Chapter 17: Wireless Tools
OVERVIEW
Wireless networks offer the
convenience of mobility and a reduced amount of network equipment. They also
broadcast their presence, and possibly all of their data, to anyone who happens
to be listening. The proliferation of wireless networks reintroduced many
problems with clear-text protocols (communications in which sensitive data is
not encrypted). They also permitted arbitrary users access to a corporation's
internal network—absolutely bypassing the firewall or other security devices.
The threats to wireless networks are not just limited to malicious users looking
for open networks; anyone could sit in the parking lot and sniff the network's
traffic.
Before we dive into two wireless tools, we should review a few
wireless terms. Wired Equivalent Privacy (WEP) is an attempt to overcome the
promiscuous nature of a wireless network. To sniff traffic on a wired network
(one with CAT-5 cables, hubs, and switches), you first must physically connect
to the network. For a wireless network, you merely need to be within proximity
of an access point (AP). WEP is designed to provide encryption at the
physical and data-level layers of the network. In other words, it encrypts
traffic regardless of the network protocol, such as TCP/IP or IPX. If a network
is using WEP, traffic on it will be much harder to sniff; however, poor
implementations of WEP have allowed a user to guess the encryption key and
consequently view arbitrary traffic.
The other acronym that pops up quite a bit is the Service Set
Identifier (SSID). The SSID is prepended to wireless packets. SSIDs provide a
means for multiple access points to serve multiple networks while discriminating
between packets. The SSID can be up to 32 characters long. Thus, one network
might have an SSID of dev, and another network might have an SSID of DMZ. Even
if the APs for these networks are close together, packets for the dev network
will not enter the DMZ network by mistake. Thus, the SSID can be considered a
sort of password to the AP, but one that is sent in clear text and is easy to
discover if the SSID broadcast is enabled (or you wait long enough to catch a
legitimate client connect to the AP). The SSID is a shared secret on the
network, but it is similar to the SNMP community strings: they are all too often
secrets that everyone knows. For example, here are some very common SSIDs:
- comcomcom
- Default SSID
- intel
- linksys
- Wireless
- WLAN
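As an added example (not code from the chapter), the following Python constructs a minimal 802.11 beacon frame and parses the SSID element out of it, showing how an inventory tool reads the clear-text SSID, recognises the case where SSID broadcast is disabled, and flags the common default SSIDs listed above. The frame layout and element IDs follow the 802.11 standard; the helper names and the sample BSSID are my own assumptions.

```python
import struct

# Default/common SSIDs listed in the chapter text.
COMMON_SSIDS = {"comcomcom", "Default SSID", "intel", "linksys", "Wireless", "WLAN"}

MAC_HEADER_LEN = 24      # frame control, duration, 3 addresses, sequence control
BEACON_FIXED_LEN = 12    # timestamp (8) + beacon interval (2) + capability info (2)
ELEMENT_ID_SSID = 0      # tagged parameter ID for the SSID element
SSID_MAX_LEN = 32        # SSIDs are at most 32 bytes

def build_beacon(bssid: bytes, ssid: bytes) -> bytes:
    """Construct a minimal beacon frame (constructed test input, not a real capture)."""
    frame_control = b"\x80\x00"                  # type=management, subtype=beacon
    duration = b"\x00\x00"
    broadcast = b"\xff" * 6                      # beacons are sent to all stations
    seq_ctrl = b"\x00\x00"
    header = frame_control + duration + broadcast + bssid + bssid + seq_ctrl
    fixed = struct.pack("<QHH", 0, 100, 0x0401)  # timestamp, interval, capability
    ssid_ie = bytes([ELEMENT_ID_SSID, len(ssid)]) + ssid
    return header + fixed + ssid_ie

def parse_beacon(frame: bytes) -> dict:
    """Return the BSSID and SSID of a beacon; ssid is None when broadcast is disabled."""
    if len(frame) < MAC_HEADER_LEN + BEACON_FIXED_LEN:
        raise ValueError("frame too short for a beacon")
    if frame[0] != 0x80:
        raise ValueError("not a beacon frame")
    bssid = frame[16:22].hex(":")                # address 3 carries the BSSID
    ssid = None
    pos = MAC_HEADER_LEN + BEACON_FIXED_LEN
    while pos + 2 <= len(frame):                 # walk the tagged parameters
        elem_id, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        if elem_id == ELEMENT_ID_SSID:
            if length > SSID_MAX_LEN:
                raise ValueError("SSID longer than 32 bytes")
            # A zero-length SSID element means the AP is not broadcasting its SSID.
            ssid = value.decode("utf-8", "replace") if length else None
            break
        pos += 2 + length
    return {"bssid": bssid, "ssid": ssid, "default_ssid": ssid in COMMON_SSIDS}

if __name__ == "__main__":
    sample = build_beacon(b"\x00\x11\x22\x33\x44\x55", b"linksys")  # constructed
    print(parse_beacon(sample))
```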
In addition to a computer and a wireless card, you can complement
your wireless arsenal with a high-gain antenna and a Global Positioning System
(GPS) unit. A high-gain antenna improves the range of your card, increasing the
distance from which you can access a network. A GPS unit comes in handy when
driving through areas on the prowl for network access points. Many tools
incorporate the ability to record the access point's technical information (such
as the SSID) as well as its location. Later, you could correlate the location on
a map.
An external antenna is a
good idea for improving your card's range from a few dozen meters to well past a
kilometer. Several options are available, from $100 prebuilt antennas to
high-gain antennas you can build yourself from cans and washers. A strong
antenna not only lets you find distant networks, but it also lets you figure out
how far away the data from your own wireless network is going.
Appropriate wireless drivers are necessary for many of the
capabilities required by the tools covered in this section. Linux, FreeBSD, and
Mac OSX (for Viha chipsets) have drivers that support the most common cards. The
wireless cards of choice use Prism-based chipsets. Cisco and Orinoco (sometimes
branded as Lucent) chipsets have adequate support as well. Currently, wireless
cards that use a Broadcom chipset are to be avoided when using these wireless
tools—the Broadcom drivers simply do not support the capabilities required. As a
rule, you're pretty safe with any 802.11b card, but 802.11a and 802.11g cards
tend to have inadequate drivers for Linux and FreeBSD. There are exceptions, but
if you stick to Prism-based cards and check with some wireless-related
newsgroups, you should do well.
Note: The Linux ndiswrapper (http://ndiswrapper.sf.net)
project enables Linux-based systems to take advantage of a Windows driver for a
wireless device. So, even if a wireless card has no support for Linux, the
ndiswrapper application enables Linux to use the card and access wireless
networks. While this is perfect for associating to a network, this driver is
designed to perform the basic functions necessary for networking. This driver
won't let you use the advanced capabilities that a tool like Kismet provides.
Check a card's chipset support before you buy it!
As a final note, it's important to realize that wireless
networks have several implications for security. At its advent wireless (or
"wi-fi") network security relied on WEP, which proved to be an insecure
implementation of a cryptosystem. The encryption algorithms that it used weren't
the problem; instead, it was the manner in which they were applied. As such,
networks protected by WEP were in effect vulnerable to sniffing attacks that
could reveal the encryption key used to protect all of the packets. The initial
shortcomings of wireless security protocols were addressed by WPA and WPA2.
These protocols improved the encryption scheme's implementation and also created
per-user encryption. So, while a sniffing attack may still be possible, it is no
longer as trivial to crack the encryption keys used to protect the wireless
communications. Nevertheless, any wireless network must also consider the
implications of having a network that is not physically bound by the walls of a
building. The tools in this section focus on the discovery and inventory of
wireless networks.