Penetration Testing mailing list archives

Re: Mapping wireless LANS from the wired side


From: Ted Doty <tdoty () mindspring com>
Date: Mon, 20 Aug 2001 21:25:30 -0400

On Monday 20 August 2001 07:51 pm, Joe Shaw wrote:

> There's no need for sniffing involved.  With an Aironet or Cisco card and
> the Cisco signal software I can walk around 802.11b enabled facilities and
> get the signal strength, signal quality and name of the AP I'm associated
> with.  As I walk around, I associate with more powerful APs.  There's no
> way to do this from the wired side.

This is correct, but is impractical if you have a lot of physically isolated 
locations and a small staff.  Good practice, to be sure - you definitely get 
accurate audit information by walking around, but it would be nice not to 
have to wait until the annual physical audit (you *do* have these, don't 
you?) to find all the wireless stuff.

> The problem is that some manufacturers aren't using different MAC
> addresses to differentiate their wired stuff from their wireless stuff.
> Furthermore, some manufacturers don't even make their own wireless
> equipment and OEM it from others.  Xircom cards are OEM Cisco/Aironet.
> Dell is OEM Orinoco.  I'm sure there are countless others.  Furthermore,
> an AP does not necessarily need a valid IP address to put traffic on the
> wired network or be wired to sniff from the wireless side.

Some of this is simplified if you use switched (wired) network topology.  
Most switches can be configured to capture the MAC address of the end 
station.  If there are multiple MAC addresses on a given port, and if one of 
them isn't an authorized bridging device, this should be suspicious.  
Wireless or wired, it means someone's messing with your network.

> If you want to be really evil, you don't even use an AP.  Just build a very
> small PC (libretto?) running whichever BSD or Linux you want, put in an
> Aironet card, start dsniff and you're done.  It will never be found by
> anyone looking without real RF gear unless you don't hide it well.  The
> reason is that I've found that when I put my Aironet 4800 PC card into
> promiscuous mode it completely loses the ability to send any information,
> including its MAC address for ARP requests.  Put it in monitor mode, and
> you get raw 802.11 frames (for useful things like cracking WEP) with the
> same end result of no transmission of packets.  I do not take credit for
> the libretto idea, as it was not mine.  There are many of us doing our own
> wireless research, and we're all starting to collaborate now.  By the end
> of summer you'll see a lot more in the area of 802.11b attack tools.
> Take a look at sourceforge and you'll find several public projects.  I
> know of at least twice that many currently being developed under wraps.

Well, if you want to counter evil with evil, you can deploy old, excess 
equipment with a wireless NIC to listen for 802.11 beacon signals.  Probably 
would be pretty easy to send an SNMP trap if it ever found something.  The 
difficulty is that many locations expect to see 802.11, if only from 
neighboring companies in the same building.  :-p

Still, having a canonical list of locations where 802.11 is present is a 
pretty good start for the security guys.

I guess this is pretty far off-topic from the point of view of a pen-test.

- Ted
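As an added illustration of the switch-side check Ted describes (this is not code from the thread): a small Python script that parses a constructed MAC-address-table dump in the style of a switch's "show mac address-table" output, groups addresses by port, and flags ports carrying more than one MAC unless the port is on an authorized-bridge list. It also reports a vendor hint from the OUI, which, as Joe's OEM point shows, is only a hint; the OUI table, port names and sample addresses are placeholders.

```python
"""Flag switch ports that may be hiding an unauthorized 802.11 bridge.

Constructed sample data throughout: the MAC table, the authorized uplink
port and the OUI-to-vendor table are placeholders, not real vendor data.
"""
from collections import defaultdict

# Constructed 'show mac address-table'-style dump: vlan, mac, type, port.
MAC_TABLE = """\
 10  0000.aa11.0001  DYNAMIC  Fa0/1
 10  0000.aa11.0002  DYNAMIC  Fa0/2
 10  0000.bb22.0003  DYNAMIC  Fa0/2
 10  0000.bb22.0004  DYNAMIC  Fa0/2
 10  0000.aa11.0005  DYNAMIC  Gi0/1
 10  0000.cc33.0006  DYNAMIC  Gi0/1
"""

# Ports where several MACs are expected, e.g. an uplink to another switch
# (assumption for this example).
AUTHORIZED_BRIDGE_PORTS = {"Gi0/1"}

# Placeholder OUI table.  Real OUIs are weak evidence on their own because
# OEM cards carry the original maker's OUI (Dell/Orinoco, Xircom/Aironet).
WIRELESS_OUIS = {"0000bb": "ExampleWireless"}


def parse_mac_table(text):
    """Return {port: [mac, ...]} with each MAC normalised to 12 hex chars."""
    by_port = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:          # skip headers, separators, blank lines
            continue
        _vlan, mac, _kind, port = fields
        by_port[port].append(mac.replace(".", "").replace(":", "").lower())
    return dict(by_port)


def suspicious_ports(by_port, authorized=AUTHORIZED_BRIDGE_PORTS, ouis=WIRELESS_OUIS):
    """Ports with more than one MAC that are not authorized bridges.

    Each finding carries the MAC count and any wireless-vendor OUI hints.
    """
    findings = {}
    for port, macs in by_port.items():
        if len(macs) < 2 or port in authorized:
            continue
        vendors = sorted({ouis[m[:6]] for m in macs if m[:6] in ouis})
        findings[port] = {"mac_count": len(macs), "wireless_oui_hits": vendors}
    return findings


if __name__ == "__main__":
    for port, info in suspicious_ports(parse_mac_table(MAC_TABLE)).items():
        print(f"{port}: {info['mac_count']} MACs, OUI hints {info['wireless_oui_hits']}")
```

A port that trips this check still needs a physical look: a legitimate hub or a second switch on the port produces the same pattern, which is why the authorized-bridge list exists.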
