Network Security Pen-Test

RE: How to track down a wireless hacker

Subject: RE: How to track down a wireless hacker
Date: 11 Nov 2007 23:38:45 -0000
"Of course you can track a wireless attacker due to the fact that he is
broadcasting a trackable signal".

First, it is not necessary to broadcast to monitor wireless traffic. The
attacker can remain passive. Passive monitoring does make a discernible
variation in the RSSI, but I do not see the resources being deployed for this
reason (and we are talking well into the 6 figures for this).

So let's address this in detail.
To do so, let's look at the threats first. We have:
-       Friendly - unprotected wireless networks deployed in ignorance.
-       Malicious - This is either a malicious rogue attacker or a planted
rogue network or AP.
-       Unintended - Equipment deployed without authorisation and likely
incorrectly configured (this group commonly includes infrastructure rogues).

The friendly and unintended threats are easy to find. They will either be an AP 
or wireless card in the local proximity. These are easy to trace. As such we 
can ignore these for the purpose of this post.

There are a variety of means to discover rogues on the wireless network. These 
include:
1       Wired-side AP fingerprinting
2       Wired-side MAC prefix analysis
3       Wireless-side warwalking
4       Wireless-side client monitoring
5       Wireless-side WLAN IDS

If your intention is to test your own mal-functioning or mis-configured 
equipment on your network, then there is no crime. If you know it is not your 
device and you attack it in full knowledge, then a crime is the result. For 
example, you can run a Nessus AP Fingerprint Scan on your own (or what you 
believe is your own) equipment with impunity (assuming permissions and rights).

In the case of an attacker external to the network, we can ignore options 1 and 
2. If the attack was a rogue device (an AP for instance) on the wired-side 
network, scanning is legally ok. The scanning of your own equipment is an 
acceptable legal option. This still does not allow the right to actively attack 
the device on discovering it is a rogue. This is a matter of intention. 

As for wireless-side analysis? This is easy to do, but it is time consuming,
error prone (there is a low risk of false negatives and a good chance of false
positives) and is likely to bypass or incorrectly correlate moving targets.
Kismet will allow you to save filters based on the BSSIDs and MAC addresses
discovered. Kismet would then be configured to ignore all authorised networks.
This allows the creation of a baseline. The baseline allows for the alerting of
exceptions - that is, unauthorised APs.
AiroPeek NX is a commercial option for those companies that do not like to use
open source software. Either method is time consuming and requires an audit for
a "point in time" event. Warwalking cannot be set to wait and report on
exceptions.

AirWave RAPIDS is a commercial option to conduct both wired-side and
wireless-side monitoring and assessment. It monitors and reports on wireless
activity and flags (and alerts on) new networks as potential rogue APs. This is
an expensive option with a license required for all clients. There are also
issues. Either poor monitoring facilities will result or wireless networking
will be impacted for the hosts.

There are wireless-side LAN IDS deployments. Aruba is an example. Again these
are costly and require that sensors are deployed at all facilities using
wireless (and, if you really want to be safe, those that do not as well).
None of this helps us find the rogue - we only find out that one may exist.

So how can we discover the rogue, you ask finally?
First there is a manual analysis process using the signal-to-noise ratios
(SNR). SNR is maximised when the devices are associated. In this, the idea is
to map the SNR and locate the antenna (note the antenna and not the rogue
itself). These techniques rely heavily on guess-work. Kismet and a GPS will
help.

Directional analysis makes this a little easier. This requires a directional
antenna and RSSI (Radio Signal Strength Information, which is the signal and
noise levels associated with a wireless device). Channel hopping should be
disabled when doing this, and it is essentially a matter of trial and error.

Rapfinder (open source) is a tool that aids in this process. AirMagnet is a 
commercial tool (handheld) that is designed to locate the source of the radio 
signal (as you get closer the clicks increase in frequency like a Geiger 
counter). 
Next we get to triangulation. Even this is not 100% accurate due to RF
interference, signal loss and radio signal distribution patterns (which vary
based on the physical position). Aruba AirMonitor with 3 sensors will find
local APs with a fair degree of accuracy.

However, this takes us to the point. An attacker is not always going to be
placed locally. The range with a good yagi high-gain antenna is a radius of
over 10km. That is over 300 square km. So have fun searching; it is about
30,000 households, businesses etc ...

It is not a flippantly easy task to track a wireless attacker. People get 
lucky, this is about how it works.

Regards,
Craig Wright (GSE-Compliance)
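The baseline-and-exception approach Craig Wright describes above (save the authorised BSSIDs as a Kismet filter, alert on everything else), combined with wired-side MAC prefix analysis, as an added worked example in Python. This is not code from the original post, from Kismet or from any of the products named; the observation rows, the authorised baseline and the OUI-to-vendor table are all constructed for the example. Beyond a plain known/unknown split, it also separates the "unintended" case (a known radio seen with a different SSID or channel than the baseline records) from the evil-twin case (our SSID beaconed from a BSSID we do not own).

```python
"""Rogue AP discovery from a saved baseline (added example, not Kismet code)."""
import csv
import io
from dataclasses import dataclass

# Constructed observations in the shape of a Kismet-style network list
# (bssid, ssid, channel, signal in dBm). Not real capture data.
OBSERVED_CSV = """\
bssid,ssid,channel,signal_dbm
00:11:22:33:44:01,CORP-WIFI,6,-48
00:11:22:33:44:02,CORP-WIFI,1,-55
00:11:22:33:44:03,CORP-GUEST,1,-61
de:ad:be:ef:00:01,CORP-WIFI,6,-39
aa:bb:cc:00:00:07,linksys,6,-72
"""

# Authorised baseline, as you would save it from a Kismet filter of known
# BSSIDs: bssid -> (ssid, channel). Constructed for the example.
AUTHORISED = {
    "00:11:22:33:44:01": ("CORP-WIFI", 6),
    "00:11:22:33:44:02": ("CORP-WIFI", 11),
    "00:11:22:33:44:03": ("CORP-GUEST", 1),
}

# OUI (first three octets) -> vendor. Assumed table for the example; in
# practice load the IEEE OUI registry.
OUI_TABLE = {"00:11:22": "CorpVendor"}


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    channel: int
    signal_dbm: int


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    verdict: str
    vendor: str
    signal_dbm: int


def parse_observations(text):
    """Parse CSV rows into Observation records; BSSIDs normalised to lower case."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        out.append(Observation(row["bssid"].strip().lower(), row["ssid"],
                               int(row["channel"]), int(row["signal_dbm"])))
    return out


def vendor_of(bssid, oui_table):
    """MAC prefix analysis: look the OUI (first three octets) up in the table."""
    return oui_table.get(bssid[:8], "unknown")


def classify(observations, authorised, oui_table):
    """Compare each observed AP with the baseline and label the exceptions."""
    known_ssids = {ssid for ssid, _ in authorised.values()}
    findings = []
    for o in observations:
        if o.bssid in authorised:
            ssid, channel = authorised[o.bssid]
            # Known radio but not as configured: the 'unintended' category.
            verdict = "authorised" if (o.ssid, o.channel) == (ssid, channel) else "baseline drift"
        elif o.ssid in known_ssids:
            # Our SSID beaconed from a BSSID we do not own: possible evil twin.
            verdict = "evil-twin candidate"
        else:
            verdict = "unknown AP"
        findings.append(Finding(o.bssid, o.ssid, verdict,
                                vendor_of(o.bssid, oui_table), o.signal_dbm))
    return findings


def exceptions(findings):
    """Everything outside the baseline, strongest signal first, i.e. the
    order in which you would start walking towards them."""
    return sorted((f for f in findings if f.verdict != "authorised"),
                  key=lambda f: f.signal_dbm, reverse=True)


if __name__ == "__main__":
    for f in exceptions(classify(parse_observations(OBSERVED_CSV), AUTHORISED, OUI_TABLE)):
        print(f"{f.bssid}  {f.ssid:<12} {f.verdict:<20} vendor={f.vendor:<10} {f.signal_dbm} dBm")
```

The point of keying the baseline on BSSID rather than SSID is that an attacker can copy your SSID freely but not your radio's MAC without also spoofing it, so a matching SSID from an unlisted BSSID is the interesting exception, and the strongest such signal is the first one to walk towards with a directional antenna.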


________________________________________


From: Jan Heisterkamp [mailto:]
Sent: Mon 12/11/2007 1:55 AM
To: ep
Cc: Craig Wright; pen-test@securityfocus.com
Subject: Re: How to track down a wireless hacker
I lost who started this thread.
Of course you can track a wireless attacker due to the fact that he is
broadcasting a trackable signal, and you can do it pretty accurately. But
the question behind it is "And then?"

What will you do?
1.
If the attacker is in house you might have to close all the doors, call
the security staff and confiscate all the laptops running wireless. The
attacker gets arrested and the rest of the users will take their case to
court, suing you for damages.
2.
If the attacker is, let us say, in a car in the street and you have
tracked and localised him, what are you able to do?
You can't touch him, nor arrest him; you have no legal right to do
so. Probably you will see the attacker's golden finger as he hits the road.

The energy you are willing to spend to track this freak down had
better be spent beforehand on securing your network.
It's a fact that you messed it up, not him.
I guess there is some homework waiting for you...

Regards
Jan
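The triangulation step in Craig Wright's reply above (three sensors, RSSI, "not 100% accurate due to RF interference"), worked through as an added example. This is not code from the post, from Aruba or from any of the tools named. It assumes a log-distance path-loss model with made-up constants and an assumed sensor layout in metres; RSSI is converted to a distance per sensor and the three circles are solved for a position. The second run in the usage block biases one sensor's reading by 3 dB to show how a small RF error moves the fix by metres.

```python
"""RSSI-to-distance and three-sensor trilateration (added example)."""
import math

# Assumed path-loss model parameters; calibrate on site in practice.
RSSI_AT_1M = -40.0    # dBm seen 1 m from a reference transmitter
PATH_LOSS_EXP = 2.7   # ~2.0 free space, 3-4 with walls in the way

# Assumed sensor positions in metres. Collinear sensors cannot resolve a fix.
SENSORS = {"A": (0.0, 0.0), "B": (30.0, 0.0), "C": (0.0, 30.0)}


def distance_to_rssi(d_m, rssi_1m=RSSI_AT_1M, n=PATH_LOSS_EXP):
    """Log-distance path-loss model: RSSI(d) = RSSI(1 m) - 10 n log10(d)."""
    return rssi_1m - 10.0 * n * math.log10(d_m)


def rssi_to_distance(rssi_dbm, rssi_1m=RSSI_AT_1M, n=PATH_LOSS_EXP):
    """Inverse of distance_to_rssi."""
    return 10.0 ** ((rssi_1m - rssi_dbm) / (10.0 * n))


def trilaterate(sensors, distances):
    """Solve for (x, y) from three sensors and their estimated distances.
    Subtracting the first circle equation from the other two leaves two
    linear equations in x and y, solved here by Cramer's rule."""
    names = list(sensors)
    if len(names) != 3:
        raise ValueError("exactly three sensors required")
    (x1, y1), d1 = sensors[names[0]], distances[names[0]]
    rows = []
    for name in names[1:]:
        (xi, yi), di = sensors[name], distances[name]
        a = 2.0 * (xi - x1)
        b = 2.0 * (yi - y1)
        c = d1 ** 2 - di ** 2 - x1 ** 2 + xi ** 2 - y1 ** 2 + yi ** 2
        rows.append((a, b, c))
    (a1, b1, c1), (a2, b2, c2) = rows
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("sensors are collinear; no unique fix")
    return (c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det


def locate(sensors, rssi_readings):
    """RSSI per sensor -> (x, y) estimate."""
    distances = {name: rssi_to_distance(r) for name, r in rssi_readings.items()}
    return trilaterate(sensors, distances)


def simulated_readings(sensors, target, bias_db=None):
    """Constructed RSSI readings for a target at a known position. bias_db
    adds a per-sensor error in dB to stand in for fading or interference."""
    bias_db = bias_db or {}
    return {name: distance_to_rssi(math.hypot(x - target[0], y - target[1])) + bias_db.get(name, 0.0)
            for name, (x, y) in sensors.items()}


def position_error(estimate, truth):
    """Straight-line distance between an estimate and the true position."""
    return math.hypot(estimate[0] - truth[0], estimate[1] - truth[1])


if __name__ == "__main__":
    truth = (10.0, 20.0)
    clean = locate(SENSORS, simulated_readings(SENSORS, truth))
    noisy = locate(SENSORS, simulated_readings(SENSORS, truth, {"A": -3.0}))
    print(f"ideal readings:   fix=({clean[0]:.2f}, {clean[1]:.2f})  error={position_error(clean, truth):.2f} m")
    print(f"A reads 3 dB low: fix=({noisy[0]:.2f}, {noisy[1]:.2f})  error={position_error(noisy, truth):.2f} m")
```

With ideal readings the fix lands on the true position; with a single sensor reading 3 dB low the estimated distance to it grows by a factor of 10^(3/27), about 1.29, and the fix moves by roughly 8 m at this geometry. That is with a textbook path-loss model; real multipath and a changing exponent across walls are why the post treats the result as a search area rather than a point.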
