Performing a Wireless Network Security Assessment

It would be easy for me to tell you that due to the security dangers of wireless networking, you should just not allow any wireless access on your network. However, that would be analogous to telling you to stick your head in the sand and hope the problem will go away. Wireless access is not going away. It is one of the hottest areas for growth and investment in the technology area. Vendors are churning out wireless adapters for all kinds of devices at a scary and ever-cheaper rate. Many retail companies such as McDonald's and Starbucks are installing wireless access points in their stores to attract customers. Intel Centrino laptops have a wireless radio built right in. Your users will come to expect the freedom that wireless LAN technology brings. They will want to be able to log on with their wireless-enabled laptops anytime, anywhere. This means that you are going to have to deal with your wireless security sooner or later. The tools in this chapter will help you assess your wireless network security and take steps to improve it if need be. It will also help you to deploy a wireless LAN solution more securely if you are doing it for the first time.

Equipment Selection

To perform wireless network security assessments, you will need at a minimum a wireless network card, a machine to run it on, and some software.

Wireless Cards

Most of the software covered in this chapter is free, but you will have to buy at least one wireless network card. There are many different manufacturers to choose from and prices are quite competitive. Expect to pay from $40 to $80 for a basic card. You will want to carefully research your choice of manufacturers and models because not all cards work with all wireless software packages.

There are basically three different chipsets for 802.11b devices. The Prism II chipset by Intersil is probably the most common and is used by Linksys, the largest manufacturer of consumer wireless cards. The Lucent Hermes chipset is used in the WaveLAN and ORiNOCO cards and tends to be in higher-end corporate equipment. Cisco has its own proprietary chip, which has some special security features. The Prism II cards will work on Kismet wireless, the Linux software reviewed in this chapter, but not on the Windows platform. D-Link cards work with Windows but not with the Windows security toolkits that are commonly available. Also, models of particular manufacturers can be important. The older Linksys USB cards used a different chipset and do not work on well Linux.

To add to this confusion, some of the newer protocols aren't supported yet by many packages. The current versions of the software packages reviewed in this chapter don't support the newer 802.11g standard. The major vendors have yet to release their interface code for software developers to write to. Once they do, the drivers should become available shortly thereafter. You should check the respective software Web sites before purchasing your equipment for supported cards and protocols. For purposes of these reviews, I used the ORiNOCO Gold PCMCIA card, which works well with both the Windows and Linux software.

Hardware and Software

In terms of hardware to load the software on, just about any decently powered machine will do. The UNIX software ran fine for me on a PII 300 with 64MB of ram. The Windows software should also run on a system like this. You should definitely load the software on a laptop since you are going to be mobile with it. There is a Palm OS version of Kismet Wireless and a Pocket PC version of NetStumbler available, so you can even put them on palmtops. There are now wireless cards available for both major platforms (Palm and Pocket PC) of the smaller handheld computers that can take advantage of this software.

You should also make sure you have plenty of hard disk space available if you intend to attempt cracking WEP keys. This requires anywhere from 500MB to several gigabytes of space. Be careful not to leave the machine unattended if you are sniffing wireless data and don't have a lot of extra space—you could easily fill up your hard drive and crash the computer.

If you are auditing your wireless perimeter and want to know exact locations, you may also consider getting a small handheld GPS receiver. Make sure your GPS device has an NMEA-compatible serial cable to interface with your laptop. With this hardware, you can log the exact points from which your wireless access points are available. The products covered in this chapter have the capability to take GPS data directly from the receivers and integrate it into the output. Finally, if you can spring for GPS-compatible mapping software such as Microsoft MapPoint, you can draw some really nice maps of your assessment activity.

Antennas

For wireless sniffing around the office, the built-in antennas on most cards work just fine. However, if you really want to test your wireless vulnerability outdoors, you will want an external antenna that lets you test the extreme range of your wireless network. After all, the bad guys can fashion homemade long-range antennas with a Pringles can and some PVC. You can buy inexpensive professional-grade wireless antennas from several outfits. I bought a bundle that came with the ORiNOCO card and an external antenna suitable for mounting on the top of a car.

