Tuesday, September 28, 2010

How To Install Kismet on Windows

Step One:


1.1 Download Cygwin setup from
Cygwin.com and start the installer.

1.2 Follow the instructions and install the default system. Warning: this can end up taking a couple of gigabytes on your drive. Feel free to figure out what isn't needed and let me know.

1.3 Under Development, add the following packages to be installed:
gcc
libtool
make

Under libs, add the following:
libncurses
libncurses-devel

Under Utils, add the following:
patch
patch-utils
tzcode time

1.4 Let the installer do its thing until Cygwin is installed.

1.5 Start Cygwin and, once you get a prompt, type the following to set up Cygwin so the compiler can see your local Windows users and groups:

mkpasswd -l > /etc/passwd
mkgroup -l > /etc/group

Step Two:


2.1 Download the GPSD 2.30 tarball

2.2 Untar the GPSD tarball with the following:

tar -zxvf gpsd-2.30.tar.gz

then copy the cygwin-2.diff file into the newly created gpsd-2.30 directory

cp cygwin-2.diff gpsd-2.30

2.3 Now we need to patch the GPSD source so that it compiles under Cygwin. Switch into the gpsd directory and feed the diff you copied there to patch on standard input:

cd gpsd-2.30
patch < cygwin-2.diff

You should see the following; if you don't, try again from the beginning:

patching file configure
patching file gpsd.h
patching file serial.c
patching file sirfmon.c

Now we can start compiling GPSD with:

./configure
make
make install

Provided you have installed all the necessary packages, GPSD should compile with a minimal amount of complaining.

Step Three:

3.1 Depending on your GPS receiver, there may be some changes necessary to running GPSD. However, with my limited testing, I've found you should be able to get by with just the following:

./gpsd /dev/comX

Where 'X' is the number of the COM port your receiver is hooked up to (com1, com2, etc.).

3.2 Provided your receiver is outputting NMEA sentences and has a fix, you can test GPSD quickly through telnet:

telnet localhost 2947
Once connected, type 'r' for raw mode

You should see GPS NMEA strings go flying by. If you don't, double check your receiver and the port number.

Step Four:

Provided GPSD is reading the strings, there should be no major changes required to Kismet to get it to work. Just make sure that kismet.conf is set up to use a GPS (it is by default: the gps=true and gpshost=localhost:2947 settings in the Kismet releases of this period), and make sure GPSD is running before you start Kismet. You should then see the coordinates on the screen.
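The telnet check in step 3.2 only shows that bytes are flowing; it does not tell you whether the sentences are intact or whether the receiver actually has a fix, which is what Kismet needs before it will record coordinates. The following is an added example (not code from the original post or from the gpsd project) that validates the NMEA checksum, extracts the fix from GGA sentences, and can optionally pull the live stream from gpsd 2.x on localhost:2947 using the same 'r' raw-mode command the post uses over telnet. The NMEA lines embedded in it are constructed sample data, not captured from a receiver.

```python
"""NMEA sanity check for the gpsd 2.x raw stream.

Added example: assumes gpsd 2.x on localhost:2947, where sending 'r' toggles
raw (NMEA pass-through) mode. SAMPLE_NMEA is constructed test data.
"""
import socket
from typing import Iterable, Iterator, Optional

# Constructed sample stream: a good GGA with a fix, the same sentence with a
# corrupted checksum, and a well-formed GGA that reports no fix (quality 0).
SAMPLE_NMEA = [
    "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47",
    "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*48",
    "$GPGGA,123520,,,,,0,00,,,M,,M,,*61",
]


def nmea_checksum_ok(sentence: str) -> bool:
    """True if sentence is '$...*HH' and HH is the XOR of every byte between $ and *."""
    sentence = sentence.strip()
    if not sentence.startswith("$") or "*" not in sentence:
        return False
    body, _, given = sentence[1:].partition("*")
    if len(given) != 2:
        return False
    calc = 0
    for ch in body:
        calc ^= ord(ch)
    try:
        return calc == int(given, 16)
    except ValueError:
        return False


def _dm_to_deg(value: str, hemi: str) -> float:
    """Convert NMEA ddmm.mmmm (lat) or dddmm.mmmm (lon) plus hemisphere to signed degrees."""
    dot = value.index(".")
    degrees = int(value[: dot - 2])
    minutes = float(value[dot - 2 :])
    deg = degrees + minutes / 60.0
    return -deg if hemi in ("S", "W") else deg


def parse_gga(sentence: str) -> Optional[dict]:
    """Return fix details from a GGA sentence, or None if it is not a valid GGA with a fix."""
    if not nmea_checksum_ok(sentence):
        return None
    fields = sentence.strip()[1:].split("*")[0].split(",")
    if not fields[0].endswith("GGA") or len(fields) < 10:
        return None
    quality = int(fields[6] or 0)  # 0 = no fix, 1 = GPS fix, 2 = DGPS fix
    if quality == 0 or not fields[2] or not fields[4]:
        return None
    return {
        "time": fields[1],
        "lat": _dm_to_deg(fields[2], fields[3]),
        "lon": _dm_to_deg(fields[4], fields[5]),
        "quality": quality,
        "sats": int(fields[7] or 0),
    }


def first_fix(lines: Iterable[str]) -> Optional[dict]:
    """First GGA sentence in the stream that carries a real fix, if any."""
    for line in lines:
        fix = parse_gga(line)
        if fix:
            return fix
    return None


def raw_lines(host: str = "localhost", port: int = 2947, timeout: float = 10.0) -> Iterator[str]:
    """Connect to gpsd 2.x, switch it to raw mode with 'r', and yield NMEA lines."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"r\n")
        buf = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                return
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                yield line.decode("ascii", "replace").rstrip("\r")


if __name__ == "__main__":
    # Offline check on the constructed sample, then the live stream if gpsd is up.
    print("sample fix:", first_fix(SAMPLE_NMEA))
    try:
        for n, line in enumerate(raw_lines()):
            print(line, "OK" if nmea_checksum_ok(line) else "BAD CHECKSUM")
            if n >= 20:
                break
    except OSError as exc:
        print("gpsd not reachable:", exc)
```

If every line prints OK but first_fix stays None, the receiver is alive but has no satellite lock, which is the case the post's "has a fix" proviso covers; a run of BAD CHECKSUM lines points at serial framing or baud problems on the COM port rather than at gpsd or Kismet.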

Saturday, September 25, 2010

Detect Rogue access points using Net Stumbler

Detecting the Device

There are a couple of ways of detecting rogue APs. One of the more popular and cost-effective techniques is to have a technician perform manual checks with a laptop or PDA running NetStumbler. NetStumbler is a tool for detecting all wireless networks within a broadcast area. There are actually two different versions of NetStumbler, and both are downloadable for free at the company's Web site.

One version is designed for use with laptops, while the other version (Mini Stumbler) is for use with a Pocket PC. Both versions also support GPS cards. This lets NetStumbler create a map showing the locations of all the wireless APs within a specified area.

The simplest way to hunt down a rogue AP is to take a laptop that's running NetStumbler and walk in the direction that produces the greatest signal strength from the questionable access point. You'll soon know if the signal is coming from within your building or from somewhere else. If the signal is coming from your building, you can use the signal strength to narrow down your search to a single room. After that, you'll just have to hunt around the room until you find the access point.

One thing to keep in mind when using NetStumbler: if you are using an 802.11b Wi-Fi card in your laptop, you can expect to find 802.11b and 802.11g access points. However, if you are running an 802.11a network, an 802.11b card will not detect it. That's because 802.11b uses a 2.4GHz signal, while 802.11a operates in the 5GHz range.

Thursday, September 23, 2010

How to block rogue access point

Once a rogue AP is discovered, the next immediate step is to block it from the network so that authorized clients don't associate with it.
There are two ways of blocking rogue APs.
1. Tit for tat: launch a denial-of-service (DoS) attack on the rogue AP so that it cannot serve any new wireless client.

2. Pull it out of the network: either the WLAN administrator manually locates the AP and physically pulls it off the LAN, or blocks the switch port to which the AP is connected.


Launching a DoS attack on the rogue AP: most wireless IDS vendors follow this practice. This is using offence for defence. Once a rogue AP is detected, the WLAN administrator can use the sensor to launch a DoS attack on it by sending a stream of disassociation (or deauthentication) frames spoofed from the rogue's BSSID, which works because 802.11 management frames are unauthenticated unless 802.11w management frame protection is in use. The same frames would knock clients off a neighbour's legitimate AP just as effectively, so containment should only be turned on for APs confirmed to be on your own wired network, and transmitting them against equipment you do not own may be unlawful.
Saturday, September 11, 2010

How to detect a rogue access point

Rogue Access Point Detection

Rogue detection is a two-step process: first discovering the presence of an Access Point in the network, then identifying whether it is a rogue or not. Some of the most commonly used techniques for AP discovery are:

- RF scanning
- AP scanning
- Using wired side inputs

RF scanning: Most WLAN IDS vendors follow this technique. Re-purposed access points that do only packet capture and analysis (a.k.a. RF sensors) are plugged in all over the wired network. These sensors are quick to detect any wireless device operating in the area and can alert the WLAN administrator. The drawback of sensors is the possibility of dead zones that no sensor covers. If a rogue Access Point finds its place in one of these dead zones, it might go unnoticed until more sensors are added.


AP Scanning: A few Access Point vendors build in the ability to detect neighbouring Access Points. If you deploy such Access Points in your WLAN they will automatically discover APs operating in the nearby area and expose the data through their web interface as well as their MIBs. Though very useful, the AP's ability to scan neighbouring devices is limited to a very short range; rogue APs operating outside this coverage area will go unnoticed. Moreover, this works only for those who deploy APs with such functionality.


Wired Side Inputs: Most network management software uses this technique to discover Access Points. This software uses multiple protocols to detect devices connected to the LAN, including SNMP, Telnet, CDP (Cisco Discovery Protocol, specific to Cisco devices), etc. This approach is reliable and proven, as it can detect an AP anywhere in the LAN irrespective of its physical location. Moreover, wireless NMSs can not only discover the AP but also constantly monitor it for health and availability. The bandwidth utilization of the AP over a period of time can be obtained and plotted in graphical form. For ease of troubleshooting, the operator can set thresholds on various AP parameters to be notified before a fault occurs. The limitation of this method is that any AP that doesn't support SNMP/Telnet etc. will go unnoticed by the network management software, and a consumer router installed as a NAT device hides its wireless side behind a single wired MAC.

Sunday, August 29, 2010

How to defend from rogue access point

There are a couple of ways of detecting Rogue APs. One of the more popular and cost-effective techniques is to have a technician perform manual checks with a laptop or PDA running NetStumbler. NetStumbler is a tool for detecting all wireless networks within a broadcast area. There are actually two different versions of NetStumbler, and both are downloadable for free at the company's Web site. One version is designed for use with laptops, while the other version (Mini Stumbler) is for use with a Pocket PC. Both versions also support the use of a GPS card. This allows NetStumbler to create a map showing the locations of all the wireless APs within a specified area.

The simplest way to hunt down a Rogue AP is to take a laptop that's running NetStumbler and walk in the direction that produces the greatest signal strength from the questionable access point. You'll soon know if the signal is coming from within your building or from somewhere else. If the signal is coming from your building, you can probably use the signal strength to narrow down your search to a single room. After that, you'll just have to hunt around the room until you find the access point.

One thing you should keep in mind when using NetStumbler is that if you are using an 802.11b Wi-Fi card in your laptop, you can expect to find 802.11b and 802.11g access points. However, if you are running an 802.11a network, an 802.11b NIC will not detect it. That's because 802.11b uses a 2.4GHz signal, while 802.11a operates in the 5GHz range.

Figuring out which access points are, in fact, rogue may sometimes be difficult. To avoid confusion, it's best that you judiciously document all of the access points in use in your business. If not, you might think you have a rogue AP on your network when one doesn't exist. For example, if your office has one AP and you suddenly detect two, you'd probably assume that one of the access points is rogue. This isn't always the case, though. For instance, one time I was attempting to set up a new AP in a small office, and while trying to establish a connection between my laptop and the new AP, a DHCP server in an adjoining office automatically assigned an IP address to my system. Now, was this a rogue access point? No. Instead, my wireless NIC was receiving a signal from a completely legitimate source that posed no danger to my network. Knowing how to identify the difference between a neighboring AP and a serious threat will save you plenty of headaches.

These techniques should work well enough in a small office, but for larger environments you should really consider investing in something a bit more specialized. There are a number of proprietary solutions available from a variety of credible vendors. These vendors will deploy an RF monitoring system into your network that watches the air and detects access points. Some go as far as classifying whether an unauthorized AP is actually plugged into your network and is an immediate threat, or whether it's just the local Starbucks across the street. Many of these systems can be deployed for pennies per square foot.

If you have such an environment, I'd recommend visiting the Aruba Networks Web site. Though not as economical as NetStumbler (the cost varies according to the size of your network), wireless products from Aruba can help you gain far greater control over your wireless network environment. Products from AirMagnet and AirDefense are also popular choices for wireless network security. These products allow you to track down rogues based on channel, MAC address, radio band, SSID or vendor. On top of that, they can monitor the air 24/7 and send alerts if a rogue is detected. They can also alert you to repeated authentication failures that might signal the presence of a hacker.

Every enterprise-class wireless network should have a wireless IDS/IPS (Intrusion Detection/Intrusion Prevention System) in place. A full-featured wireless IDS/IPS will detect and "kill" Rogue APs, detect and stop denial-of-service and man-in-the-middle attacks, and report on suspicious activity.

Wednesday, August 18, 2010

rogue access point

A rogue access point is a wireless access point that has either been installed on a secure company network without explicit authorization from a local network administrator,[1] or has been created to allow a hacker to conduct a man-in-the-middle attack. Rogue access points of the first kind can pose a security threat to large organizations with many employees, because anyone with access to the premises can ignorantly or maliciously install an inexpensive wireless router that can potentially give unauthorized parties access to a secure network. Rogue access points of the second kind target networks that do not employ mutual authentication (client to server and server to client) and may be used in conjunction with a rogue RADIUS server, depending on the security configuration of the target network.

To prevent the installation of rogue access points, organizations can install wireless intrusion prevention systems to monitor the radio spectrum for unauthorized access points.

A large number of wireless access points can be sensed in the airspace of a typical enterprise facility. These include managed access points in the secure network plus access points in the neighborhood. A wireless intrusion prevention system facilitates the job of auditing these access points on a continuous basis to find out whether there are any rogue access points among them.

In order to detect rogue access points, two conditions need to be tested: i) whether or not the access point is in the managed access point list, and ii) whether or not it is connected to the secure network. The first condition is easy to test: compare the wireless MAC address (the BSSID) of the access point against the managed BSSID list. However, automated testing of the second condition can become challenging in light of the following factors: a) the need to cover different types of access point devices, such as bridging APs, NAT (router) APs, unencrypted and encrypted wireless links, different relations between the wired and wireless MAC addresses of an AP, and soft access points; b) the necessity of determining access point connectivity with acceptable response time in large networks; and c) the requirement to avoid both false positives and false negatives, which are described below.

A false positive (crying wolf) occurs when the wireless intrusion prevention system classifies an access point that is not actually connected to the secure network as a wired rogue. Frequent false positives waste administrator time chasing them. The possibility of false positives also hinders enabling automated blocking of wired rogues, for fear of blocking a friendly neighborhood access point.

A false negative occurs when the wireless intrusion prevention system fails to classify an access point that actually is connected to the secure network as a wired rogue. False negatives leave security holes open.

If an unauthorized access point is found connected to the secure network, it is a rogue access point of the first kind (also called a "wired rogue"). If the unauthorized access point is found not to be connected to the secure network, it is an external access point. Among the external access points, any found to be mischievous or a potential risk (e.g., one whose settings can attract, or have already attracted, secure network wireless clients) is tagged as a rogue access point of the second kind (also called a "honeypot").
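The two-condition test above, together with the wired-side inputs of the September 11 post and the "block the switch port" option of the September 23 post, can be put into one piece of logic. The following is an added example (not code from the original posts or from any WIPS vendor) that classifies RF-sensor observations as managed, wired rogue, honeypot or external by checking the BSSID against the managed list and then looking for wired-side evidence in a switch MAC table. All BSSIDs, SSIDs, switch names and the MAC table are constructed sample data. Two assumptions are labelled in the code: a bridging AP's BSSID is often visible directly on the switch, and a wired MAC sharing the BSSID's OUI and differing by only a few addresses is the commonly used adjacency heuristic; it is a heuristic, so the example treats an adjacency-only hit as "possible" and only generates an automatic port block for an exact match, which is the false-positive concern the text raises. A NAT router whose wired MAC is unrelated to its BSSID produces no wired evidence at all and would surface only as honeypot or external, the false-negative case.

```python
"""Rogue AP classification from RF-sensor observations and a switch MAC table.

Added example, not the original posts' code nor any vendor's. All data below is
constructed. The MAC-adjacency rule is an assumed WIPS heuristic, not a fact
about every AP; NAT routers defeat it and are the false-negative case.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PortKey = Tuple[str, int]           # (switch name, port number)
OUI_MASK = 0xFFFFFF000000           # top 24 bits of a 48-bit MAC
ADJACENCY_WINDOW = 8                # assumed: wired MAC within 8 of BSSID, same OUI


@dataclass
class Observation:
    bssid: str      # BSSID as seen over the air by the RF sensor
    ssid: str
    channel: int


@dataclass
class Verdict:
    bssid: str
    kind: str       # managed | wired-rogue | possible-wired-rogue | honeypot | external
    evidence: str
    port: Optional[PortKey] = None


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def wired_evidence(bssid: str, cam: Dict[PortKey, List[str]]) -> Optional[Tuple[str, int, str]]:
    """Return (switch, port, 'exact'|'adjacent') if a wired MAC ties this BSSID to the LAN."""
    b = mac_to_int(bssid)
    adjacent = None
    for (switch, port), macs in cam.items():
        for mac in macs:
            m = mac_to_int(mac)
            if m == b:
                return (switch, port, "exact")     # BSSID itself on the wire (bridging AP)
            if (m & OUI_MASK) == (b & OUI_MASK) and abs(m - b) <= ADJACENCY_WINDOW:
                adjacent = adjacent or (switch, port, "adjacent")
    return adjacent


def classify(obs: Observation, managed: Set[str], corp_ssids: Set[str],
             cam: Dict[PortKey, List[str]]) -> Verdict:
    """Condition i) managed list, then ii) wired connectivity, then honeypot settings."""
    if obs.bssid.lower() in managed:
        return Verdict(obs.bssid, "managed", "BSSID in managed list")
    ev = wired_evidence(obs.bssid, cam)
    if ev and ev[2] == "exact":
        return Verdict(obs.bssid, "wired-rogue",
                       f"BSSID seen on {ev[0]} port {ev[1]}", (ev[0], ev[1]))
    if ev:
        return Verdict(obs.bssid, "possible-wired-rogue",
                       f"adjacent MAC on {ev[0]} port {ev[1]}; confirm before blocking",
                       (ev[0], ev[1]))
    if obs.ssid in corp_ssids:
        return Verdict(obs.bssid, "honeypot", "unmanaged AP advertising a corporate SSID")
    return Verdict(obs.bssid, "external", "not managed, no wired evidence")


def classify_all(observations: List[Observation], managed: Set[str], corp_ssids: Set[str],
                 cam: Dict[PortKey, List[str]]) -> List[Verdict]:
    return [classify(o, managed, corp_ssids, cam) for o in observations]


def containment_actions(verdicts: List[Verdict]) -> List[PortKey]:
    """Ports safe to shut automatically: only exact wired-rogue matches, never heuristic ones."""
    return [v.port for v in verdicts if v.kind == "wired-rogue" and v.port]


# Constructed sample data.
MANAGED = {"00:11:22:aa:bb:00"}
CORP_SSIDS = {"corp-wifi"}
CAM = {                                          # switch MAC table, e.g. from SNMP BRIDGE-MIB
    ("sw-floor2", 14): ["00:11:22:aa:bb:00"],    # the managed AP
    ("sw-floor2", 17): ["00:1e:ab:cd:ef:10"],    # a bridging rogue: BSSID on the wire
    ("sw-floor3", 3): ["00:1e:ab:cd:ef:23"],     # wired MAC 3 above a rogue's BSSID
    ("sw-floor3", 5): ["d4:5d:64:00:00:01"],     # unrelated printer
}
OBSERVED = [
    Observation("00:11:22:aa:bb:00", "corp-wifi", 6),
    Observation("00:1e:ab:cd:ef:10", "linksys", 11),
    Observation("00:1e:ab:cd:ef:20", "corp-wifi", 1),
    Observation("08:96:d7:00:00:0a", "corp-wifi", 6),   # corporate SSID, nothing on the wire
    Observation("08:96:d7:00:00:0b", "Starbucks", 1),   # the shop across the street
]

if __name__ == "__main__":
    verdicts = classify_all(OBSERVED, MANAGED, CORP_SSIDS, CAM)
    for v in verdicts:
        print(f"{v.bssid}  {v.kind:22s} {v.evidence}")
    print("auto-block:", containment_actions(verdicts))
```

Running it lists one managed AP, one wired rogue on sw-floor2 port 17, one possible wired rogue on sw-floor3 port 3 that needs a human before anyone touches the port, one honeypot and one external AP, and the only automatic action is the exact match. Widening ADJACENCY_WINDOW trades false negatives for false positives, which is exactly the tension the text describes.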