WIRELESS SCANNING AND ENUMERATION

Packet Capture and Analysis Resources

The following resources, when used together, provide a thorough overview of the techniques and technical "know-how" behind packet-capturing and analysis:

• http://www.robertgraham.com/pubs/sniffing-faq.html A comprehensive site that could probably answer just about all your questions. Make this your first stop for information.

• http://grc.com/oo/packetsniff.htm A great source for specific packet analysis, commercial sniffers, identifying promiscuous-mode nodes, and thwarting unauthorized sniffers.

• http://cs.ecs.baylor.edu/~donahoo/tools/sniffer/sniffingFAQ.htm A good introductory site covering the basics of packet sniffing and the overall architecture requirements of a sniffer.

Many network sniffers exist for promiscuous card packet capturing, yet very few exist for the wireless side of the world due to the age of the technology. Basically, you have three different setups you can run with, depending on your platform of choice: Windows, Linux, and OpenBSD. Granted, if you are a pro, you may be able to write your own drivers and sniffer modules to get your sniffer software to work under different platforms, but these three are currently the most supported via drivers and tools.

Flipping (a.k.a. switching) your wireless card into promiscuous mode is completely automated under Windows; however, under Linux it is a bit more complicated, which is exactly why we have included a guide for getting sniffer software working under Linux. Configuring the OpenBSD kernel and software is similar, so we apologize for not listing the redundancies. If you would like OpenBSD-specific information, go to http://www.dachb0den.com.

Configuring Linux Wireless Cards for Promiscuous Mode

If you follow these instructions, it should be rather simple for you to set up your Linux laptop and get to wireless sniffing in under an hour (not including tool and file download time).

Step 1: Get Prepared First and foremost, you will need a wireless PCMCIA network card with the Prism2 chipset. Now that you have your card, as with any new installation it is recommended that you back up your important data in case something were to cause your files to be irretrievable. Although this is not an overly risky installation, precautions should be taken. The following are examples of wireless cards that use the Prism2 Chipset:

• Compaq WL100

• SMC2632

• Linksys WPC11

Step 2: Get the Files When you have completed the first step and are ready to start, you will need to download a few files if you don't already have them on your system. If the following links become broken because of new releases, it should not be difficult to find any of them via a Google search:

Step 3: Compile and Configure Once you have downloaded the preceding files, you are ready to actually start configuring your system. In general, most apps use the ./configure && make && make install installation setup, but for specific compilation instructions, refer to the individual Readme files for each of the applications.

Step 4: Flip the Card After compilation, you need to restart all your card services and ensure that all the modifications have been implemented. Most wireless sniffing and cracking tools have built-in functionality for flipping (changing) your card into promiscuous mode; however, you may wish to simply capture the packets without automated cracking or other features included within the tools. Whatever the case may be, the command to flip your card (enable sniffing) is shown here:

  %root%> wlanctl-ng wlan0 lnxreq_wlansniff channel=# enable=true  

Here's the command to use to disable sniffing:

  %root%> wlanctl-ng wlan0 lnxreq_wlansniff channel=# enable=false  

You should understand that when your card is in promiscuous mode, it is unable to send packets. Therefore, it is disallowed from communicating on a wired or wireless network.

Step 5: Start Sniffing The last step for manual wireless sniffing is to start capturing the packets to ensure you have completed the setup correctly. A simple tool you can use to test this is Prismdump, a tool you should have downloaded and compiled in Steps 2 and 3. Prismdump simply manipulates the captured packets into the industry-standard format, PCAP. PCAP (a.k.a. the Packet Capture format) is often used as a common format for saving raw packet data.

To run Prismdump, use the following command:

  %root%> prismdump > wlan_packets  

A quick no-brainer: When your wlan_packets file is over 1 byte in size , you know you have started to capture 802.11 packets, which means you may start to use your WEPcracking software or packet-analysis software, such as Ethereal.

Mognet

Mognet, shown in Figure 8-8, is a straightforward 802.11b wireless sniffer written completely in Java by Sean Whalen (sean@node99.org). A few of its key features include near real-time capture output via the Java pane. The output includes the packet type, source MAC address, destination MAC address, and the corresponding SSID if known or included. The FF FF FF FF FF FF destination MAC address is a broadcast address sent out from the wireless access point, which is one method for initially starting a wireless access point-to-communication stream.

Figure 8-8: Node99's Mognet interface

The Java interface can also load and save captured wireless sessions in libpcap format (a.k.a. PCAP). The only requirement for Mognet is an installed JDK (1.3 or higher) or a C compiler in case you wish to compile a local binary. Mognet is released under the GNU Public License (GPL) and can be downloaded from http://www.node99.org/projects/mognet.

