Wednesday, 14 November 2007

Why do wireless attacks occur?

Many people think that it is easy to track down and catch an attacker who has made illicit use of your wireless network. In this post I will explain why it is not so easy.

First, an attacker does not need to transmit anything in order to monitor wireless traffic. The attacker can remain entirely passive. In a passive attack the attacker could be sitting on a hilltop 200 km away from your site with a high-gain antenna. They never send a packet back to you; they simply sniff the secrets going by. In this case there is next to no hope of catching the attacker, or for that matter of even knowing that you are being attacked in the first place. This is where the value of a good security infrastructure comes into play: if what goes over the air is properly encrypted and authenticated, what the passive attacker collects is worthless to them.

The case most people think of, and the one where we have at least a small chance, is the active attacker. This is the attacker who is actively interacting with your network and systems rather than just waiting for traffic to float past. One thing to remember: a passive attacker can become an active attacker without notice.

So let’s address this in detail.

To do so, let's look at the threats first. We have:

  • Friendly – unprotected wireless networks deployed in ignorance (a neighbour's open AP, for instance).
  • Malicious – either a malicious rogue attacker or a planted rogue network or AP.
  • Unintended – equipment deployed without authorisation and likely incorrectly configured (this group commonly includes infrastructure rogues, such as an AP a staff member plugs into the wired LAN for convenience).
The friendly and unintended threats are easy to find. They will be an AP or wireless card in the local proximity, and so are easy to trace. As such we can ignore these for the purpose of this post.

There are a variety of means to discover rogues on the wireless network. These include:

  1. Wired-side AP fingerprinting

  2. Wired-side MAC prefix analysis

  3. Wireless-side warwalking

  4. Wireless-side client monitoring

  5. Wireless-side WLAN IDS
If your intention is to test your own malfunctioning or misconfigured equipment on your network, then there is no crime. If you know it is not your device and you attack it in full knowledge, then a crime is the result. For example, you can run a Nessus AP fingerprint scan on your own (or what you believe to be your own) equipment with impunity, assuming you have the necessary permissions and rights.

In the case of an attacker external to the network, we can ignore options 1 and 2: wired-side methods only find devices that are attached to your own wired network, and an external attacker's equipment is not. If the attack came from a rogue device (an AP, for instance) on the wired-side network, scanning is legally acceptable, since scanning your own equipment is an acceptable legal option. This still does not grant the right to actively attack the device once you discover it is a rogue. This is a matter of intention.

As for wireless-side analysis... This is easy to do, but it is time consuming, error prone (there is a risk of false negatives and a good chance of false positives) and is likely to miss or incorrectly correlate moving targets.

Kismet allows you to save filters based on the BSSIDs and MAC addresses it discovers. Kismet can then be configured to ignore all authorised networks. This allows the creation of a baseline, and the baseline allows alerting on exceptions, that is, unauthorised APs. (In rfmon mode Kismet transmits nothing, so it is virtually undetectable by conventional methods.)
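The baseline idea above, and the wired-side MAC prefix analysis from the list of discovery methods, come down to the same comparison: take what was observed, match it against what is authorised, and report the exceptions. The following is an added example written for this post; it is not code from the original post or from Kismet. It assumes a hand-maintained baseline of authorised APs (BSSID, ESSID, channel) and uses a small constructed vendor-prefix (OUI) table in place of the IEEE registry; the observations are constructed in the shape a Kismet-style scan would produce. It flags unknown BSSIDs, an "evil twin" (an authorised ESSID advertised from an unknown BSSID), non-approved vendor prefixes, and authorised APs whose ESSID, channel or encryption has changed.

```python
"""Baseline comparison for rogue access points.

Added example, not code from the original post or from Kismet. It
assumes a hand-maintained baseline of authorised APs and a small
constructed vendor-prefix (OUI) table in place of the IEEE registry;
the observations are constructed in the shape a Kismet-style scan
would produce.
"""
from dataclasses import dataclass

# Assumed baseline of authorised APs: BSSID -> (ESSID, channel).
AUTHORISED = {
    "00:11:22:aa:bb:01": ("corp-wifi", 1),
    "00:11:22:aa:bb:02": ("corp-wifi", 6),
    "00:11:22:aa:bb:03": ("corp-wifi", 11),
}
AUTHORISED_ESSIDS = {essid for essid, _ in AUTHORISED.values()}

# Constructed OUI stub (first three octets -> vendor); a real check would
# use the IEEE OUI list. "CorpAPVendor" is a hypothetical vendor name.
OUI_VENDORS = {
    "00:11:22": "CorpAPVendor",
    "00:0c:41": "Linksys",
}
APPROVED_VENDORS = {"CorpAPVendor"}


@dataclass
class Observation:
    bssid: str
    essid: str
    channel: int
    encryption: str   # "none", "wep" or "wpa"


def vendor_of(bssid):
    """MAC prefix analysis: map the OUI (first three octets) to a vendor."""
    return OUI_VENDORS.get(bssid.lower()[:8], "unknown")


def classify(obs):
    """Return the list of exceptions for one observed network (empty if clean)."""
    bssid = obs.bssid.lower()
    findings = []
    if bssid not in AUTHORISED:
        if obs.essid in AUTHORISED_ESSIDS:
            findings.append("evil twin: authorised ESSID on unknown BSSID")
        else:
            findings.append("unknown BSSID")
        vendor = vendor_of(bssid)
        if vendor not in APPROVED_VENDORS:
            findings.append(f"vendor prefix {vendor} not on approved list")
        return findings
    # Known BSSID: check that it still looks the way the baseline says.
    essid, channel = AUTHORISED[bssid]
    if obs.essid != essid:
        findings.append(f"ESSID changed from {essid!r} to {obs.essid!r}")
    if obs.channel != channel:
        findings.append(f"channel changed from {channel} to {obs.channel}")
    if obs.encryption == "none":
        findings.append("authorised AP is now unencrypted")
    return findings


def check_scan(observations):
    """Map BSSID -> findings for every observation that is not clean."""
    report = {}
    for obs in observations:
        findings = classify(obs)
        if findings:
            report[obs.bssid.lower()] = findings
    return report


# Constructed scan: three authorised APs, one evil twin, one home router.
SCAN = [
    Observation("00:11:22:AA:BB:01", "corp-wifi", 1, "wpa"),
    Observation("00:11:22:AA:BB:02", "corp-wifi", 6, "wpa"),
    Observation("00:11:22:AA:BB:03", "corp-wifi", 11, "wpa"),
    Observation("00:0C:41:12:34:56", "corp-wifi", 6, "none"),
    Observation("00:0C:41:DE:AD:00", "linksys", 6, "none"),
]

if __name__ == "__main__":
    for bssid, findings in check_scan(SCAN).items():
        print(bssid, "->", "; ".join(findings))
```

Note that a baseline like this only tells you that an exception exists, which is exactly the limitation discussed further down: it says nothing about where the unknown BSSID physically is.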

AiroPeek NX is a commercial option for those companies that do not like to use open source software. Either method is time consuming and amounts to a "point in time" audit. Warwalking cannot be set up to wait and report on exceptions.

AirWave RAPIDS is a commercial option that conducts both wired-side and wireless-side monitoring and assessment. It monitors and reports on wireless activity and flags (and alerts on) new networks as potential rogue APs. This is an expensive option, with a licence required for every client. There are also trade-offs: either the monitoring will be weak, or the wireless networking of the hosts doing the monitoring will be impacted.

There are also wireless-side WLAN IDS deployments; Aruba is an example. Again these are costly and require that sensors be deployed at every facility using wireless (and, if you really want to be safe, at those that do not as well).

None of this helps us find the rogue – we only find out that one may exist.

So, you finally ask, how can we discover the rogue?

First there is a manual analysis process using signal-to-noise ratios (SNR). SNR is at its maximum when the devices are associated. The idea is to map the SNR over the area and home in on the antenna (note: the antenna, not the rogue itself, which may sit at the far end of a cable). These techniques rely heavily on guess-work. Kismet and a GPS will help.

Directional analysis makes this a little easier. This requires a directional antenna and RSSI readings (Received Signal Strength Indicator: the signal and noise levels reported for a wireless device). Channel hopping should be disabled while doing this so that the card stays on the rogue's channel, and it is essentially a matter of trial and error: sweep the antenna, note the bearing with the strongest signal, move, and repeat.

Rapfinder (open source) is a tool that aids in this process. AirMagnet is a commercial handheld tool designed to locate the source of a radio signal (as you get closer, the clicks increase in frequency, like a Geiger counter).

Next we get to triangulation (strictly speaking, trilateration from signal strength). Even this is not 100% accurate, because of RF interference, signal loss and radio propagation patterns (which vary with the physical position). Aruba AirMonitor with three sensors will find local APs with a fair degree of accuracy.
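To show why the three-sensor approach is only "fairly" accurate, here is the arithmetic behind it, as an added worked example rather than code from the original post or from any of the products named. It converts each sensor's RSSI to a distance with a log-distance path-loss model (a reference RSSI of -30 dBm at 1 m and a path-loss exponent of 3 are assumed values for an obstructed indoor space), then solves for the position from three sensors. The sensor layout, the true rogue position and the 6 dB measurement errors in the second run are all constructed. With exact readings the fix is exact; with an ordinary 6 dB swing on each sensor, the kind that multipath and a few walls produce, the fix lands more than 20 m from the truth.

```python
"""Trilateration of a rogue AP from RSSI at three sensors.

Added example, not code from the original post. The path-loss model
constants, sensor positions, rogue position and the 6 dB measurement
errors are all assumed/constructed for illustration.
"""
import math

P0_DBM = -30.0      # assumed RSSI at 1 m from the transmitter
PATH_LOSS_N = 3.0   # assumed path-loss exponent (indoor, obstructed)

# Constructed layout (metres): three sensors and the true rogue position.
SENSORS = ((0.0, 0.0), (40.0, 0.0), (0.0, 30.0))
TRUTH = (10.0, 12.0)


def rssi_from_distance(d, p0=P0_DBM, n=PATH_LOSS_N):
    """Log-distance path-loss model: RSSI (dBm) at distance d (metres)."""
    return p0 - 10.0 * n * math.log10(d)


def distance_from_rssi(rssi, p0=P0_DBM, n=PATH_LOSS_N):
    """Invert the model: estimated distance (metres) from an RSSI reading."""
    return 10.0 ** ((p0 - rssi) / (10.0 * n))


def trilaterate(sensors, ranges):
    """Solve for (x, y) from three sensor positions and three ranges.

    Subtracting the circle equation of sensor 1 from those of sensors 2
    and 3 leaves two linear equations in x and y, solved by Cramer's rule.
    """
    (x1, y1), (x2, y2), (x3, y3) = sensors
    r1, r2, r3 = ranges
    a1, b1 = 2.0 * (x2 - x1), 2.0 * (y2 - y1)
    c1 = r1**2 - r2**2 - x1**2 + x2**2 - y1**2 + y2**2
    a2, b2 = 2.0 * (x3 - x1), 2.0 * (y3 - y1)
    c2 = r1**2 - r3**2 - x1**2 + x3**2 - y1**2 + y3**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("collinear sensors: no unique position fix")
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)


def locate(sensors, rssis):
    """RSSI readings at each sensor -> estimated (x, y) of the transmitter."""
    return trilaterate(sensors, [distance_from_rssi(r) for r in rssis])


def position_error(estimate, truth):
    """Straight-line distance (metres) between the fix and the true position."""
    return math.hypot(estimate[0] - truth[0], estimate[1] - truth[1])


# What the sensors would report if the model were exact.
CLEAN_RSSI = [rssi_from_distance(math.hypot(TRUTH[0] - sx, TRUTH[1] - sy))
              for sx, sy in SENSORS]
# The same readings with a constructed +6/-6/+6 dB error per sensor.
NOISY_RSSI = [r + e for r, e in zip(CLEAN_RSSI, (6.0, -6.0, 6.0))]


def demo():
    """Return the position error (metres) for the clean and noisy readings."""
    return {
        "clean_error_m": position_error(locate(SENSORS, CLEAN_RSSI), TRUTH),
        "noisy_error_m": position_error(locate(SENSORS, NOISY_RSSI), TRUTH),
    }


if __name__ == "__main__":
    for name, err in demo().items():
        print(f"{name}: {err:.1f}")
```

The sensitivity comes from the model itself: distance scales as 10 to the power of (error in dB / 10n), so a 6 dB error moves each range by a factor of about 1.6 in one direction or the other, and the three circles no longer meet where the rogue is. Outdoors, where the exponent is lower and the attacker may be kilometres away, the same dB error translates into a far larger distance error.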

However, this brings us to the point. An attacker is not always going to be located locally. The range with a good high-gain Yagi antenna is a radius of over 10 km. That is an area of over 300 square km. So have fun searching: that is about 30,000 households, businesses and so on.

Tracking a wireless attacker is not a trivially easy task. Sometimes people get lucky, but this is how it really works.
