Wireless Security, Wardriving, and Detecting Rogue Access Points Using Kismet Wireless Scanner

By: Lance Howell

Wardriving & Kismet Introduction



Wireless Security

•WEP (Wired Equivalent Privacy)
•WPA (Wi-Fi Protected Access)
•WPA2 (Wi-Fi Protected Access version 2)

Weaknesses in WEP

•Older equipment and devices
•Supports no keys or a shared key management system
•You have to manually change your keys
•The Initialization Vector (IV) is too short and sent in clear text
•IVs are static
•No cryptographic integrity protection is implemented

Weakness in WPA

•Using short Pre-shared Keys (PSK)
•Dictionary attacks

Reconnaissance

•First popular software: NetStumbler
 ▫Windows
 ▫Mac
 ▫No Linux-based version
•Kismet
 ▫Popular for professionals
 ▫Linux version
 ▫Windows version called Kiswin v0.1, last updated 2005

Reconnaissance continued

•Use the software to listen to traffic
•Access Points (AP) broadcast:
 ▫SSID
 ▫Encryption status
 ▫Whether it is broadcasting or not
 ▫AP information
 ▫GPS information
•Map locations

Sniffing

•Passive and undetectable to Intrusion Detection Systems (IDS)
•Attackers can identify additional resources that can be compromised
•Authentication types
•Use of Virtual Private Networks (VPN), Secure Sockets Layer (SSL), and Secure Shell (SSH) helps protect against wireless interception

Spoofing and Unauthorized Access

•Due to TCP/IP design, there is little that can be done to prevent Media Access Control/IP (MAC/IP) address spoofing
•With static definition of MAC address tables this attack can be prevented
•Staff must be diligent about logging and monitoring those logs so that spoofing attacks can be identified and addressed.

Kismet and Wardriving

Introductions

•Console-based wireless analysis tool
•Passive; captures traffic from wireless cards in monitor mode
•Observes activity from all networks within range
•Wardriving tool of choice
•Wardriving is legal
•Included in Backtrack 4, ready to run and use

Versions

•Stable
•Developmental
•Newcore
•Purpose
 ▫Recon
 ▫Enumeration

Objectives of Kismet

•Locate and identify AP(s)
 ▫BSSID, ESSID, channel and encryption
 ▫GPS data
 ▫And more…
•Locate and identify client(s)
 ▫MAC address
 ▫Manufacturers
•Spectrum analysis
•Drones/open-source WIPS

Data Obtained

•Text (txt)
•Comma Delimited File (CSV)
•XML
•GPS
•Pcap
•NetXML

LOG Files

Type of File  File Description
Dump          A raw packet dump that can be opened in Wireshark or other packet analyzers.
Network       A text file listing the networks that have been detected.
CSV           A comma-separated listing of networks detected.
XML           An eXtensible Markup Language (XML) formatted log of networks detected. This is useful for importing into other applications.
Weak          The weak Initialization Vector (IV) packets detected in AirSnort format.
Cisco         A log of Cisco Discovery Protocol (CDP) broadcasts produced by Cisco equipment.
GPS           The log of GPS coordinates of access points detected.

Netxml Logging File

•Can be imported into Excel for post-processing analysis
 ▫Rename to “.xml”, select “read-only workbook” when opening
•Requires Internet access to download the Kismet DTD file
•Allows you to graph results, add details for additional analysis

Reporting on AP Uptime

•“=U267/(1000000*(60*60*24))”: the divisor is the number of microseconds in a day, so the formula converts the microsecond uptime value in cell U267 into days

Startup

•Kismet will prompt to start the Kismet Server at startup

•Once the Kismet server has started, you will be prompted for the first packet source

Kismet Sources

•Specify the available wireless interface as a packet source
 ▫“wlan0”, “wlan1”, etc.

•Kismet will identify the needed information and place the interface in passive capture mode

•Add as many sources as you want from Kismet Add Source

•Can also specify libpcap wireless packet capture files as sources

Kismet Newcore Screenshot

Plugins

•Plugin architecture to extend functionality
•Distributed with Kismet: Aircrack-PTW, Spectools
•Third-party: DECT wireless sniffing
•Kismet Plugins
 ▫Status of plugins, version information
 ▫Enable or disable UI plugins
 ▫See list of Kismet Server plugins

Extending Kismet

•Device Manufacturer Name
 ▫Kismet relies on Wireshark’s “manuf” file to identify manufacturers
 ▫File can be updated with the make-manuf script (not distributed with BT4)
 ▫# wget http://anonsvn.wireshark.org/wireshark/trunk/wka.tmpl
 ▫# wget http://anonsvn.wireshark.org/wireshark/trunk/manuf.tmpl
 ▫# wget http://anonsvn.wireshark.org/wireshark/trunk/make-manuf
 ▫# perl make-manuf
 ▫# mv manuf /usr/share/wireshark
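The manufacturer lookup that the manuf file enables, as an added example (not code from the presentation, from Kismet or from Wireshark): it assumes the manuf layout of a tab-separated prefix and short name, with the long name either as a third field or after a “#”, and an optional /bits mask on blocks finer than 24 bits; the entries are constructed.

```python
# Constructed excerpt in the layout of Wireshark's "manuf" file (assumption:
# tab-separated prefix and short name, long name as a third field or after
# "#"; a prefix may carry a /bits mask for blocks finer than 24 bits).
SAMPLE_MANUF = """\
# Ethernet vendor codes (constructed sample, not the real registry)
00:11:22\tExampleCo\t# Example Corporation
00:1A:2B\tAcmeNet\tAcme Networking Ltd
00:50:C2:12:30:00/36\tSmallVend\tSmall Vendor (36-bit block)
"""

def parse_manuf(text):
    """Return (prefix_value, mask_bits, short, long) tuples, longest mask first."""
    entries = []
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        fields = [f.strip() for f in body.strip().split("\t") if f.strip()]
        if len(fields) < 2:          # blank line or pure comment line
            continue
        prefix, short = fields[0], fields[1]
        longname = fields[2] if len(fields) > 2 else (comment.strip() or short)
        prefix, _, bits = prefix.partition("/")
        bits = int(bits) if bits else 24
        octets = prefix.split(":") + ["00"] * (6 - prefix.count(":") - 1)
        value = int("".join(octets), 16) >> (48 - bits)   # keep only the masked bits
        entries.append((value, bits, short, longname))
    entries.sort(key=lambda e: e[1], reverse=True)        # most specific block wins
    return entries

def lookup_manuf(entries, mac):
    """Map a BSSID or client MAC to (short, long), the way Kismet labels manufacturers."""
    mac_int = int(mac.replace(":", "").replace("-", ""), 16)
    for value, bits, short, longname in entries:
        if mac_int >> (48 - bits) == value:
            return short, longname
    return None
```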

Graphical Representation

•Gpsmap (old)
•Pykismet
•Kismet-earth
•Kisgearth

GISKismet

•Building visual representations of Kismet data
•Correlate information in database
•Graphically represent information
•Filter out non-useful information

GISKismet - Filters

•Input filters
 ▫AP configuration data
 ▫Query filters on any information: AP configuration, client information, GPS coordinate(s)
•Filter input
 ▫Insert all AP(s) on channel 6 named Linksys
•Filter output
 ▫Output all AP(s) without encryption

Tips on Protecting the Network

•Use an external authentication source
 ▫RADIUS
 ▫SecurID
•Protect against MAC spoofing: use a secure connection for all host services accessed over the network
 ▫SSH
 ▫SSL
•Use a dynamic firewall

System Administrators

•Complaint: poor performance on the wireless network
•Things to observe:
 ▫What AP are the clients connecting to?
 ▫Are all APs properly configured?
 ▫Lots of retries, indicating poor connections or noise
 ▫Lots of missed beacons, indicating noise or faulty APs
 ▫What channels are being utilized?
•Retries are normal in small numbers; a sustained rate above 10% is a problem

Kismet screen callouts: Signal and Noise/Channel; Packet Rate (Real Time); Data Frames (Cumulative); Networks Count (yellow is historic, green is currently active); Detail View (scroll with arrow keys)

Auditors

•Are the networks configured per specification?
 ▫SSID cloaking enabled/disabled?
 ▫Appropriate encryption and authentication settings?
 ▫Are there unencrypted networks (when there shouldn’t be)?
•Kismet walkthrough while channel hopping, post-processing analysis.

Security Analysts

•Network discovery & analysis
 ▫Are there open APs or weak crypto?
 ▫What are the clients on the network?
 ▫What kind of EAP types are in use?
•Post-processing data evaluation
 ▫Third-party tools with Kismet pcap files, XML records, nettxt summaries
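Post-processing of the netxml log, as an added example that is not code from the presentation or from Kismet: it answers the auditor's question about unencrypted networks, applies the GISKismet-style “channel 6 named Linksys” filter, and carries the AP-uptime formula from the Excel slide. The element names (wireless-network, SSID, encryption, essid, BSSID, channel, bsstimestamp) are an assumption about the newcore netxml layout, and the three networks are constructed.

```python
import xml.etree.ElementTree as ET
# Constructed sample laid out like a Kismet newcore .netxml log (the element
# names are an assumption about that format; every value below is made up).
SAMPLE_NETXML = """<detection-run kismet-version="newcore" start-time="Mon Jan 4 09:00:00 2010">
 <wireless-network number="1" type="infrastructure">
  <SSID><type>Beacon</type><encryption>WPA+PSK</encryption>
   <encryption>WPA+AES-CCM</encryption><essid cloaked="false">CorpNet</essid></SSID>
  <BSSID>00:11:22:33:44:55</BSSID><channel>1</channel><bsstimestamp>259200000000</bsstimestamp>
 </wireless-network>
 <wireless-network number="2" type="infrastructure">
  <SSID><type>Beacon</type><encryption>None</encryption>
   <essid cloaked="false">linksys</essid></SSID>
  <BSSID>00:1A:2B:3C:4D:5E</BSSID><channel>6</channel><bsstimestamp>43200000000</bsstimestamp>
 </wireless-network>
 <wireless-network number="3" type="infrastructure">
  <SSID><type>Beacon</type><encryption>None</encryption>
   <essid cloaked="true"></essid></SSID>
  <BSSID>00:AA:BB:CC:DD:EE</BSSID><channel>6</channel><bsstimestamp>8640000000</bsstimestamp>
 </wireless-network>
</detection-run>
"""

def uptime_days(bsstimestamp_us):
    """Slide formula =U267/(1000000*(60*60*24)): AP timer in microseconds -> days."""
    return bsstimestamp_us / (1000000 * (60 * 60 * 24))

def parse_netxml(text):
    """One dict per <wireless-network> with the fields an auditor filters on."""
    nets = []
    for net in ET.fromstring(text).iter("wireless-network"):
        ssid = net.find("SSID")
        essid = ssid.find("essid") if ssid is not None else None
        nets.append({
            "bssid": net.findtext("BSSID"),
            "essid": (essid.text or "") if essid is not None else "",
            "cloaked": essid is not None and essid.get("cloaked") == "true",
            "channel": int(net.findtext("channel", "0")),
            "encryption": [e.text for e in ssid.iter("encryption")] if ssid is not None else [],
            "uptime_days": uptime_days(int(net.findtext("bsstimestamp", "0"))),
        })
    return nets

def open_networks(nets):
    """Auditor question 'are there unencrypted networks?': nothing beyond None is advertised."""
    return [n for n in nets if not n["encryption"] or n["encryption"] == ["None"]]

def on_channel_named(nets, channel, essid):
    """GISKismet-style input filter, e.g. all APs on channel 6 named Linksys."""
    return [n for n in nets if n["channel"] == channel and n["essid"].lower() == essid.lower()]
```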