Wednesday, November 5, 2008

Phase 2: Scanning

War driving is the act of driving around looking for wireless access points that have little or no security configured, which may let an attacker gain access to a network carrying sensitive information. Aficionados of the practice have created a website about war driving that can be found at www.wardriving.com/.


http://www.wardriving.com/ explains what war driving is, the equipment needed to go war driving, software for various operating systems, security advisories related to specific wireless access points, and contact information for the authors of the site. There is also a "news" section that lists some of the most current news stories related to war driving.



There are three methods of war driving:

  • active scanning
  • passive scanning
  • forced deauthentication

Active scanning involves broadcasting 802.11 probe request frames with a wildcard (empty, or "any") ESSID and recording the probe responses that nearby access points return; each response carries the ESSID of that WLAN. Because the scanner transmits, active scanning is itself detectable by anyone monitoring the air.

NetStumbler is a tool for Windows that allows you to detect Wireless Local Area Networks (WLANs) using 802.11b, 802.11a and 802.11g. (http://www.netstumbler.com/)


It has many uses:


• Verify that your network is set up the way you intended.
• Find locations with poor coverage in your WLAN.
• Detect other networks that may be causing interference on your network.
• Detect unauthorized "rogue" access points in your workplace.
• Help aim directional antennas for long-haul WLAN links.
• Use it recreationally for War Driving.


Passive scanning is a far stealthier way of discovering WLANs. It puts the wireless card into "rfmon" (monitor) mode so that it sniffs all 802.11 traffic from the air without transmitting anything. A good program for this is Wellenreiter (http://www.remote-exploit.org/), which runs on Linux. It first harvests ESSIDs from the beacons and probe responses it overhears in rfmon mode, then watches ARP and DHCP traffic to learn the MAC and IP addresses of the newly discovered wireless devices.

The third method of war driving forces clients to deauthenticate and reveal the ESSID; this can be accomplished with a program called "ESSID-Jack". The attacker sends an 802.11 deauthentication frame to the broadcast address of the WLAN with the source MAC address spoofed to that of the access point; for the attack to succeed, the attacker MUST first capture the access point's MAC address (the BSSID, which appears in its beacons). Once the knocked-off client tries to re-establish its connection to the WLAN, the attacker sniffs the probe request and association request frames it sends, which carry the ESSID in cleartext, even when the access point omits the ESSID from its own beacons.



Defenses Against War Driving


Set the ESSID to something that doesn't draw attention to your network, and set a naming standard for WLANs that keeps the organization's name out of the SSID. Next, configure your access points to ignore probe requests that do not include the ESSID and to omit the ESSID from beacon frames; note that this only raises the bar, because clients still send the ESSID in cleartext when they associate, which is exactly what the deauthentication attack above exploits. Finally, encourage (I'd demand) stronger protection than MAC-address filtering or WEP: WPA2 with AES-CCMP where the hardware supports it, or WPA with TKIP at minimum.
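The scanning methods above and the hidden-ESSID defense all turn on a handful of 802.11 management frames: the wildcard probe request an active scanner sends, the beacon a "cloaked" access point sends with a zero-length SSID element, and the probe/association request a client sends when it rejoins after a deauthentication. The following added example (not from the original post, and not the code of NetStumbler, Wellenreiter or ESSID-Jack) builds and parses those frames in pure Python and runs a passive harvest over a constructed capture, so you can see that the SSID hidden in the beacon is recovered from the client's own frames. The MAC addresses, the SSID "corp-wlan" and the capture itself are constructed for the example; the frame layout and element IDs follow the 802.11 standard.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# IEEE 802.11 management frame subtypes used below (frame control type 0).
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON, DEAUTH = 0, 4, 5, 8, 12
NAMES = {ASSOC_REQ: "assoc-req", PROBE_REQ: "probe-req", PROBE_RESP: "probe-resp",
         BEACON: "beacon", DEAUTH: "deauth"}
# Fixed fields that precede the information elements in each body:
# beacon/probe-resp: timestamp(8)+interval(2)+capability(2); assoc-req: capability(2)+listen interval(2).
FIXED_LEN = {BEACON: 12, PROBE_RESP: 12, PROBE_REQ: 0, ASSOC_REQ: 4}
BROADCAST = b"\xff" * 6
HDR = struct.Struct("<HH6s6s6sH")  # frame control, duration, addr1 (DA), addr2 (SA), addr3 (BSSID), seq ctrl


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt(subtype: int, dst: bytes, src: bytes, bssid: bytes,
               fixed: bytes = b"", ssid: Optional[bytes] = None) -> bytes:
    """Build a management frame (FCS omitted). ssid=None leaves the SSID element out;
    ssid=b"" emits a zero-length SSID element, which is how a "hidden" AP beacons."""
    fc = subtype << 4                          # protocol version 0, type 0 (management), no flags
    body = fixed
    if ssid is not None:
        body += bytes([0, len(ssid)]) + ssid   # element ID 0 = SSID
    return HDR.pack(fc, 0, dst, src, bssid, 0) + body


def parse_ies(data: bytes) -> dict:
    """Walk the TLV information elements; stop at the first truncated one instead of over-reading."""
    ies, i = {}, 0
    while i + 2 <= len(data):
        eid, ln = data[i], data[i + 1]
        val = data[i + 2:i + 2 + ln]
        if len(val) < ln:
            break
        ies.setdefault(eid, val)               # keep the first occurrence of each element
        i += 2 + ln
    return ies


@dataclass
class Mgmt:
    subtype: str
    dst: str
    src: str
    bssid: str
    ssid: Optional[bytes]   # None: no SSID element present; b"": cloaked (zero-length)


def parse_mgmt(frame: bytes) -> Mgmt:
    if len(frame) < HDR.size:
        raise ValueError("frame shorter than the management header")
    fc, _dur, a1, a2, a3, _seq = HDR.unpack_from(frame)
    if (fc >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = (fc >> 4) & 0xF
    ssid = None
    if subtype in FIXED_LEN:                   # only these subtypes carry an SSID element
        ssid = parse_ies(frame[HDR.size + FIXED_LEN[subtype]:]).get(0)
    return Mgmt(NAMES.get(subtype, f"subtype-{subtype}"), mac(a1), mac(a2), mac(a3), ssid)


def ap_answers_probe(probe: bytes, ap_ssid: bytes, ignore_wildcard: bool) -> bool:
    """Access point side of an active scan: a NetStumbler-style wildcard probe (empty SSID)
    is answered only if the AP has not been configured to ignore such probes."""
    p = parse_mgmt(probe)
    if p.subtype != "probe-req":
        return False
    if not p.ssid:                             # wildcard / "any"
        return not ignore_wildcard
    return p.ssid == ap_ssid                   # directed probe that names this network


def harvest(frames) -> dict:
    """Passive scan over a capture: take SSIDs from beacons and probe responses, and from the
    directed probe / association requests clients send when (re)joining a network."""
    nets, cloaked = {}, set()
    for raw in frames:
        f = parse_mgmt(raw)
        if f.subtype in ("beacon", "probe-resp"):
            if f.ssid:
                nets[f.bssid] = f.ssid
            elif f.ssid == b"":
                cloaked.add(f.bssid)           # AP is there, but hides its name
        elif f.subtype in ("probe-req", "assoc-req") and f.ssid and f.bssid != mac(BROADCAST):
            nets[f.bssid] = f.ssid             # the client names the hidden network for us
    return {"networks": nets, "cloaked": cloaked - set(nets)}


# Constructed capture (example data): hidden AP, spoofed deauth, client reassociating.
AP, CLIENT = bytes.fromhex("00d0f10a0b0c"), bytes.fromhex("001a2b3c4d5e")
SSID = b"corp-wlan"
CAPTURE = [
    build_mgmt(BEACON, BROADCAST, AP, AP, fixed=b"\x00" * 12, ssid=b""),       # cloaked beacon
    build_mgmt(DEAUTH, BROADCAST, AP, AP, fixed=struct.pack("<H", 7)),          # attacker, SA spoofed as AP
    build_mgmt(PROBE_REQ, AP, CLIENT, AP, ssid=SSID),                           # client's directed probe
    build_mgmt(ASSOC_REQ, AP, CLIENT, AP, fixed=b"\x00" * 4, ssid=SSID),       # client's association request
]

if __name__ == "__main__":
    print(harvest(CAPTURE[:1]))   # beacon alone: BSSID known, name still cloaked
    print(harvest(CAPTURE))       # after the forced reassociation: SSID recovered
```

Run against the first frame only, the harvest reports one cloaked BSSID and no names; run against the whole capture, the client's probe and association requests supply the name. The `ap_answers_probe` helper shows the other half of the defense in the paragraph above: once the AP ignores wildcard probes, an active scanner gets no response, but a probe that already names the network is still answered.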


Another level of defense is using a VPN (Virtual Private Network) to reach the network over the wireless link. Using VPN technology for wireless LANs is generally recommended, but it can present one of those situations where you must weigh your need to keep network administration simple against the value of your data. Your decision will depend on the size of your organization, the reach of your wireless LAN installation and your security needs.


From a policy perspective, it makes sense to treat the wireless LAN just as you would the corporate backbone and put your 802.11 access points on the corporate VPN. Wireless LAN users then access the network just as remote dial or Internet users would, a process requiring authentication. One way to do this is to place the 802.11 access point outside the corporate firewall, requiring that wireless clients authenticate to the VPN or firewall using third-party software. The benefit here is that most of the authentication takes place independently of the wireless network, keeping access point maintenance simple (and keeping equipment costs down).


Some vendors such as Colubris Networks, though, argue that the VPN capabilities should be bundled right into the access point to ensure the highest degree of privacy. Colubris has added L2TP VPN tunneling and IPSec encryption and authentication to its enterprise-strength CN1050 802.11b access points.



The theory here is that in a wireless LAN, as traffic volumes grow, you simply add new access points, which can act as repeaters that automatically forward traffic from one access point to another. Traffic hitting one access point may therefore be repeated to another before any authentication takes place. (In other words, a user is already on the wireless segment before being authenticated.)



Access points without integrated VPN capabilities, then, are viewed as creating a security hole. Anyone with an IEEE 802.11b network interface card in their client device who is within transmission range can associate with the access point and hop onto the wireless segment. The unauthenticated user cannot easily penetrate a corporate backbone secured by a firewall and VPN, but can read the data traversing the unsecured access point.



Faraday Cage Solutions


There are two approaches that act as a partial Faraday cage. One is for the network administrator to deploy directional antennas to control signal bleed beyond the premises. The other is to use a wallpaper or paint containing wire mesh or metal fibers, which attenuates the wireless signal at the walls of your environment.


War Dialing



War dialing is a technique of using a modem to automatically scan a list of telephone numbers, usually dialing every number in a local exchange, to search for unknown computers, BBS systems or fax machines. Hackers use the resulting lists for various purposes: hobbyists for exploration, crackers for password guessing.



A single war dialing call would involve calling an unknown number, and waiting for one or two rings, since answering computers usually pick up on the first ring. If the phone rings twice, the modem hangs up and tries the next number. If a modem or fax machine answers, the war dialer program makes a note of the number.




If a human or answering machine answers, the war dialer program hangs up. Depending on the time of day, war dialing 10,000 numbers in a given exchange might annoy dozens or hundreds of people, some of whom try and fail to answer the phone within two rings, and some of whom succeed, only to hear the war dialing modem's carrier tone and hang up. The repeated incoming calls are especially annoying to businesses that have many consecutively numbered lines in the exchange, such as those used with a Centrex telephone system.




War Driving Defenses


Do not place access points near doors or windows. Use strong management policies and monitoring, allow no unauthorized access points, and audit the access points periodically. For building-to-building links, use antennas with a directional radiation pattern and tune the beam angle. Also consider lowering access point transmit power, and power off access points when not in use.
