPwn to the N800, that can perform sniffing functions. We selected the N800 for its versatility as a handheld penetration testing tool.
N800: Nokia's handheld device, which has plenty of power and features but, most importantly, is Linux-based. This means there is a lot of software available for it, including sniffer software.
tcpdump (for the N800): Just download the package and install it. You can also add the repository of other tools ported to the N800 by Collin Mulliner at http://www.mulliner.org/nokia770/.
Figure 3: tcpdump running on an N800
Summary
In this section we highlighted the challenges of mobile sniffing. While there are obstacles, solutions are available that let you sniff a wireless network from the palm of your hand or the pocket of your pants. This ability not only helps with troubleshooting; keep in mind that a handheld sniffer can just as easily be used by a malicious person to capture data without being noticed.
InformIT Articles and Sample Chapters
WEP Cracking Explained — A detailed article on how to crack WEP and the technology behind it.
WPA Cracking Explained — A detailed article on how to crack WPA and the technology behind it.
Books and eBooks
Wi-Foo — This is one of the best books on wireless security. I have read it and find the technical details to be spot on. While it is a bit dated, you will still benefit from reading it. (Read in Safari Books Online)
Online Resources
Airscanner.com — A shameless plug for Airscanner, a leader in Windows Mobile Security software and research. In addition to our software, we have numerous publications that help you discover the security issues related to mobile devices.