This is another reason you need to choose your wireless card carefully. Some cards allow external antennas to be attached but others do not. You should be sure the card(s) you purchase have a port for one if you intend to do wireless assessments. Cards known to allow external antennas are the ORiNOCO mentioned earlier as well as the Cisco, Samsung, and Proxim cards.

Now that you have the background and the gear, let's check out some free software that will let you get out there and do some wireless assessments (on your own network, of course!).

NetStumbler is probably the most popular tool used for wireless assessments, mainly because it is free and it works on the Windows platform. In fact, it is so popular that its name has become synonymous with war driving, as in "I went out NetStumbling last night." I guess the author so-named it because he "accidentally" stumbled on wireless networks while using it.

NetStumbler isn't considered truly open source since the author doesn't currently make the source available. However, it is freeware and it is worth mentioning since it's the most widely used tool on the Windows platform. There are many open source add-ons available for it (one of these is discussed later in this chapter). It also has a very open source mentality in terms of its user community and Web site. The Web site is highly informative and has lots of good resources for wireless security beyond just the program. There is also a mapping database where other NetStumblers enter access points that they found while using the program. If your company's wireless network is in the database and you want it removed, they will be happy to do that for you.

Installing NetStumbler

Using NetStumbler

In the MAC column, you can see a list of access points NetStumbler has detected. The network icons to the left of the MAC address are lit up green if they are currently in range. The icon turns yellow and then red as you pass out of range. Inactive network icons are gray. The graphic also shows a little lock in the circle if that network is encrypted. This gives you a quick way to see which networks are using WEP. NetStumbler gathers additional data on any point that it detects. Table 10.2 lists the data fields it displays and what they signify.

Table 10.2. NetStumbler Data Fields
Data Fields	Descriptions
MAC	The BSSID or MAC address of the base station. This is a unique identifier assigned by the manufacturer, and it comes in handy when you have a lot of stations with the same manufacturer default SSID such as linksys.
SSID	The Station Set Identifier that each access point is set up with. This defines each wireless network. You need this to log on to any wireless network, and NetStumbler gladly gathers it for you from the beacon signal. As noted in the MAC field description, this is not necessarily a unique ID since other base stations may have the same SSID. This could be a problem if two companies in the same building are using default SSIDs. Employees may end up using another company's network or Internet connection if it is not set up correctly with a unique SSID.
Name	The descriptive name, if any, on the access point. Sometimes the manufacturer fills this in. The network owner can also edit it; for example, Acme Corp Wireless Network. Leaving this name blank might be a good idea if you don't want people knowing your access point belongs to you when they are war driving around.
Channel	The channel the base station is operating on. If you are having interference problems, changing this setting on your access point might eliminate them. Most of the manufacturers use a default channel. For example, Linksys APs default to 6.
Vendor	NetStumbler tries to identify the manufacturer and model of the wireless equipment found using the BSSID.
Type	This tells you whether you found an access point, a network node, or some other type of device. Generally you will be finding access points that are signified by `AP`. Wireless nodes show up on here as `Peer`. This is why, even without a wireless network set up, having wireless cards in your PC can be risky. Many laptops now come with built-in wireless radios, so you may want to disable these before they are initially deployed if the users are not going to be using them.
Encryption	This shows what kind of encryption the network is running, if any. This is very important; if the network isn't encrypted, outsiders can pull your network traffic right out of the air and read it. They can also log onto your network if other protections aren't in place.
SNR	Signal-to-Noise ratio. This tells you how much other interference and noise is present at the input of the wireless card's receiver.
Signal	The signal power level at the input to the receiver.
Noise	The noise power level at the input to the receiver.
Latitude	Exact latitude coordinates if you are using a GPS receiver with NetStumbler.
Longitude	Exact longitude coordinates if you are using a GPS receiver with NetStumbler.
First seen	The time, based on your system clock, when the network's beacon was first sensed.
Last seen	NetStumbler updates this each time you enter an access point's zone of reception.
Beacon	How often the beacon signal is going out, in milliseconds.

As you go about your network auditing, the main NetStumbler screen fills up with the wireless networks that you find. You will probably be surprised at the number of networks that show up around your office. And you will be even more surprised at how many have encryption turned off and are using default SSIDs.