Prism2dump

Prism2dump (http://www.dachb0den.com/projects/prism2dump.html) comes with the BSD-Airtools suite and works with Prism2 chipset cards. It will output 802.11 frames with three levels of details, specified by the -v flag.

To use Prism2dump, you'll need to have a Prism2 kernel driver that supports monitormode operation. Newer BSD versions such as OpenBSD 3.2 will support this in the default kernel, but others will need the kernel patches included in the BSD-Airtools package.

To use Prism2dump, first place your card in monitor mode with prism2ctl <interface> -m , as shown here:

 foo#  prism2ctl wi0 -m  

After the command is issued, you can check the status by running prism2ctl and only specifying the interface. In the following example, the line for monitor mode indicates it is active:

 foo#  prism2ctl wi0  Sleep mode:                                      [ Off ] Suppress post back-off delay:                    [ Off ] Suppress Tx Exception:                           [ Off ] Monitor mode:                                    [ On ] LED Test:                                        [ ] Continuous Tx:                                   [ ] Continuous Rx:                                   [ Off ] Signal State:                                    [ ] Automatic level control:                         [ Off ] 

Once monitor mode is enabled, run Prism2dump by specifying the interface name and level of verbosity requested . Here, we are using the wi0 interface and -v 2, which prints all 802.11 protocol information.

The dump results show an 802.11 Management Probe Response from an access point with an SSID of APPLE on channel 6:

 foo#  prism2dump wi0 -v 2  prism2dump: listening on wi0 - [0:5:5d:a7:36:53 <- 0:30:65:1d:f1:0 <- 0:30:65:1d:f1:0] - port: 7 ts: 151.143336 1:81 20:0 - sn: 3200 (d4:ec:cc:dc:8c:4c) len: 36  - ** mgmt-proberesp ** ts: 17.605513 int: 100 capinfo: ess priv    + ssid: [APPLE]    + rates: 1.0 2.0 5.5 11.0    + ds ch: 6 

tcpdump

tcpdump (http://www.tcpdump.org) is a standard UNIX network monitoring tool that, in newer versions, supports decoding 802.11 frame information. Because basic tcpdump usage is covered elsewhere in this book, we won't describe general information here, just the 802.11-specific items. To use tcpdump to decode 802.11 traffic, you'll need to install versions of libpcap and tcpdump that support it. As of this writing, the "current" rev of each package supports decoding 802.11 frames. Usage on wireless networks is basically the same as other types of networks, but you will need to place your card in monitor mode first to read the management frames. Outside of the various commands for each card and OS, the easiest way to flip the card to monitor mode is using the kismet_monitor script included with Kismet. Using tcpdump on a wireless network without putting the card in monitor mode will show broadcasts and traffic destined for the localhost, like a switched Ethernet network.

One option to note is -e, which will print out the frame-control fields, the packet length, and all the addresses in the 802.11 header that show the BSSID and destination MAC address. Also for parsing purposes, "wlan" can be used in place of " ether " for arguments such as wlan protocol ip . In the following example, we have already enabled monitor mode on the wireless card and are running tcpdump by specifying the wireless interface ( -i eth1 ), getting the extra 802.11 information ( -e ), and printing out hex and ASCII data from the packets ( -X ):

 [root@localhost root]#  tcpdump -i eth1 -e -X  

In the following packet, you can see that the BSSID is 00:60:b3:67:6c:40, the DA (or destination) is the broadcast address (FF:FF:FF:FF:FF:FF), and the source address is the same as the BSSID (the MAC address of the access point). The frame type is a Beacon, and it's using an SSID of proxim. The access point is capable of establishing an 802.11 link at speeds of 1, 2, 5.5, and 11 Mbps on channel 6.

 16:13:52.974207 BSSID:00:60:b3:67:6c:40 DA:Broadcast SA:00:60:b3:67: 6c:40 Beacon (proxim) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 6 0x0000   18e2 3540 1300 0000 6400 0100 0006 7072        ..5@....d.....pr 0x0010   6f78 696d 0104 0284 0b16 0301 0605 0400        oxim............ 0x0020   0300 00                                        ... 

Ethereal

Ethereal (http://www.ethereal.com) is a UNIXand Windows-based network monitoring tool. Although not specifically designed for 802.11 analysis, it does support capturing and decoding 802.11 packets with libpcap on UNIX systems. For Windows systems, it does not have the ability to directly capture 802.11 packets, but it can read the same capture file format that is generated by the UNIX versions of tcpdump or Ethereal. This means you could gather the data on a UNIX system and then later analyze it on your Windows machine.

