RE: RFMON detection

["Steven Hess" <stevehess () covad net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I tried to see what could be done with the rather crude tools I have
at my disposal. I was awaiting a tower crew to finish, and the TV
transmitters were off, making an unusually quiet RF environment. 

Agilent E440 B Spectrum Analyzer
2.4 gig antenna from Belkin network card
Sharp Zaurus running Kismet
Ambicom Model WL1100C-CF 802.11 CF card
Linksys WPC11 PCMCIA card
Linksys BEFW 1154 WAP
Linksys WSB24 signal booster

The AP was set up, and the PCMCIA was put in a laptop. The Zaurus was
either running Kismet - or accessing the AP normally. 

I had a little trouble detecting the main carriers at 2.4 gig. There
is no continuous carrier, but a series of fast peaks running about
13db above reference of 650 mV. Digital signals are hard to pull out
of the grass. A satellite digital signal on an analog satellite
receiver just looks like noise - and I believe it can be a few db
down from the noise floor and still work. 

For this setup the best way was to single sweep at random and snap a
spectrum picture. The system I have would be better served with a
"personality" for 802.11x - like it has for QPSK or CDMA. No such
luck - a standard spectrum was the only way I could see the carriers.

Even with the antenna parked right up on the Zaurus, I could not find
an IF. However, this may have something to do with the bandpass of
the 2.4 gig antenna - I have no idea how many dB down in sensitivity
at the supposed IF frequency that particular antenna was. 


- -----Original Message-----
From: hax [mailto:uberhax () gmail com] 
Sent: Saturday, July 10, 2004 2:09 AM
To: stevehess () techie com
Cc: Austin Godber; security-basics () securityfocus com
Subject: Re: RFMON detection


> The detection of radio reception is utilized in the following
> systems.  
>
> Neilsen / Arbitron channel detection - short range detection of the
>   television or radio IF frequency, to determine the channel or 
> frequency the viewer or listener is tuned to. For example, this is
> the   method the Neilsen set top box detects the viewed channel in
> a metered   household. (system is going away with the APM rollout).
> I believe the   BBC uses a similar system in mobile vans to catch
> unlicensed (untaxed)   TV receivers in Great Britain.
>
> IMHO - It is theoretically possible to detect the IF frequency of
> the   802.11x card, as they all use analog RF detection methods.
> However,   the card RF section is usually shielded, and 2.5 gig
> band is full of   everything from microwave ovens, at approx 2150
> MHz, to portable
> phones. Very noisy analog area. Your mileage could vary.

Well, I guess that's the answer to the RFmon question.
It'd be interesting if anyone has the equipment laying around to do
top box detection to see if it could be modified for 802.11, if for
nothing else than proof of concept.

- --hax


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBQO+wVCIuNDPeTcEfEQIsTACgtahS4//7i3sju1DRmkCWouZyPeYAoNb/
KPTHDP8mQOcuqZgut7pQ/T5u
=qmzv
-----END PGP SIGNATURE-----



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------