The left side of the screen displays the different networks detected. You can organize them using different filters. You can view them by channel, SSID, and several other criteria. You can set up filters to show only those with encryption on or off, those that are access points or peers (in ad-hoc mode), those that are CF pollable (provide additional information when requested), and any that are using default SSIDs.

On the bar along the bottom of the main screen you can see the status of your wireless network card. If it is functioning properly, you will see the icon blinking every second or so and how many active access points you can see at that moment. If there is a problem with the interface between your network card and the software, you will see it here. On the far right of the bottom bar is your GPS location if you are using a GPS device.

The blinking indicates how often you are polling for access points. NetStumbler is an active network-scanning tool, so it is constantly sending out "Hello" packets to see if any wireless networks will answer. Other wireless tools, such as the Kismet tool discussed later in this chapter, are passive tools in that they only listen for the beacon signals. The downside of the active tools is that they can miss some access points that are configured not to answer polls. The upside of an active scanning tool is that some access points send out beacon signals so infrequently on their own that you would never see them with a passive tool. Also, keep in mind that active polling can set off wireless intrusion detection systems. However, very few organizations run wireless detection systems, and if you are using NetStumbler only as an assessment tool for your own network, then being stealthy shouldn't be that important to you.

If you click on an individual network in this mode it shows a graph of the signal-to-noise ratios over the times that you saw the network. This lets you see how strong the signal is in different areas (see Figure 10.5).

NetStumbler Options

Under the View menu, select the Options submenu to display the dialog box for setting NetStumbler options. Table 10.3 lists the tabs and the choices available.

Table 10.3. NetStumbler Options
Tabs	Descriptions
General	Set the rate of polling for your access points. You can also set it to auto-adjust based on your speed if using GPS. There is an option to automatically reconfigure your card when a new network is found, but you probably don't want to do this in a busy area—if there are a lot of access points around, your card will be changing configuration every few seconds and it will slow your computer down. Also, the software may end up configuring your card for a foreign network and you could be trespassing inadvertently. Not cool! (See the sidebar on "Tips for Effective—and Ethical—Wireless Auditing".)
GPS	Set up your GPS receiver to interface with NetStumbler. I used a Meridian handheld GPS with a serial cable. All I had to do was set the right port and communication settings and NetStumbler started importing the data right away.
Scripting	Set up to call external scripts. You can use Visual Basic or any number of Windows-based languages to do additional things based on the NetStumbler output. External programs can also use this functionality.
MIDI	You can configure NetStumbler to play the signal-to-noise ratio as a Midi file. I'm not sure why you'd want to do this as it could get noisy in an area with a lot of networks, but I guess you could use it to home in on a elusive signal by sound.

Tips for Effective—and Ethical—Wireless Auditing

Get Permission

Make sure you have permission from management to do your wireless assessment. If you are an outside consultant, you should have a letter of permission or engagement signed by upper management. If the company does not own the building, get management to clear it with building security so you have permission to be on the premises.

Determine Your Wireless Perimeter

Walk the entire perimeter and find out how far your signal goes. (A good rule of thumb is to go only in publicly accessible places that wireless crackers or war drivers would have access to.) If possible, get a map and mark your wireless perimeter on it.

Start outside what you think is a reasonable reception range and work your way in. Make a broad circle around your business premises and work your way in to find out how far out the signal goes. Then go back and make a broader circle to see if any pockets of reception extend out farther.

Sometimes quirks in the landscape or manufactured objects can cause weird extensions of the signal: it can be reflected or focused by buildings, billboards, trees, and other objects. Assume the war drivers take advantage of this.

Once you've established the perimeter, you can evaluate the pockets of reception and take steps to eliminate or reduce them. Sometimes you can decrease the distance the signal goes by moving your access points to an interior room or to the other side of the building. As mentioned earlier, many units let you adjust the signal strength to limit radiation from the building.

