
PCMCIA and CF Wireless Cards

This is probably the most important choice when selecting the gear for your "rig" (a term used by many wardrivers for the complete kit of necessary equipment). The reason lies in the significant differences among the wireless client cards available, including the following:

  • The chipset

  • The output power level and the possibility of its adjustment

  • The receiving sensitivity

  • The presence and amount of external antenna connectors

  • The support for 802.11i and improved WEP versions

Selecting or Assessing Your Wireless Client Card Chipset

Major 802.11 chipsets include Prism, Cisco Aironet, Hermes/Orinoco, Symbol, Atheros AR5x10, and, nowadays, ADMtek ADM80211 and Atheros AR5x11. Let's explore each in further detail.

Prism Chipset

The Prism chipset, formerly from Intersil, Inc., is one of the oldest 802.11 transceiver chipsets, evolving from Prism I (original 802.11) to Prism II (802.11b), Prism III (802.11b), Prism Indigo (802.11a), Prism GT (802.11b/g), Prism Duette (802.11a/b), Prism Nitro (improved pure 802.11g networking), and Prism WorldRadio (802.11a, b, d, g, h, i and j standards support). It is a favorite chipset among hackers due to the complete openness of Intersil about the chipset specifications, operation, and structure. All Prism Evaluation Board documents, Reference Designs, Application Notes, tech briefs and a variety of general technical papers can be freely downloaded from Intersil's Web site. Wireless security software developers would probably be most interested in studying the Prism MAC controller, which communicates with the software drivers. The MAC controller firmware performs most of the basic 802.11 protocol handling and thus determines whether the card can be used for monitor mode sniffing, frame insertion and manipulation, or as an access point device. Figure 3.1 is a reference scheme of a very common Prism 2.5 device borrowed from Intersil's Web site.

Figure 3.1. Common Prism 2.5 device.

It demonstrates the internals of a card or access point including power amplifier and detector, RF/IF converter and synthesizer, IQ modulator/demodulator synthesizer and, finally, the host computer interface made up by a baseband processor and MAC controller. It is important to note here that the MAC controller has a specific WEP engine for hardware-based WEP encryption processing, which spares the CPU cycles when WEP is enabled. This is important when we discuss 802.11i standard release implications in Chapters 10 and 11.

As a result of Intersil's specification openness, a variety of open source tools operating with Prism chipset cards came into existence, some of them essential for wireless security auditing. There are more Linux drivers for Prism chipset cards than for any other 802.11 chipset cards on the market. Apart from the commonly distributed and used Linux-wlan-ng modules and utilities, these drivers include the following:

  • Jouni Malinen's HostAP drivers for deploying Linux-based access points (important for Layer 1 man-in-the-middle attack and DoS testing and wireless honeypot deployment).

  • Abaddon's AirJack, which is essential for Layer 2 man-in-the-middle attacks as well as determining closed networks' SSIDs, some Layer 2 DoS attacks, and overall 802.11 frame manipulation.

  • Prism54 drivers for newer Prism GT, Duette, and Indigo chipsets that do support the monitor mode for use with wireless sniffers and can be configured to run a software-based access point in a manner similar to HostAP.

Prism cards had very early FreeBSD support (the legacy awi device) and were the first 802.11 client cards to provide the RFMON mode capability and antenna diversity natively and without patching (see the comments on wlan-ng drivers later in the chapter). BSD-Airtools require a Prism chipset card to perform RFMON frame sniffing and dumping with prism2dump and dwepdump and WEP cracking with dwepcrack. Running a BSD-host-based 802.11b access point also requires a Prism PCMCIA or PCI device.

The bottom line is that if you are serious about 802.11 penetration testing, you should get a decent Prism chipset card. If you plan to base your security audit effort around the BSD platform, you probably cannot do without it. Prism chipset PCMCIA and CF cards are known to be produced by Addtron, Asante, Asus, Belkin, Buffalo (CF cards only), Compaq, Demark, D-Link, Linksys, Netgate, Netgear, Proxim, Senao, SMC, Teletronics, US Robotics, Zcomax, and ZoomAir.

Cisco Aironet Chipset

The Aironet chipset is a Cisco, Inc., proprietary chipset, developed on the basis of Intersil's Prism. Common opinion is that the Aironet chipset is a Prism II "on steroids." Cisco added some useful features to their Aironet cards, including regulated power output and the ability to hop through all ISM band channels without running a software-based channel hopper. Cisco Aironet cards are perfect for wireless network detection due to their excellent receiving sensitivity and seamless traffic monitoring from several access points running on different channels. On the other hand, you would not be able to lock these cards on a single channel or set of channels in the monitor mode because in this mode they will continue to hop through the band on a firmware level.

Other useful features of the Cisco Aironet cards are the amber traffic detection light and well-supported antenna diversity (providing that you use the Air-LMC350 series card with two external antenna connectors). These cards are very well supported across all common platforms including Microsoft Windows and practically any UNIX-like operating system in existence. The ACU configuration utility supplied by Cisco for both Windows and Linux is very user-friendly and has capabilities of a decent wireless site surveying tool.

Unfortunately, because Cisco Aironet chipset specifications are proprietary and are different from the original Intersil Prism, HostAP drivers do not work with Cisco Aironet and neither does the AirJack. However, it is rumored that an undisclosed version of the AirJack driver for Cisco Aironet does exist. This limits the use of Cisco Aironet cards for man-in-the-middle attacks and DoS resilience testing. Nevertheless, these cards are our PCMCIA cards of choice for site surveying, rogue access points detection, and multiple-channel traffic analysis.

Hermes Chipset

The third very common 802.11 client card chipset is the Hermes chipset developed by Lucent. These cards have been on the market for years and are well-developed products boasting good receiving sensitivity and user-friendliness. Even though they do not provide firmware hopping on all ISM band channels like Cisco Aironet, they tend to identify the transmitting access point and assume the correct network ESSID and frequency automatically as soon as the wireless interface is up. Most Hermes chipset cards boast an external antenna connector, but they rarely come in pairs. These connectors seem to be superior to the MMCX connectors on Prism and Cisco Aironet cards; they are tighter and less prone to damage. A pigtail slipping out of the wireless card is highly annoying; we have never seen it with Hermes chipset card connectors and pigtails.

Although Hermes chipset specifications are closed source and proprietary, Lucent did publish a piece of source code for controlling the basic functions of their WaveLAN/ORiNOCO cards. It is a pared-down version of the HCF library used in their Windows driver and their binary-only Linux driver. The code was not easy to read and integrated poorly into the Linux kernel, but proved to be useful when the old wvlan_cs driver was written. The currently used orinoco_cs driver is an improvement over the original wvlan_cs, but it still uses its higher level functions, whereas the low-level function support partially originates from the BSD wi driver for both Prism and Hermes chipset cards. A patch released by The Shmoo Group (http://airsnort.shmoo.com/orinocoinfo.html) enables you to put Hermes chipset cards into a monitoring mode for proper Layer 2 802.11 frame analysis. Although HostAP drivers do not work with the Hermes chipset cards, there is currently a HermesAP project that is still in an early development stage, but looks very promising. You can find more information about it at http://www.hunz.org/hermesap.html.

The bottom line is that with a little bit of driver patching, Hermes chipset cards are fine for full 802.11 penetration testing and might even have an advantage over their counterparts (except Cisco Aironet) when it comes to ease of use and configuration. Hermes chipset PCMCIA and CF cards include Buffalo PCMCIA, Dell Truemobile, IBM High Rate Wireless LAN card, Intel AnyPoint 802.11b, Lucent/Orinoco Silver and Gold, Lucent WaveACCESS, and Sony PCWA-C100.

Symbol Chipset

The Symbol Spectrum24t chipset is specific for Symbol-based cards including Nortel Emobility 4121, 3Com AirConnect, Intel PRO/Wireless, and Symbol Wireless Networker Cards. Ericsson WLAN cards are also Symbol-based, but have a separate Linux driver (eriwlan). Symbol cards are Prism II cards with their own MAC layer controller. Surprisingly, under Linux they are supported by the orinoco driver (read the orinoco.c source) and are similar to Hermes chipset cards in terms of configuration and usefulness in the penetration testing of WLANs. Symbol CF cards have an orinoco and spectrum24t-based driver that is different, as these cards don't have built-in firmware. At http://www.red-bean.com/~proski/symbol/readme, you can find more information about "no-firmware" Symbol cards and download a Spectrum24 Linux driver. However, for Layer 2 traffic analysis in the monitor mode, the morinoco patch (http://www.cs.umd.edu/~moustafa/morinoco/morinoco.html) has to be applied. Jesus Molina provides a package of the Spectrum24 CF driver already patched with the morinoco patch with some additional old kernel versions for backward compatibility. A good example of a common Symbol chipset card is a low-power Socket CF card from Socketcom. Although this card does save your PDA battery power, it has a lower transmitting and receiving range compared to more power-hungry cards, but always remember that everything comes with a price. The precompiled packages of Spectrum24 Linux driver (kernel 2.4.18) for this card, patched for monitor mode frame capture and supplemented by useful comments on configuring the card, are available at http://www.handhelds.org/~nils/socket-cf-wlan.html.

Atheros Chipset

The Atheros AR5000 chipset is the most commonly encountered chipset in 802.11a devices. This chipset combines the world's first 5 GHz "radio-on-a-chip" (RoC) and a host computer interface (baseband processor + MAC controller). It supports the Turbo Mode (72 Mbps theoretical speed) and hardware-based WEP encryption at 152 bits or less. Because it relies on a standard-process CMOS, both power consumption and the device costs are low, and the operational reliability is enhanced. AR5001x is a further evolution of AR5000 and is a common chipset in modern combo 802.11a/b/g cards.

Because we are interested in "hackable" drivers for 802.11a cards, which would let us monitor and inject traffic on Layer 2, the most suitable are the Madwifi and Vantronix vt_ar5k drivers for Linux, available from http://team.vantronix.net/ar5k/ and the Madwifi project at SourceForge. The list of vt_ar5k supported 802.11a cards includes Actiontec 802CA, Netgear HA501, Netgear HA311, Proxim Harmony, SMC 2735W, Sony PCWA-C500, IODATA WN-A54/PCM, and ICom SL-50. Unfortunately, the combo card support is not fully implemented yet; in our experience with vt_ar5k and Netgear 32-bit CardBus WAG511 and Orinoco Gold Combo cards, the LED goes on and the card is detected, but the vt_ar5k module does not load. Nevertheless, for the supported cards the vt_ar5k driver provides raw sniffing mode support and aims to implement frame injection in the future; stay tuned. Hopefully, by the time you hold this book in your hands, vt_ar5k combo card support is fully implemented.

Madwifi Linux drivers also provide support for 802.11a/b/g universal NIC cards based on the Atheros chipset. At the moment, these drivers are probably what you need to use for your 802.11a/b/g combo card under Linux. The official project is located at SourceForge (http://sourceforge.net/projects/madwifi/). Additional information about Madwifi drivers can be found at http://www.mattfoster.clara.co.uk/madwifi-faq.htm and the Madwifi Wiki page http://madwifiwiki.thewebhost.de/wiki/. Before installing the modules, we recommend visiting these sites to get the latest details on the project and familiarize yourself with the FAQs.

Even though these drivers are in an early development state, they have been proven to work on many Atheros-based combo wireless cards. We have tested Proxim 8480-x and Netgear WAG511 and found them to work reasonably well at 18 to 24 Mbit/s. Some people have reported performance, WEP, and power-management-related issues with Proxim 848x-based cards, so check the latest CVS source and patches section of the project page. Madwifi drivers are RFMON-friendly and are supported in the current versions of Kismet (see the kismet.conf file for more details).

ADM8211 Chipset

Finally, there is an ADM8211 chipset originating from ADMtek, Inc. (http://www.admtek.com.tw/products/ADM8211.htm). This chipset is becoming common in combo 802.11a/b/g cards. At the same time, very little is released in terms of ADM8211 specifications. It appears that the driver for the ADM8211 takes responsibility for more 802.11 MAC functions than the older drivers for Lucent/Prism/Aironet cards; BSD-wise the driver will be more similar to awi than wi or an.

We have initiated a discussion in the open source community about the development of multifunctional Linux and BSD drivers for ADM8211, supporting RFMON mode and hopefully, access point functionality. There are clear signs of enthusiasm and we hope that in the near future such drivers will exist. In the meantime, ADMtek has released precompiled drivers for kernel 2.4.18-3 oriented toward Red Hat 7.3 distribution. The source code for these drivers was posted at http://www.seattlewireless.net/index.cgi/DlinkCardComments. We expect that the development of open source drivers and configuration utilities for both AR5001x and ADM8211 chipset cards will grow quickly and porting and development of major wireless security applications will follow. We also hope that AR5001x and ADM8211 cards with external antenna connectors will eventually come out and these connectors will be compatible with the existing pigtail types. For now, the best idea is to stick to Prism, Aironet, or Hermes chipset cards for 802.11b/g and AR5000 chipset cards for 802.11a security auditing. Backward compatibility of 802.11g helps everyone, penetration testers and crackers alike.

Other Chipsets That Are Common in Later Models of 802.11-Compatible Devices

As more and more hardware vendors join the wireless chip manufacturing race, the diversification of 802.11 chipsets available on the market continues. Examples of newer wireless chipsets include Texas Instruments' ACX100, Atmel AT76C503A, Broadcom AirForce, InProcomm IPN2220, Realtek RTL8180L, and Intel PRO/Wireless (Centrino). From the wireless security auditor and hacker viewpoint, it is important to have open specifications and open source drivers for these chipsets, allowing the monitor mode, software access point functionality, and the ability to build and mangle wireless frames. Whereas some of the chipsets listed satisfy these requirements and have decent Linux and even BSD support (e.g., ACX100), others aren't that "hacker-friendly" and might have to be used under Linux via the Linuxant DriverLoader (http://www.linuxant.com/driverloader). DriverLoader is a compatibility wrapper that allows standard Windows drivers provided by hardware manufacturers to be used as is on Linux x86 systems. NdisWrapper is another project similar to the DriverLoader that supports a few chipsets that do not have open source drivers available at the moment of writing, namely Broadcom, Intel PRO/Wireless (Centrino), and InProcomm IPN2120.

Although the standard end-user connectivity and even 802.11i security features are provided by using the vendor drivers through the DriverLoader or NdisWrapper, do not expect to run your favorite UNIX wireless network discovery and penetration tools under the Windows NDIS drivers launched using the wrapper applications. Thus, if you are not a developer interested in creating, improving, or modifying drivers for these chipsets and porting existing wireless security auditing tools to be used with such drivers, steer clear of novel or little-known wireless chipset devices unless you are absolutely sure that working open source drivers for that particular chipset exist. Check out the updates at the Linux Wireless Drivers in the Construction and Defense Tools section of our Web site (http://www.wi-foo.com) to see which open source drivers are currently available for download.

Selecting or Assessing Your Wireless Client Card RF Characteristics

After determining the chipset, the next things to look for in an 802.11 client card are its power output, the possibility of power output regulation, and receiving sensitivity.

The RF Basics: Power Calculations

The transmitting power output is estimated at two different points of a wireless system. The first point is called the intentional radiator (IR). IR includes the radio transmitter and all cabling and connectors but excludes the antenna used. The second point is the power actually radiated from the antenna, designated as the equivalent isotropically radiated power (EIRP). Both IR and EIRP outputs are legally regulated by the Federal Communications Commission (FCC) in the United States (see Part 47 CFR, Chapter 1, Section 15.247) or the European Telecommunications Standards Institute (ETSI) in the European Union.

To measure both the power of the emitted energy and the receiving sensitivity of your wireless device, watts (more often milliwatts [mW]) or decibels are used. Power gain caused by antennas and amplifiers, as well as power loss caused by distance, obstacles, electrical resistance of cables, connectors, lightning protectors, splitters, and attenuators, is estimated in decibels or, to be more precise, dBm. The m in dBm signifies the reference to 1 mW: 1 mW = 0 dBm. Antenna power gain is estimated in dBi (i stands for isotropic), which is used in the same way as dBm in RF power calculations. Decibels have a logarithmic relationship with watts: P(dBm) = 10 log10 P(mW). In simple terms, every 3 dB change doubles or halves the power and every 10 dB difference increases or decreases the power by an order of magnitude. The receiving sensitivity of your wireless devices is affected in the same way.

To calculate the EIRP value of your wireless kit, simply sum all dBm, dB, and dBi values of the devices and connectors involved. For example, a standard wardriver's rig consisting of a 20 dBm (100 mW) PCMCIA client card, a long pigtail connector with 2 dB loss, and a 5 dBi gain magnetic mount omnidirectional antenna would have 20 - 2 + 5 = 23 dBm, or 200 mW, power output. Note that each 6 dB increase in EIRP doubles the transmission or reception range (the so-called 6 dB Rule).

A Milliwatts-to-dBm conversion table is given in Appendix A for your power estimation convenience. Also, there are many RF power calculators available, including online tools such as the following:

However, if you deal with wireless networking on a regular basis, it is vital to familiarize yourself with RF power calculations and be able to perform basic calculations of mW/dBm conversions and EIRP output in field conditions without any tools or tables available.
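The following calculator is an added example written for this edition of the text; it is not the book's own code or one of the online tools mentioned above. It carries the chapter's worked rig (20 dBm card, 2 dB pigtail loss, 5 dBi antenna) through the mW/dBm conversion and the EIRP sum, and also turns a decibel difference into a linear power ratio and a range factor under the 6 dB Rule, which is what you need when comparing receiving sensitivities such as -80 dBm versus -90 dBm. The FCC limit used in the report is an assumption taken from Part 15.247 for 2.4 GHz point-to-multipoint links and is labelled as such; verify it against the current rules for your jurisdiction.

```python
import math

# Constructed sample rig, matching the chapter's worked example:
# 20 dBm (100 mW) client card, 2 dB loss in the pigtail, 5 dBi antenna gain.
# Losses are negative, gains positive; all figures are summed in decibels.
SAMPLE_RIG = [
    ("PCMCIA client card (IR)", 20.0),
    ("long pigtail (loss)", -2.0),
    ("magnetic mount omni antenna (gain)", 5.0),
]

# Assumed regulatory ceiling (FCC Part 15.247, 2.4 GHz point-to-multipoint):
# 1 W (30 dBm) IR with a 6 dBi antenna, i.e. 36 dBm EIRP. Verify before use.
ASSUMED_FCC_EIRP_LIMIT_DBM = 36.0


def mw_to_dbm(p_mw):
    """P(dBm) = 10 * log10(P(mW)); 1 mW is the 0 dBm reference."""
    if p_mw <= 0:
        raise ValueError("power in mW must be positive")
    return 10.0 * math.log10(p_mw)


def dbm_to_mw(p_dbm):
    """Inverse of mw_to_dbm: P(mW) = 10 ** (P(dBm) / 10)."""
    return 10.0 ** (p_dbm / 10.0)


def eirp_dbm(chain):
    """EIRP of an RF chain: the plain sum of every element's dBm/dB/dBi figure."""
    return sum(value for _, value in chain)


def power_ratio(delta_db):
    """Linear power ratio for a difference of delta_db decibels.

    3 dB is (almost exactly) a factor of 2, 10 dB is a factor of 10, so a card
    with -90 dBm sensitivity hears signals 10 times weaker than a -80 dBm card.
    """
    return 10.0 ** (delta_db / 10.0)


def range_factor(delta_db):
    """6 dB Rule: every 6 dB of extra EIRP doubles the usable range
    (a free-space rule of thumb; obstacles change the real figure)."""
    return 2.0 ** (delta_db / 6.0)


def rig_report(chain, limit_dbm=ASSUMED_FCC_EIRP_LIMIT_DBM):
    """Itemised report of a chain plus a comparison with the assumed limit."""
    total = eirp_dbm(chain)
    lines = ["%-40s %+6.1f dB" % (name, value) for name, value in chain]
    lines.append("EIRP: %.1f dBm = %.0f mW" % (total, dbm_to_mw(total)))
    margin = limit_dbm - total
    lines.append("margin to assumed %.0f dBm limit: %+.1f dB" % (limit_dbm, margin))
    return "\n".join(lines)


if __name__ == "__main__":
    print(rig_report(SAMPLE_RIG))
    # Sensitivity comparison from the chapter's summary: -80 dBm vs -90 dBm.
    print("-90 dBm card hears %.0fx weaker signals than -80 dBm"
          % power_ratio(-80.0 - (-90.0)))
    # Adding a 6 dB amplifier to the sample rig roughly doubles its range.
    print("range factor for +6 dB: %.1f" % range_factor(6.0))
```

The report deliberately prints the margin to a regulatory ceiling rather than only the EIRP: when you review a rig (yours or one found during a site survey), the question is not just how loud it is but whether it is already over the line. Swap in your own chain, including any amplifier, lightning protector, or splitter, each as its own line with its sign.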


When looking at both power output and the receiving sensitivity of wireless equipment through the cracker's eyes, it is quite simply "the more, the better." Higher power output means a better chance of connecting to the target network from a longer distance, better capability to launch jamming DoS attacks, and increased chances of Layer 1 man-in-the-middle attack success. Better receiving sensitivity means more wireless networks detected when scouting, higher connection speed when associating to the WLAN, and more wireless traffic dumped and analyzed. If more WEP-encrypted traffic can be captured, more interesting IV frames should be sniffed out and the process of cracking WEP (see Chapter 8) should take less time. To our surprise, no one has ever investigated this matter by using a variety of client cards with very different receiving sensitivity values (dBm). Anyone who wants us to check this area is more than welcome to send us appropriate client hardware for testing by contacting us at wifoo@arhont.com.

As for the wireless equipment selection for your networking and security auditing practice, we have included modified tables of 802.11 equipment characteristics originally published at the Seattlewireless and Personaltelco Web sites (Appendix B). The separate table devoted to Prism chipset cards is included due to the significance of these cards for wireless penetration testing and open source software development. Check the wireless community Web sites mentioned for the most recent updates and use these tables when selecting the hardware to fit your specific requirements. Client cards that are excellent for building an 802.11 security auditing kit might not be the best cards for end-user wireless networking, and the opposite might be true.

The issues we have not covered yet are the regulated power output and the presence of MMCX external antenna connectors. Of the cards that we have tried, Cisco Aironet, Senao Long Range, and Zcomax XI-325HP had regulated IR output. Being able to adjust the IR is essential in both attack (stealth, preserving battery power) and defense (limiting the network perimeter, spread, and detectability) on WLANs; we return to this topic many times as the appropriate areas are reviewed. The importance of external antenna connectors can hardly be overestimated, even though you might want to have an additional client card with a built-in antenna for indoor security testing. There are many sites that describe how to weld a pigtail for an external antenna onto the built-in antenna connector; such is the (time and effort) price of not looking for a card with MMCX connector(s) in the first place. Finally, although the support for larger WEP key sizes and 802.1x might appear to be more relevant for the Defense chapters, it is useful to have it on a client card that is used for penetration testing. It can come in handy when connecting to a proprietary larger-WEP-key-size network after the key has been broken, or for brute forcing or guessing 802.1x access.

To summarize, proper selection of 802.11 client hardware and firmware is the first essential step in a successful wireless security audit. However, in the majority of cases you shouldn't worry if you did not pick your PCMCIA/CF card specifically for that. With some minor patching and reconfiguration, any client card should work fine. An exception is some of the newest combo a/b/g 32-bit CardBus cards with rare chipsets, but the development of flexible open source drivers for these is on the way and, hopefully, you won't have to wait for long until they are out and supported by 802.11 security auditing tools. Pay attention to the card's receiving sensitivity (the difference between -80 and -90 dBm is a factor of 10; think what kind of impact it will have on the distance of network discovery and the amount of data dumped). A cracker with a highly sensitive and powerful card linked to a high-gain antenna (mind the connectors!) might be able to attack from a position in which you could never expect him or her to be. Think about it when performing your WLAN site survey as the first stage of a proper wireless security audit. Do not assume that the attackers will try to get as close as they can and won't have equipment allowing them to attack from long range. After all, more sensitive and powerful cards are not necessarily more expensive, cheap high-quality antennas are abundant, and prices on amplifiers are slowly falling. The cost of assembling a very decent attacker's kit is not higher than the cost of deploying a casual home WLAN.
