Home: www.packetnexus.com
Sniffing Wireless From Remote Locations

Summary: A friend of mine got me started on the subject of wireless LAN and the insecurities of it. Basically, a wireless LAN uses radio signals, like most other things wireless. This being the case, why could we not turn our laptops into radios capable of receiving these signals?

Hardware:
Sony Vaio SR-5k running OpenBSD 2.8
Toshiba Satellite Pro 415CS (P-90, 16MB, 1gig) running FreeBSD 4.2-RELEASE
Lucent Wavelan Gold (128 bit encryption)
Lucent Wavelan Antenna
promiscuous interface software such as tcpdump and dsniff

Tips: Install the necessary network and security auditing tools such as dsniff, nmap, hping, nbaudit (you will see lots of Windows machines) from the ports tree; also smbtcpdump and samba if you wish to map shares.

Listening In: To start listening, what I do is have a virtual console with a shell prompt for me to issue commands from, one with tcpdump -n running (you monitor this for traffic), and another virtual console with tcpdump logging to file. Remember to set the snaplen to something a little more reasonable than the default of 96 bytes, otherwise all you will capture is the first 96 bytes of each packet. By saving to a file you can go back and run tcpdump with the -r option and use different options, or run strings on the file to look for interesting text.

Now, you need to have your wi adapter set up to some reasonable settings. For best results hunting I use "wicontrol -i wi0 -p 1 -f 3": 3 is the default channel that the cards seem to be on, and -p 1 puts the interface in BSS (Basic Service Set) infrastructure mode; by default the interface is in ad-hoc mode. In infrastructure mode every machine sends all its traffic to one central point (i.e. an access point or gateway). We are hunting for access points, because they are usually set up with an antenna, and thus are easier to find than an ad-hoc network of a few computers.

After a few minutes of driving around (in an urban environment) and looking at the screen with tcpdump -n running you should start to see some traffic.

Determining What You Are Seeing: Get the list of OUI #'s from IEEE (aids in determining what type of equipment is on the network), and the list of networks and who owns the IP block from ARIN. This helps you figure out what network you are looking at while on the network; keep a local copy on the laptop so you can reference this while in the field. Assign yourself an IP; usually you are seeing non-routable IPs because this network is behind a firewall/NAT box, and that gives you the ability to choose from a large number of IPs. Once you have an IP you can proceed to map and audit their network for vulnerabilities. Once you get back home go over your logs, and make a mental note of where you were when you got this dump; then if there is something that identifies it as company XXX, look at company XXX's website and determine where their office is.

What You Will Most Likely See: One thing that will become apparent is that a lot of these networks are Windows/Novell, from the amount of SMB and IPX/SPX that you will see. I also saw a significant amount of IP multicast at certain places.

Status: Still in development and exploration. I'd like to correlate my position via GPS with the time stamps from the tcpdump logs so I can automate the process of figuring out where I was when I got this traffic and the strength of the signal, and possibly integrate and plot it with some GIS software/data. The data for the 15-minute sectionals is freely available from the USGS.