graphics/fire_head_icon.gif
Flamey the Tech Tip:
Be a Good Wireless Network Neighbor
When auditing your own network, it is likely that you will come across other wireless access points and nodes in the nearby area or building. Some of them will be unsecured.
Be a good neighbor and let them know that they have an unsecured access point. They may not even be aware of the dangers this poses.
Be a good neighbor and don't attempt to surf their network to demonstrate how bad their security is. Not only is this very bad behavior, but it could get you put in jail if you are caught. So resist the temptation and be a good wireless network neighbor.
Use an External Antenna
Using a card that supports the addition of an external antenna extends your range dramatically. These cards don't cost much more than the cheapest wireless NICs. The consumer varieties, such as Linksys or D-Link, generally don't support this, but it is worth paying an extra $100.00 for a better card. If you are really strapped, there are Web sites that tell how to make a homemade antenna for your card. Assume that your opponents will be able to find these sites too and will have at least as good an antenna as yours.
Audit Under Optimal Conditions
Rain, humidity, and smog can affect wireless transmission. The wavelength that 802.11b operates on resonates in water, and that can dull a signal in a rainstorm or even when there is a lot of moisture in the air. Tree leaves, due to their high water content, have the same effect. Your results in the winter may be different from those in the summer. Pick a clear, dry day to test to optimize your results.

Saving NetStumbler Sessions

NetStumbler automatically starts saving your session each time you open it. This lets you examine your NetStumbler sessions at another time. By default, sessions are saved in a native NetStumbler format. You can also save the sessions as text for importing into a spreadsheet or word processor and in the wi-scan format, which is a budding file standard for wireless sniffing logs. You can also export them in a number of formats.

NetStumbler assigns a unique number that is a combination of the date and time for each session at the top of the window (see Figure 10.5). This is helpful for tracking your sessions and results. You can change this name to something more descriptive if you like.

Now that you have a lot of data about your wireless perimeter, you may want to produce some reports, either for management or for a customer if you are doing this as a consultant. If you have been collecting GPS data, you can create some nice maps with the Microsoft MapPoint program and the open source tool discussed next.

StumbVerter is a neat little program that takes the output from NetStumbler and converts it into input for the Microsoft MapPoint program. It has functionality beyond the basic NetStumbler program, including:

You must have a legal license for Microsoft MapPoint 2002 software to use StumbVerter. I know this is getting away from the idea of free software, but the functionality this adds is well worth the extra $200.00 that MapPoint will set you back. And of course, the StumbVerter software itself is freeware. Several projects are underway to develop a program to convert NetStumbler files into something free, such as a MapQuest or MapBlast map (but none of these were far enough along as of publication to include). At any rate, if you have to present reports to management, the color maps will definitely help your case.

Installing StumbVerter

Once you have all these installed, you can start working with NetStumbler and StumbVerter.

Using StumbVerter

Green towers represent encrypted access points; red towers represent unencrypted access points. The signal strength is shown by the waves coming out of the top of the icon: the more waves, the stronger the signal.

If you single-click on a specific access point, the map centers on that point and shows you the informational balloon. Initially, this shows the network's SSID. Double-clicking on it shows all the notes associated with that AP and lets you add comments.

The View menu has several options for manipulating and cleaning up your map. For example, you can remove the Points Of Interest (POIs) that MapPoint inserts, unless you want these for illustrative purposes. You can hide certain informational balloons if you want to show only the APs. You can also use the drawing tools to add any text, graphics, or other items to the map. When you are ready to save your map, you can either save it as a native MapPoint file or choose the CSV option if you want to save it in a text format suitable for importing into other programs.

The antenna comparison feature is useful for comparing several external antennas or different cards with built-in antennas to see which ones work best. You can import up to three different NetStumbler files, and StumbVerter grades them against the same access points and shows you the results side by side (see Figure 10.7). This can be helpful in deciding what card to use or which antennas work best if you are making one yourself.

Now that you know about some great Windows tools, I will switch platforms and talk about Linux tools. While the Windows tools are easier to install and use, there are some things that the Windows tools don't do yet, such as passive scanning and WEP cracking attempts.

Kismet Wireless is one of the leading wireless sniffers for the Linux operating system. There are several programs, including AeroSniff and Prism2Dump, that work well on Linux as well. I chose to review Kismet because of its growing support base and add-on modules in addition to its support for a wide variety of wireless hardware. It is also a client-server tool like Nessus, which gives it even more flexibility.

Another nice thing about using the Linux platform is that you can run WEPcrack and AirSnort, which are Linux-only programs right now. As of publication, there weren't any really good WEP testing open source software available for the Windows platform, though I expect this to change.

