Tuesday, September 28, 2010

How To Install Kismet on Windows

Step One:

1.1 Download Cygwin setup from Cygwin.com and start the installer.

1.2 Follow the instructions and install the default system. Warning: this can end up taking a couple of gigabytes on your drive. Feel free to figure out what isn't needed and let me know.

1.3 Under Development, add the following packages to be installed:
gcc
libtool
make

Under libs, add the following:
libncurses
libncurses-devel

Under Utils, add the following:
patch
patch-utils
tzcode time

1.4 Let the installer do its thing until Cygwin is installed.

1.5 Start Cygwin and, once you get a prompt, type the following to set up Cygwin so the compiler can see your local Windows users:

mkpasswd -l > /etc/passwd
mkgroup -l > /etc/group

Step Two:

2.1 Download the GPSD 2.30 tarball

2.2 Untar the GPSD tarball with the following:

tar -zxvf gpsd-2.30.tar.gz

then copy the cygwin-2.diff file into the newly created gpsd-2.30 directory

cp cygwin-2.diff gpsd-2.30

2.3 Now we need to patch the GPSD source so that Cygwin can compile. Switch into the gpsd directory and patch the source:

cd gpsd-2.30
patch < cygwin-2.diff

You should see the following; if you don't, try again from the beginning:

patching file configure
patching file gpsd.h
patching file serial.c
patching file sirfmon.c

Now we can start compiling GPSD with:

./configure
make
make install

Provided you have installed all the necessary packages, GPSD should compile with a minimal amount of complaining.

Step Three:

3.1 Depending on your GPS receiver, there may be some changes necessary to running GPSD. However, with my limited testing, I've found you should be able to get by with just the following:

./gpsd /dev/comX

Where 'X' is the number of the COM port your receiver is hooked up to (com1, com2, etc.).

3.2 Provided your receiver is outputting NMEA sentences and has a fix, you can test GPSD quickly through telnet:

telnet localhost 2947
Once connected, type 'r' for raw mode

You should be seeing GPS NMEA strings go flying by. If you don't, double-check your receiver and port.

Step Four:

Provided GPSD is reading the strings, there should be no major changes required to Kismet to get it to work. Just make sure that the kismet.conf file is set up to use a GPS (it is by default), and make sure GPSD is running before you start Kismet; you should then see the coordinates on the screen.
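A quicker check for step 3.2 than watching strings fly by: the script below (added here, not part of the original post or of gpsd/Kismet) verifies the NMEA checksum on each line of gpsd's raw output, so a wrong COM port or baud rate shows up as invalid sentences rather than a silent screen. It assumes a POSIX sh and the standard telnet client; the sample lines are constructed.

```shell
#!/bin/sh
# Validate NMEA sentences from gpsd raw mode (step 3.2). A sentence is "$<body>*HH",
# HH being the XOR of every byte of <body> as two hex digits; lines that fail this
# are port, baud-rate or wiring noise rather than GPS data.

nmea_checksum_ok() {
    line=$(printf '%s' "$1" | tr -d '\r\n')        # telnet/gpsd lines end in CRLF
    case $line in
        \$*\*[0-9A-Fa-f][0-9A-Fa-f]) ;;             # must look like $...*HH
        *) return 1 ;;
    esac
    body=${line#\$}; body=${body%\*??}             # text between '$' and '*'
    given=$(printf '%s' "${line##*\*}" | tr 'a-f' 'A-F')
    x=0
    while [ -n "$body" ]; do
        c=${body%"${body#?}"}                      # peel off the first character
        body=${body#?}
        x=$(( x ^ $(printf '%d' "'$c") ))          # XOR in its ASCII code
    done
    [ "$(printf '%02X' "$x")" = "$given" ]
}

# Read a stream of lines; print "<valid> <invalid>" and succeed only if some line was valid.
count_nmea() {
    ok=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        if nmea_checksum_ok "$line"; then ok=$((ok + 1)); else bad=$((bad + 1)); fi
    done
    echo "$ok $bad"
    [ "$ok" -gt 0 ]
}

# Against a running gpsd (illustrative; the 'r' switches it to raw mode as in step 3.2):
#   { printf 'r\n'; sleep 3; } | telnet localhost 2947 | count_nmea
# Constructed sample standing in for that session: one good GGA sentence, the same
# sentence with a corrupted checksum, and a line of serial garbage.
sample='$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47
$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*48
garbage line from a wrong baud rate'
printf '%s\n' "$sample" | count_nmea                # prints "1 2"
```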

Saturday, September 25, 2010

Detect Rogue access points using NetStumbler

Detecting the Device

There are a couple of ways of detecting rogue APs. One of the more popular and cost-effective techniques is to have a technician perform manual checks with a laptop or PDA running NetStumbler. NetStumbler is a tool for detecting all wireless networks within a broadcast area. There are actually two different versions of NetStumbler, and both are downloadable for free at the company's Web site.

One version is designed for use with laptops, while the other version (Mini Stumbler) is for use with a Pocket PC. Both versions also support GPS cards. This lets NetStumbler create a map showing the locations of all the wireless APs within a specified area.

The simplest way to hunt down a rogue AP is to take a laptop that's running NetStumbler and walk in the direction that produces the greatest signal strength from the questionable access point. You'll soon know if the signal is coming from within your building or from somewhere else. If the signal is coming from your building, you can use the signal strength to narrow down your search to a single room. After that, you'll just have to hunt around the room until you find the access point.

One thing to keep in mind when using NetStumbler: if you are using an 802.11b Wi-Fi card in your laptop, you can expect to find 802.11b and 802.11g access points. However, if you are running an 802.11a network, an 802.11b card will not detect it, because 802.11b uses the 2.4GHz band while 802.11a operates in the 5GHz range.

Thursday, September 23, 2010

How to block a rogue access point

Once a rogue AP is discovered the next immediate step is to block the AP from the network so that the authorized clients don’t associate with it.
There are two ways of blocking the rogue APs.
1. Tit for Tat: Launch a Denial-of-service (DoS) attack on the rogue AP and make it deny wireless service to any new client.

2. Pull it out of the network: either the WLAN administrator can manually locate the AP and physically pull it off the LAN, or block the switch port to which the AP is connected.


Launching a DoS attack on the rogue AP: Most wireless IDS vendors follow this practice, which amounts to using offence for defence. Once a rogue AP is detected, the WLAN administrator can use the sensor to launch a DoS attack on it by sending numerous disassociation packets.

Saturday, September 11, 2010

How to detect a rogue access point

Rogue Access Point Detection

Rogue detection is a two-step process: first discovering the presence of an Access Point in the network, and then identifying whether it is a rogue or not. Some of the most commonly used techniques for AP discovery are:

- RF scanning
- AP scanning
- Using wired-side inputs

RF scanning: Most WLAN IDS vendors follow this technique. Re-purposed access points that do only packet capture and analysis (a.k.a. RF sensors) are plugged in all over the wired network. These sensors quickly detect any wireless device operating in the area and can alert the WLAN administrator. The drawback of these sensors is the possibility of dead zones not covered by any sensor: if a rogue Access Point finds its place in one of these dead zones, it may go unnoticed until more sensors are added.


AP Scanning: A few Access Point vendors offer the ability to detect neighbouring Access Points. If you deploy such Access Points in your WLAN, they will automatically discover APs operating in the nearby area and expose the data through their web interface as well as their MIBs. Though very useful, an AP's ability to scan neighbouring devices is limited to a very short range; rogue APs operating outside this coverage area will go unnoticed. Moreover, this works only for those who deploy APs with such functionality.


Wired Side Inputs: Most network management software uses this technique to discover Access Points. It uses multiple protocols to detect devices connected to the LAN, including SNMP, Telnet, CDP (Cisco Discovery Protocol, specific to Cisco devices), etc. This approach is very reliable and proven, as it can detect an AP anywhere in the LAN irrespective of its physical location. Moreover, wireless NMSs can not only discover the AP but also constantly monitor it for health and availability. The bandwidth utilization of the AP over a period of time can be obtained and plotted in graphical form. For ease of troubleshooting, the operator can set thresholds on various AP parameters to be notified before a fault occurs. The limitation of this method is that any AP that doesn't support SNMP, Telnet, etc. will go unnoticed by the network management software.