1. Wireless Security, Wardriving, and Detecting Rogue Access Points Using Kismet Wireless Scanner By: Lance Howell

2. Wireless Security WEP (Wired Equivalent Privacy) WPA (Wi-Fi Protected Access) WPA2 (Wi-Fi Protected Access version 2)

3. Weaknesses in WEP Older Equipment and devices Supports no keys or a shared key management system. You have to manually change your keys The Initialization Vector (IV) is too short and sent in clear text IVs are static No cryptographic integrity protection is implemented

4. Weakness in WPA Using short Pre-shared Keys (PSK) Dictionary Attacks

5. Reconnaissance First Popular Software NetStumbler Windows Mac No Linux Based Version Kismet Popular for professionals Linux version Windows called Kiswin v 0.1 Last Update 2005

6. Reconnaissance continued Use the software to listen to traffic Access Points (AP) Broadcast SSID Encryption Status Rather it is Broadcasting or not AP Information GPS Information Map Locations

7. Sniffing Passive and Undetectable to Intrusion Detection Systems (IDS) Attackers can Identify Additional Resources that can be Compromised Authentication Types Use of Virtual Private Networks (VPN), Secure Sockets Layer (SSL), and Secure Shell (SSH) helps protect against wireless interception

8. Spoofing and Unauthorized Access Due to TCP/IP Design, there is little that can be done to prevent Media Access Control/IP (MAC/IP) Address Spoofing Static Definition of MAC Address Tables can this attack be prevented Staff must be diligent about logging and monitoring those logs to try to address spoofing attacks so they can be identified.

9. Kismet and Wardriving Info. Gathering, Analysis And Research

10. Introductions Console-based wireless analysis tool Passive; captures traffic from wireless cards in monitor mode Observes activity from all networks within range Wardriving tool of choice Wardriving is legal Included in Backtrack 4 ready to run and use

11. Versions Stable Developmental Newcore Purpose Recon Enumeration

12. Objectives of Kismet Locate and Identify AP(s) BSSID, ESSID, Channel and Encryption GPS data And more… Locate and Identify Client(s) MAC Address Manufacturers Spectrum Analysis Drones/Open-Source WIPS

13. Data Obtained Text (txt) Comma Delimited File (CSV) XML GPS Pcap NetXML

14. LOG Files

15. Netxml Logging File Can be imported into Excel for post-processing analysis Rename to “.xml”, select “read-only workbook” when opening Requires Internet access to download Kismet DTD file Allows you to graph results, add details for additional analysis

16. Reporting on AP Uptime “=U267/(1000000*(60*60*24))”

17. Startup Kismet will prompt to start the Kismet Server at startup Once the Kismet server has started, you will be prompted for the first packet source

18. Kismet Sources Specify the available wireless interface as a packet source “wlan0, “wlan1”, etc. Kismet will identify the needed information, place the interface in passive capture mode Add as many sources as you want from Kismet Add Source Can also specify libpcap wireless packet capture files as sources

19. Kismet Newcore Screenshot

20. Plugins Plugin architecture to extend functionality Distributed with Kismet: Aircrack-PTW, Spectools Third-Party: DECT wireless sniffing Kismet Plugins Status of plugins, version information Enable or disable UI plugins See list of Kismet Server plugins

21. Extending Kismet Device Manufacturer Name Kismet relies on Wireshark’s “manuf” file to identify manufacturers File can be updated with make-manuf script (not distributed with BT4) # wgethttp://anonsvn.wireshark.org/wireshark/trunk/wka.tmpl # wgethttp://anonsvn.wireshark.org/wireshark/trunk/manuf.tmpl # wgethttp://anonsvn.wireshark.org/wireshark/trunk/make-manuf # perl make-manuf # mvmanuf /usr/share/wireshark

22. Graphical Representation Gpsmap (old) Pykismet Kismet-earth Kisgearth

23. GISKisment Building Visual Representations of Kismet data Correlate information in database Graphically represent information Filter out non-useful information

24. GISKismet- Filters Input Filters AP configuration data Query filters on any information AP configuration Client information GPS coordinate(s) Filter Input Insert all AP(s) on channel 6 named Linksys Filter Output Output all AP(s) without encryption

25. Tips on Protecting the Network Use an External Authentication Source RADIUS SecurID Protect MAC Spoofing: Use a Secure Connection for all Host Services Accessed by the Network SSH SSL Use a Dynamic Firewall

26. System Administrators Poor performance on the wireless network complaint Things to observe: What AP are the clients connecting to? Are all AP’s properly configured? Lots of retries indicating poor connections or noise Lots of missed beacons indicating noise or faulty APs What channels are being utilized?

27. Retries are normal in small numbers; more than sustained 10% is a problem

28. Signal and Noise/Channel Packet Rate (Real Time) Data Frames (Cumulative) Networks Count (Yellow is historic, green is currently active) Detail View (Scroll with arrow keys)

29. Auditors Are the networks configured per specification? SSID cloaking enabled/disabled? Appropriate encryption and authentication settings? Are there unencrypted networks (when there shouldn’t be)? Kismet walkthrough while channel hopping, post-processing analysis.

30. Security Analysts Network discovery & analysis Are there open Aps or weak crypto? What are the clients on the network? What kind of EAP types are in use? Post-processing data evaluation Third-Party tools with Kismet pcap files, XML records, nettxt summaries