Kismet has some features that go beyond the basic functionality of a program like NetStumbler. Kismet works with a number of other programs and can be designed to gather weak encryption keys for cracking attempts by external programs. You can even run Kismet in IDS mode to look for intrusion attempts coming from your wireless network.

Installing Your Network Interface Card and Drivers

Before loading Kismet, you should make sure your card supports it. Kismet currently works with the following wireless cards:

Theoretically, Kismet should work with any card that uses the Prism II and Hermes chipsets or ones that can be put into rf_mon or Monitor mode, but your results may vary. I recommend that you stick with one of the above cards for the fewest problems.

Now the fun really begins. There are several steps to getting your Linux system ready to be a wireless sniffer. These steps will vary slightly depending if you have a different hardware and software configuration than the procedure. Check the documentation on the Kismet Web site to see if there are specific instructions for your hardware.

Start by making sure your PCMCIA drivers are up to date (assuming your card uses the PCMCIA card slot). If you have installed a fairly recent version Linux, then you are probably okay. This installation example uses Mandrake Linux 9.1.
If you need the latest drivers, go to www.rpmfind.com and search for the file pcmcia-cs for your distribution. Run the RPM and it will install the latest drivers.
Make sure you have all the correct wireless drivers loaded for your card.

Wireless drivers for Linux are not quite as well supported as those for Windows and don't usually have a nice graphical interface to install them. (Hopefully this will change as vendors add support for Linux and someone produces RPMs for installing the drivers.)

I had to "roll my own" drivers, and the experience was less than fun. If possible, pick one of the supported cards; there are detailed instructions and lots of information online about them. With the ORiNOCO card, I compiled the driver located on the disk that came with the card. The latest driver is also available at www.orinocowireless.com, and several other sites offer cards based on this chipset.

If you are using a Prism II card, you need the Linux wlan-ng drivers. They are available at www.linux-wlan.org/.
Install the drivers and any patches needed for your card to operate in the Monitor mode required by wireless sniffers. This mode is similar to the Promiscuous mode on Ethernet cards that sets the card to listen to the airwaves without associating it to a particular access point.

The following instructions are for the ORiNOCO card, which required the Monitor mode patch. Consult your documentation or the Internet for other cards.
a. Download the file or copy it from the book's CD-ROM.
b. To being the installation process, type:
```
make config
```
The configuration script asks you some basic questions about your system. The defaults are generally the correct setting.
c. Type the following commands as root:
```
./Build

./Install
```
d. With the ORiNOCO card, you also have to install a patch on top of this in order for it to work in Monitor mode. This may not be necessary with other cards. You can get the patch from airsnort.shmoo.com/orinocoinfo.html.

e. If you need to patch your driver, download the patch file, otherwise go to Step 5.
f. Untar it, and type the following commands:
```
patch –p0 < patchfile.diff
```
where you replace patchfile.diff with the name of the current patch file. It should write over any files that are not updated. If the -p0 switch doesn't work, try -p1.
Next, go into the wireless configuration file and edit the setup parameters. This file is found in /etc/pcmcia/config.opts.
- If you are going to be using this card with Kismet, leave these parameters blank.
- If you want to use it to access your local access point, enter the appropriate settings for your network in this file, such as SSID and so on.
You can now reboot your system with your wireless card in the slot.

When it comes up you should hear two beeps. This indicates that the network card was recognized and configured.

If you don't hear the beeps, refer back to your card's documentation and make sure you followed all the steps correctly.
Type ifconfig at the command prompt. You should see a wlan01 interface. If you don't see this interface, refer back to your card's documentation and make sure you followed all the steps correctly.
One you have the drivers loaded, make sure your wireless card is actually working. You should be able to get Internet access or ping a network machine on the wired LAN. If you can't, then you need to refer back to your card's installation instructions. The card must be functional before loading the Kismet software.
You also need to have a recent libpcap library available so the operating system can read packets directly from your card. Many of the tools described earlier in this book use this driver, but if you haven't loaded it yet, download it from the book's CD-ROM or www.tcpdump.org and install it.

You have now finished installing your network interface card and the drivers you need to run Kismet.

Installing Kismet

If you made it through all that unscathed, you are ready to actually load the program.