We'll use Ethereal for most of the enumeration section because it does offer good filtering capabilities and is cross-platform enough to the degree that we can view packet data the same way across UNIX and Windows systems.

Ethereal requires drivers capable of monitor-mode operation. It also requires that the card be placed in monitor mode before you start capturing packets.

To use Ethereal to capture 802.11 packets, place your card into monitor mode with kismet_monitor or the card-specific command and then start Ethereal. Press CTRL-K or select the Capture Start menu to bring up the Capture Options window (shown next). Check the drop-down adapter list for your wireless interface (if it is not present, type in the interface name). You can configure the rest of the options as per your needs. Note that you do not need to be concerned with the "Capture packets in promiscuous mode" box. The card is placed in monitor mode before Ethereal is run, so this switch will not have an effect on the captured results.

The Ethereal interface is divided into three panes, as shown in Figure 8-9. The top window is the packet list pane and provides a summarized list of the packets captured. The middle pane shows a detailed breakdown of the packet selected in the packet list, and the bottom pane is a raw hex and ASCII dump called the data view pane.

Figure 8-9: The three panes of the Ethereal interface

You've probably used Ethereal to view packets on Ethernet networks before. Using it on 802.11 networks is similar, but you are given some new options to the existing Ethereal filtering rules using the wlan category.

Consult the Ethereal documentation for a complete listing of the wlan filter subcategories .

Airfart

Started as a mere project for a college-level computer science class by Dave Smith, Evan McNabb, and Kendee Jones, and furthered contributed to by Michael Golden, Airfart became a wireless security tool created to identify and analyze wireless access points (see Figure 8-10). Comically named Airfart, for a combination of "Air" and "Traf" backwards (Traf being short for "traffic," if you already haven't figured it out,) this tool's back end is written in C and C++, with the front end entirely composed of GTK.

Figure 8-10: Airfart traffic analysis interface

The Airfart tool supports all Prism2 drivers and can be utilized with any standard Prism2 chipset-compatible wireless card. The Linux- borne GTK interface of Airfart displays the MAC address of the identify AP, its SSID, the corresponding manufacturer (as correlated by the MAC), the signal strength, the number of packets received, and whether it's still active or not. Installation and usage is simple and on par with most Linux and UNIX make/make install utilities. The Airfart source can be downloaded from SourceForge at http://airfart.sourceforge.net.

AiroPeek NX

AiroPeek NX (http://www.wildpackets.com) is a commercial 802.11 monitoring and analysis tool available for Windows 2000 and XP. A few other commercial solutions for 802.11 packet captures are available on Windows, but AiroPeek NX is the most usable and is priced the lowest . Unfortunately, there are no free tools available to perform packet capturing on Windows operating systems, so if you are stuck in Windows, using AiroPeek NX or another commercial product is your only option. AiroPeek supports Lucent and Cisco 802.11b cards and also has support for some of the newer 802.11a cards. AiroPeek NX is primarily designed for wireless network troubleshooting and analysis, but it does have some security friendly options as well (see Figure 8-11).

Figure 8-11: The AiroPeek NX Packets tab

AiroPeek NX supports channel scanning at a user -defined interval as well as decrypting traffic on the fly with a provided WEP key. AiroPeek NX's filtering is also very easy to configure, and you can save off filter combinations to template files. This gives you the ability to quickly switch between filter groups you may use for network discovery and other groups you may use for in-depth analysis. AiroPeek NX also provides a useful Nodes view, which groups detected stations by their MAC address and will also show IP addresses and protocols observed for each. The Peer Map view presents a matrix of all hosts discovered on the network by their connections to each other. This can make it very easy to visualize access point and client relationships.

WifiScanner

WifiScanner is a 802.11b wireless network scanner that identifies wireless access points. It is a rough interface written for Linux platforms utilizing the Prism2 card chipset. Information that is presented to users includes the AP's MAC address, SSID, channel, encryption strength (if any), number of packets received, and whether the AP is still active (see Figure 8-12).

Figure 8-12: WifiScanner Linux command-line interface

Each packet that is captured is displayed to a scrolling screen, as shown in Figure 8-12. The list will continue to scroll as long as packets are retrieved. The top window of WifiScanner is similar to an executive dashboard, providing high-level information about the access points. Airfart was created with the same idea in mind, and the interface is much cleaner. WifiScanner can be downloaded from its SourceForge home page at http://wifiscanner.sourceforge.net.