Download Kismet from the book's CD-ROM or the Web site.
Unpack the distribution.

Enter the following command with any appropriate configure statement(s) listed in Table 10.4 to compile Kismet:


./configure

Table 10.4. Kismet Configuration Switches
Switches
Descriptions
--disable-curses
Disables the curses user interface.
--disable-panel
Disables ncurses panel extensions.
--disable-gps
Disables GPS support.
--disable-netlink
Disables Linux NetLink socket capture (prism2/orinoco patched).
--disable-wireless
Disables Linux kernel wireless extensions.
--disable-pcap
Disables libpcap capture support.
--enable-syspcap
Uses system libpcap (not recommended).
--disable-setuid
Disables suid capabilities (not recommended).
--enable-wsp100
Enables WSP100 remote sensor capture device.
--enable-zaurus
Enables some extra stuff (like piezzo buzzer) for Zaurus PDA.
--enable-local-dumper
Forces the use of local dumper code even if Ethereal is present.
--with-ethereal=DIR
Supports Ethereal wiretap for logs.
--without-ethereal
Disables support for Ethereal wiretap
--enable-acpi
Enables Linux kernel ACPI support.

These are compile-time switches you can enter with your configure statement to enable or disable certain functions.

Once the configuration process completes, run the following commands as root to finish the compilation process and install the program:
```
make dep

make

make install
```

Once Kismet is installed, find the file kismet.conf, which should be in /usr/local/etc by default. This is where you set up your logging and interface preferences. Table 10.5 describes the parameters you can set.

Table 10.5. Kismet Logging and Interface Options
Parameters
Descriptions
Capture source
Defines what interfaces Kismet will listen on. Normally your main wireless interface (wlan0) should already be set up here. If you want to add additional interfaces, do it in the format: source=type,interface,name. For example, source=prism2,wlan0,Prism directs Kismet to listen on wlan0 for a prism2 type card. This shows up as Prism in your logs.
Fuzzy encryption
Shows any identified packets as unencrypted for those stations using undefined or proprietary encryption methods. Generally leave this off unless your card is reporting known encrypted networks as unencrypted.
Filtering packet logs
Limits what packets get logged. Use the noiselog option to drop any packets that seem to be broken or fragmented due to noise. In a crowded area with lots of interference or when using a card that does not have an external antenna, this can keep your log size down. The beaconlog option drops all but the first beacon packet from a particular access point. The phylog setting drops any physical layer packets that are sometimes picked up. You can use any combination of these settings.
Decrypt WEP keys
Decrypts intercepted data packets on the fly. You must first, however, have the key, which can sometimes be obtained using AirSnort (described later in this chapter). Each access point needs a separate statement in the format

bssid:key

where bssid is the MAC address of the access point and key is the key for that access point.
Using an external IDS
Sends packets to an external instruction detection system for further analysis. You specify a FIFO pipe in this statement and then direct your NIDS to read from the pipe name.

Next, edit the file kismet_ui.conf, also found in /user/local/etc. This sets certain interface settings. Table 10.6 lists the options.

Table 10.6. Kismet Interface Settings
Settings
Descriptions
Columns
Changes what columns appear in the Kismet interface and in what order. Change the value of columns or clientcolumns to what you want to see. A complete listing of the columns available is in the Kismet man pages.
Colors
Changes the colors of any of the elements of the display. Change the colorxxx setting to the color code you want. You will have to play with it a bit to get the colors right. (I found the defaults to be acceptable except for printing, and changed those to a more printer-friendly color.)

Save these two files.

Using Kismet Wireless

Start Kismet by running the executable file from the command line or from an X-Windows terminal that supports the Curses toolkit. The main interface displays (see Figure 10.8). Kismet immediately starts reporting any wireless networks in your area and information on them.

The interface is divided into three main sections. The Network List section on the left shows all the currently active wireless networks that Kismet can see and some basic information on them: the SSID of the network (if available), the type (access point versus node), whether or not it is encrypted using WEP, the channel it is broadcasting on, the number of packets intercepted so far, any flags on the data, and the amount of data going through the network. The display is color coded with active networks appearing in red and ones that are no longer active in black.

The Info box on the right shows overall statistics for this capture session, including the total number of networks sensed, the total number of packets, the number of packets that were encrypted, weak networks perceived, packets with a high noise level, packets that were discarded, and the average number of packets per second.

The Status box on the bottom contains a scrolling view of events as they happen. Messages pop up when new networks appear or other events happen.

Because Kismet is a command line tool, albeit with a GUI, it uses key commands to control its functions. Table 10.7 lists the key commands available from the main screen.

Table 10.7. Kismet Key Commands
Key Commands	Descriptions
`a`	Shows statistics about packet counts and channel allocation.
`c`	Opens a client pop-up window to display clients in the selected network.
`d`	Instructs the server to start extracting printable strings from the packet stream and displays them.
`e`	Opens a pop-up window on Kismet servers. This lets you simultaneously monitor two or more Kismet servers on different hosts (remember, it's a client-server architecture).
`f`	Follows the estimated center of a network and displays a compass.
`g`	Groups currently tagged networks.
`h`	Gets a listing of possible commands.
`i`	Displays detailed information about the current network or group.
`l`	Shows signal/power/noise levels if the card reports them.
`m`	Mutes sound and speech if they are enabled (or turns them on if they were previously silenced). You must have sound or speech enabled in your configuration to be able to use them.
`n`	Renames the selected network or group.
`p`	Displays packet types as they are received.
`r`	Displays a bar graph of the packet rate.
`s`	Sorts the network list differently.
`t`	Tags (or untags) the current network.
`u`	Ungroups the current network.
`w`	Displays all previous alerts and warnings.
`z`	Zooms the network display panel to full screen (or returns it to normal size if it is already zoomed).

As noted above, you can expand views of information on each network detected to show all the details on a particular access point by entering i at the command line. Figure 10.9 illustrates this output.

You can also expand the network box to full screen and see additional information on each network, such as the manufacturer of the equipment detected using the z command. This may make it easier to organize your access points into groups if you are trying to track a particular set of APs and want to be able to filter the others out. Do this with the g and u commands to group and ungroup, respectively.

The sound feature is handy—it beeps when you detect new networks. You can toggle that option off using the m command if you are going in and out of many network's reception areas. Otherwise you get a cacophony of beeps!

Kismet GPS Support

Kismet has the ability to record GPS data if you have a GPS receiver plugged into your machine. You need the GPS daemon software GPSD for Kismet to read it. You can get GPSD at http://russnelson.com/gpsd/. You must enable GPS support when compiling Kismet using the compile-time parameters in Table 10.4. Kismet then automatically picks up the coordinates of any networks sensed and logs them.

You can take this one step further and map these coordinates just like with the Windows program. Kismet comes with a built in program called GPSMAP that automatically plots the data collected onto maps in .gps format. The downside is you have to provide your own GPS-calibrated map. There is an open source mapping program for Linux called GPSDrive, which you can download from http://gpsdrive.kraftvoll.at/index.shtml.

Kismet IDS

You can also set up Kismet as a wireless IDS. Kismet will intercept incoming signals and detect wireless traffic that is known to be associated with war driving or other suspicious wireless activity. It detects about 10 different kinds of traffic, including NetStumbler polls and activity from Airjack and other wireless hacking tools. Currently this IDS capability is fairly limited, but expect it to expand in the future. And, since it's open source, you can always expand it yourself by writing your own alerts. You can also pipe your Kismet data through a traditional IDS such as Snort for more detailed analysis. The IDS feature is set in kismet.conf and is turned off by default. You can also set up Kismet to gather known cryptographically weak keys for a program such as AirSnort, the next tool in this chapter, which analyzes wireless packets and attempts to crack the WEP encryption.

The authors developed AirSnort as a practical application to demonstrate the weakness in the WEP, the wireless encryption protocol. A paper entitled "Weaknesses in the Key Scheduling Algorithm of RC4," written by the cryptographic experts Fluhrer, Martin, and Shamir, detailed a theoretical weakness in the WEP algorithm, describing how some of the Initialization Vectors (IVs) were weak. Packets encrypted with these weak IVs could be collected and eventually enough data would be present to extrapolate the shared secret key. This allowed the packets to be easily decrypted. Two tools were released shortly thereafter, AirSnort and WEPCrack, that employed the described weakness to recover WEP keys, effectively cracking WEP. They are both good tools, but AirSnort has some additional functionality as a wireless sniffer. AirSnort is now an open source project hosted on SourceForge.net and has been extended and improved considerably since its release. Given that there are no real alternatives under Windows for doing this, AirSnort and WEPCrack are currently the only viable alternatives for testing your WEP.

Uses for AirSnort

Why use AirSnort on your wireless network? Some might say there is no legitimate use for the program and its only purpose is as a hacker's tool. However, I believe that the only way to know what the exposure on your wireless network is for you to do what the hackers do to see if your encryption is crackable and the amount of time it takes to do it. AirSnort lets you do just that.

By attempting to crack your wireless encryption, you can see if it is crackable. If you are using standard WEP, then it is merely a matter of time. It is a mathematical certainty that it can be cracked at some point using this tool. The question is, how long does it take? If it's a very long time, you can reasonably assume you are pretty safe. If the traffic level on your wireless LAN is small, then it might take days or even weeks. This puts your network out of the realm of practicality of most casual hackers. However, if it's a busy network, then someone might be able to pick up enough packets to break it in a few hours or a day.

Knowing this will help you to better protect your network. It can justify putting in further protections, such as better physical controls or limiting the traffic on that network. It also might justify upgrading your wireless equipment. Cisco Aeronet gear uses a variation of WEP called LEAP to improve and fix the weakness with the original WEP protocol. A wireless network using that protocol should be uncrackable, at least with readily available tools. You may find that your traffic level doesn't make it practical to crack your encryption. Either way, you'll sleep better at night knowing.

Installing AirSnort

Getting the drivers and software working for AirSnort can be quite a chore. Its requirements closely match those of the Kismet program. Refer back to the "Installing Your Network Interface Card and Drivers" section and follow that procedure. Finally, when all the moons align and you get all these things in order, you are ready to install the program. This is the easy part.

Running AirSnort

AirSnort accept files from other wireless sniffers as along as they are saved in pcap format. Kismet, our Linux wireless tool of choice, will specifically pull out interesting packets for AirSnort ahead of time, saving this step.

You don't have to do all the data collection at once. AirSnort can save a session and let you open it later and add to it. This makes AirSnort a particularly dangerous tool to wireless networks, because someone doesn't have to spend a single uninterrupted session near your facility to collect enough packets to crack your network. They can split their collection activities into smaller, less noticeable time increments, assuming the target network doesn't change its keys often.

Once you have AirSnort installed, you can start it by typing airsnort at the command line. The interface is simplicity itself: it is a single screen that shows the interesting packets and the total number of encrypted and unencrypted packets. The top section shows you settings such as NIC card type and so forth. On the left, you can change some settings, such as the breadth— the number of guessing attempts AirSnort will make for each key byte—for either 40-bit or 128-bit decryption attempts. The default is 3 for 40-bit encryption and 2 for 128-bit encryption. If you don't have a lot of data or you have a lot of excess processing power, you can try increasing this slightly, but don't go much more than 4 or 5.

After that, it is time to just sit back and collect packets. Don't expect to be able to crack WEP keys in just a few moments. For AirSnort to work properly, it needs approximately 1,500 to 4,500 packets with weak keys. This amounts to between 100MB and 500MB of data. On a moderately busy network, it might take a day or more to collect this much data. On slower networks it could take much longer and on busier networks much less. Expect it to take at least a couple of hours but probably longer. Of course, all of this is based on a little luck too, so your results may vary from an hour to never. Generally, you want to spend about as much time collecting data as you think the average outsider might be able to spend undetected. And of course, AirSnort's resume session feature could make this time window much shorter since they could use multiple collection sessions.

When a successful crack of the WEP key has occurred, it appears in both plain text and the original hexadecimal on the far left of the display and the capture session ends. Happy WEP cracking!

What do you do if you find your WEP keys? Well, don't panic, because most casual hackers won't go to the trouble. However, you should think about taking steps to increase the security of your wireless network to make it harder for outsiders to collect this data. There are a number of steps you can take, ranging from replacing your equipment to reconfiguring and changing your AP position. You will have to decide based on the sensitivity of the data on your network which ones are appropriate.