Basic Wireless Auditing with Linux and Open Source Tools

By Todd Hughes, November 22, 2009

            On occasion I am called upon to perform some basic auditing of a client’s wireless network. The standard audit consists of war-walking/driving around the client’s premises to collect data on any available wireless networks and then hauling this data back to my office for a detailed analysis.

            Being a FOSS kinda guy, I utilize several open source tools and a Linux operating system. My OS preference is any Debian based distro; currently I am running Mepis 8 on my laptop. The latest BackTrack distro is an excellent choice too, as it has all the necessary tools already installed and mostly configured. While I do use BT a lot (I’ve got it installed on a bootable USB stick with a persistent partition to save changes to), I wanted to install some basic tools on my Mepis laptop so that I wouldn’t have to fire up BT every time I needed to do a quick audit.

            In order to do basic wireless testing you’re going to want a few wireless pen-testing tools installed. The best one I’ve found for discovery and data gathering is Kismet. Kismet sniffs 802.11a, b, and g traffic, identifies named wireless networks, exposes hidden networks, and captures all the packets into a dump file. It also works in conjunction with GPS to record the location coordinates of any networks discovered. I need to point out that you will require the latest version of Kismet: the older versions save data in a different format that won’t work with some of the tools referenced in this article. Debian based distros that use the stable repositories (like Mepis 8) will most likely grab the older version if you do an apt-get; Ubuntu, I believe, will get the latest version. The best bet is just to grab the latest source code (via SVN) and build from scratch; it’s very easy to do. If you’re familiar with the older Kismet, you are going to love the newest version.

            You will also need a decent rfmon (raw monitoring) capable wireless card. It’s also nice to have a card that is capable of doing packet injection for those jobs that require you to actually attack the client network (but that is out of scope for both the standard wireless assessment and this article). I use either a Cisco Aironet card (AIR-CB21AG-A-K9) or a Ubiquiti SRC300 with an external antenna. Both of these are PCMCIA cards with the Atheros chipset, perfect for our whitehat wireless exploits. Do a bit of Googling to determine if your card supports the necessary modes.

            Next up on our requirements list is some type of GPS antenna/receiver. There are many different flavors out there; I use the Pharos GPS500 III with the USB adapter. In addition to the GPS hardware you will need some software to make it work. I recommend “gpsd” and “python-gps”, both packages available via the standard apt repositories. (As a side note, there is a lot of mapping software available to turn your laptop into a GPS device a la TomTom, Garmin, etc. Take a look at Viking, GPSDrive, Roadnav, or Navit.)

            Some other tools I use are a python script “pykismetkmlv0.42.py”, available at Google Code (code.google.com), which converts the Kismet data files into a format that can be imported into Google Earth; “macchanger” (apt-get macchanger), which allows me to spoof the MAC address of my wireless card (always a good idea to disguise yourself); and “thcrut”, “fing”, “nmap” or some other tool that will allow you to gather MAC addresses on the client’s wired network. My favorite for this is “arp-scan” (it’s in the standard Debian repositories).

             At this point I will not be spoon feeding you a step-by-step “how-to for dummies” but rather assume that if you are doing this type of testing/auditing that you know how to handle yourself around Linux and the command line. That said, here’s my basic framework for a simple wireless audit:

             Configure Kismet to work with your wireless card and GPS receiver and make sure it will dump its data files somewhere that you can find them (the default /tmp/datafiles is not a good idea). Start up gpsd, verify that it’s getting a signal lock, spoof the MAC address of your wireless interface, put the interface in monitor mode, start up Kismet, and then spend some time walking/driving around the target site. Better yet, write a little script that will do all of the above (below is mine, feel free to edit for your needs):

#!/bin/bash
# Rebuild the madwifi VAP on the Atheros card in monitor (rfmon) mode
wlanconfig ath0 destroy
wlanconfig ath0 create wlandev wifi0 wlanmode monitor
# Spoof the MAC address before the interface comes up
macchanger -m 00:DE:AD:BE:EF:00 ath0
ifconfig ath0 up
# Start gpsd on the USB GPS receiver (-n: poll the device without waiting for a client, -D 2: debug level 2)
gpsd -n -D 2 /dev/ttyUSB0
# Kismet built from source installs here by default
/usr/local/bin/kismet

             After you’ve collected a good amount of data, shut down kismet, make sure you’ve got data, and then head to the wired network to grab a list of mac addresses. I run arp-scan against the internal network and save the data to a file somewhere. Remember, arp requires that you be on the same network segment that you are arp-scanning, so if there are several subnets you will need to physically plug into each one to grab the macs.

arp-scan -I eth0 192.168.11.0/24 > /data/11 gets me:

root@mepis:/home/thughes# cat /data/11
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.11.1    00:12:17:02:97:fe       Cisco-Linksys, LLC

1 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.6: 256 hosts scanned in 1.385 seconds (184.84 hosts/sec).  1 responded

            I suppose you may be wondering why I bother with the ARP scan stuff. Comparing a list of MAC addresses gathered on the wired network against the MAC addresses of all the wireless access points and clients can sometimes aid in determining if there are any “rogue” access points on the network.
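That comparison is easy to script once the data is in text form. The following is an added example, not code from the original article: it parses arp-scan’s output and a Kismet newcore .netxml file (the XML the newer Kismet writes; the element names used here follow that layout as I recall it, so check them against a real capture), then flags access points that look like they are plugged into the wired side. The embedded arp-scan listing and netxml excerpt are constructed for the example and every MAC in them is made up. Besides an exact BSSID match, it treats a wired MAC within a couple of addresses of the BSSID as a lead (many SOHO routers number their LAN and WLAN interfaces consecutively), and it reports any wireless client whose MAC also answered ARP, since that means the AP is bridging stations straight onto the LAN.

```python
import re
import xml.etree.ElementTree as ET

# Constructed arp-scan output in the format the article shows; all MACs are made up.
ARP_SCAN_OUTPUT = """\
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.11.1\t00:12:17:02:97:fe\tCisco-Linksys, LLC
192.168.11.23\t00:1d:7e:aa:bb:cc\tCisco-Linksys, LLC
192.168.11.77\t00:16:6f:12:34:56\tIntel Corporate
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.6: 256 hosts scanned in 1.385 seconds (184.84 hosts/sec).  3 responded
"""

# Constructed Kismet netxml excerpt. Element names follow the newcore .netxml
# layout as I know it; treat the exact schema as an assumption and verify it.
KISMET_NETXML = """\
<detection-run>
  <wireless-network number="1" type="infrastructure">
    <SSID><type>Beacon</type><encryption>WPA+TKIP</encryption>
      <essid cloaked="false">ClientCorp</essid></SSID>
    <BSSID>00:12:17:02:97:FD</BSSID>
    <wireless-client number="1" type="established">
      <client-mac>00:16:6F:12:34:56</client-mac></wireless-client>
  </wireless-network>
  <wireless-network number="2" type="infrastructure">
    <SSID><type>Beacon</type><encryption>None</encryption>
      <essid cloaked="false">linksys</essid></SSID>
    <BSSID>00:1D:7E:AA:BB:CC</BSSID>
  </wireless-network>
  <wireless-network number="3" type="infrastructure">
    <SSID><type>Beacon</type><encryption>WEP</encryption>
      <essid cloaked="false">CoffeeShop</essid></SSID>
    <BSSID>00:1F:3B:DE:AD:01</BSSID>
  </wireless-network>
</detection-run>
"""

# Host lines look like: <ip>  <mac>  <vendor>; banner lines do not start with an IP.
ARP_HOST = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(.*)$", re.I)


def parse_arp_scan(text):
    """Map lower-case MAC -> (ip, vendor) for each host line of arp-scan output."""
    wired = {}
    for line in text.splitlines():
        m = ARP_HOST.match(line.strip())
        if m:
            wired[m.group(2).lower()] = (m.group(1), m.group(3).strip())
    return wired


def parse_kismet_netxml(text):
    """Extract BSSID, ESSID, encryption and associated client MACs per access point."""
    nets = []
    for wn in ET.fromstring(text).findall("wireless-network"):
        if wn.get("type") != "infrastructure":
            continue  # probe requests and ad-hoc networks are not APs
        ssid = wn.find("SSID")
        nets.append({
            "bssid": (wn.findtext("BSSID") or "").lower(),
            "essid": (ssid.findtext("essid") if ssid is not None else "") or "",
            "encryption": [e.text for e in ssid.findall("encryption")] if ssid is not None else [],
            "clients": [(c.findtext("client-mac") or "").lower()
                        for c in wn.findall("wireless-client")],
        })
    return nets


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def suspicion_reasons(net, wired, slack=2):
    """Return (kind, wired_mac) pairs tying this AP to the wired network.

    bssid-exact:    the BSSID itself answered ARP on the wire.
    bssid-adjacent: a wired MAC within +/- slack of the BSSID.
    client-on-wire: an associated wireless client also answered ARP.
    """
    reasons = []
    by_int = {mac_to_int(m): m for m in wired}
    b = mac_to_int(net["bssid"])
    for delta in range(-slack, slack + 1):
        hit = by_int.get(b + delta)
        if hit:
            reasons.append(("bssid-exact" if delta == 0 else "bssid-adjacent", hit))
            break
    for client in net["clients"]:
        if client in wired:
            reasons.append(("client-on-wire", client))
    return reasons


def correlate(nets, wired, slack=2):
    """Return {bssid: net fields + 'reasons'} for APs that appear to be wired in."""
    findings = {}
    for net in nets:
        reasons = suspicion_reasons(net, wired, slack)
        if reasons:
            findings[net["bssid"]] = dict(net, reasons=reasons)
    return findings


def report(findings):
    """One line per flagged AP: BSSID, ESSID, encryption, and why it was flagged."""
    lines = []
    for bssid, f in sorted(findings.items()):
        enc = "/".join(f["encryption"]) or "unknown"
        why = "; ".join("%s %s" % r for r in f["reasons"])
        lines.append("%s  %-12s  %-10s  %s" % (bssid, f["essid"][:12], enc, why))
    return lines


if __name__ == "__main__":
    wired = parse_arp_scan(ARP_SCAN_OUTPUT)
    findings = correlate(parse_kismet_netxml(KISMET_NETXML), wired)
    print("%d wired hosts, %d AP(s) to follow up on:" % (len(wired), len(findings)))
    for line in report(findings):
        print(line)
```

Run it against a real capture by replacing the two embedded strings with the contents of your /data/11 style file and the Kismet .netxml. The adjacent-MAC rule is a lead, not proof: treat each hit as something to walk over and verify. As the article notes, arp-scan only sees the segment you are plugged into, so an AP on another subnet will not show up until you scan from there.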

            Now that you have all the data, you need to analyze it and present a report to the client. I use Wireshark to dig through the pcap dump and look for any sensitive info (passwords, usernames, etc.). Using the python script mentioned earlier, a .kml file can be created and imported into Google Earth to create some nice images to include in your report (like this):

[Image: Google Earth view of the wireless networks discovered]

            That’s about all there is to your basic wireless audit/assessment. Your report should probably include things like: a list of all wireless networks found and whether they could be associated with the client’s network, signal strengths, what type of encryption (if any) each network uses, a list of all clients discovered and which networks they were associated with, whether any sensitive data associated with the client’s network was captured, a map or diagram of the wireless networks discovered, and anything else you might feel relevant.

            As always, if you have any questions, comments, complaints, or would like to contribute to my beer fund, feel free to contact me at thughes@fwpm.com

Copyright 2009 Todd Hughes

Commercial software – worth the price?

Yesterday I came across an old topic in The Force Field forums about an incident in which a particular software vendor released an upgrade that caused an issue for a reseller. I responded to the post sympathetic towards the reseller and somewhat critical of the software industry in general.

I wasn’t targeting the specific application, in fact soon after this story broke they rectified the issue and as far as I know all has been well since.

I was merely using the incident as an example of how the software industry as a whole has overcharged and underdelivered since the early days and how we as consumers and users have been conditioned to just accept it as The Way Things Should Be.

I believe this conditioning began back in the early 80’s when the personal computer existed in the form of the Atari, Tandy, Commodore, Apple and IBM PCs. Software was often home-grown by startup software companies and sold on cassette tapes and 5 1/4 inch floppy disks in cheap packaging with poorly written instruction sheets. Applications, utilities and games were often written mostly in BASIC with ASCII or low-res graphics, barely ran without crashing and were sold for a premium simply because most users didn’t have the time or patience to write the programs themselves.

I remember I purchased an accounting program for my Commodore PET computer once on a cassette tape that cost about $20. The program was so full of bugs it was basically useless. In those days the software was not always compiled in machine language and you could often break the program from running and go through the code to fix it yourself, which is what some did.

Of course, if it didn’t work, you would return it. Because it could be easily copied, this quickly became a nightmare for software resellers. However, instead of improving the quality of the product before it went on sale, software vendors simply put a stop to accepting returns.

There was some quality stuff out there, but it was overshadowed by a plethora of junk. In time, users began to get a clue and started writing their own programs which they freely distributed on bulletin board systems (before Al Gore allegedly helped invent the Internet) and in user groups. There was also the free and illegal distribution of commercial software, some of which users felt was usable but not worth buying for one reason or another. This divided software into four basic types: freeware, shareware, commercial software and warez (pirated commercial software).

Some of the free user-created programs were quite good; so good, in fact, that it put some of their commercial counterparts to shame. That didn’t deter the commercial software companies.

The commercial vendors already had control over the terms of sale and use in the commercial market. To curb the piracy they began to require licensing agreements and further raised the price of the software – but not necessarily the quality.

Thirty years later nothing has changed. The software industry still takes us to the cleaners. Why? Because they can.

A whole generation of users were born and raised on crappy software, crappy service, crappy support on crappy terms at crappy prices. It’s all they experienced. It’s all they know. To these users it is The Way Things Are because it is The Way Things Are Supposed To Be. But it isn’t. Yet it is, because they let it be.

Don’t get me wrong. There is commercial software that is worth the price – every penny. Some of it is quite excellent. There is also a lot of it sitting on my shelf that I paid a lot more for and was not worth half. Yet the software vendor wants to fix it with an upgrade for a fee. That is simply unacceptable.

The software industry is the only industry I can think of that can get away with selling something that can have serious flaws, can and often will charge you more money for new and improved versions to fix those flaws (while sometimes introducing new flaws), maintains complete control over the product after you purchase it, tells you how you can and can’t use it, locks you and whatever you create into it so that you must use their product to access what you create with it and own, does not warranty the product, sells you something intangible that you do not actually own, forces you to agree to and sign a one-sided legal document in their favor AFTER you paid for it but before you can use it, and overcharges for the entire experience with no refunds.

In any other industry this would be called a scam. In the commercial software industry it’s just accepted business practice.

The worst part of it all is, as consumers, we expect it and because we expect it, we let them do it, because it meets our expectations, and we pay the price.

Geeks On Site is Making Geeks for Life by Adding more Benefits to VIP Program

Geeks On Site is adding additional features to their “Geeks for Life” program. “Geeks for Life” is a VIP plan Geeks On Site customers can join in order to receive special offers and coupons on myriad services for repair and maintenance.

Miami, FL (PRWEB) November 14, 2009 — Geeks On Site now sends their “Geeks for Life” members monthly postcards and emails with unique deals available exclusively for them. In addition, Geeks On Site has a special toll free number members can call for assistance on their account. These particular customers enjoy special treatment in appreciation of their loyalty to Geeks On Site.    

“Geeks On Site is looking for so much more than just one on-site visit or remote call; we believe in on-going customer care,” explains George Otte, president of Geeks On Site. Geeks On Site trains their customer service representatives and sales staff to always keep customer satisfaction as one of their main goals.

The “Geeks for Life” Program, which the Geeks On Site Customer Loyalty Department oversees, was created to reward repeat customers. This program offers a monthly computer tune up and unlimited assistance all at no additional cost to the Geeks On Site customers. Members can call in as many times as they wish, and request technical support, or to schedule preventative maintenance. Geeks On Site customers also receive expedited dispatch for onsite support. And Geeks On Site technicians not only repair and maintain PCs, Macs, and laptops, but peripherals such as printers, Blackberries and webcams. Finally, Geeks On Site’s “Geeks for Life” members receive 10% off any onsite service needed.

Geeks On Site has customers that have been with the company for almost eight years, which was when the company came into being. Geeks On Site says their customer base is growing at an incredibly rapid rate; therefore, the company is seeking new ways to stay connected with their customers. Geeks On Site is striving to give individualized attention to each and every client. The toll free number and the monthly offers are additions to make VIP customers feel appreciated; and to eventually have every customer join “Geeks for Life.”

National Electronics Service Dealers Association (NESDA)

The National Electronics Service Dealers Association is an organization for electronic repair professionals, primarily TV repair technicians and service companies, although some members are also computer techs.

Benefits include access to training materials, service literature and schematics, an e-mail self-help program called NESBANET, membership to a discount program called The Buying Group, your own listing at tvrepairpros.com, a tips program called TECHMATE, a spare parts database, discount parts program, credit card processor program, access to the NESDA Industry Relations Committee, ProService Magazine, listing in the Annual Directory and Yearbook, an insurance program, annual convention, technician, management and service center certification programs and political representation.

The association has been in existence for over 50 years. First time membership is $240/yr.

Contact:

NESDA
3608 Pershing Avenue
Fort Worth, TX 76107-4527
Phone: 817-921-9061
FAX: 817-921-3741

Membership benefits:
http://www.nesda.com/servicers/benefits.html

FREE 30-day trial membership:
http://www.nesda.com/servicers/trial.html

iTenol

iTenol is an Internet based national service company based in Milpitas California. The company offers break-fix work, software and hardware support and Managed Services. Little information about the company is available from the web site and the only apparent means of contacting them is either via e-mail, forms on the site and a "Click-To-Call" feature on the home page which promises "Your phone will ring within sixty seconds" after entering a contact number.

The Force Field attempted to contact iTenol using this method several times and has yet to receive a call.

NOTE: At this time there is no other valid contact information available other than the web site. A contact phone number for the company listed in Manta.com was disconnected. FF members reported receiving recruitment e-mails purportedly from iTenol. Use discretion when filling out such forms online and use caution when providing information. Use at your own risk.

Contact:

Jay Prakash, CEO

Service Provider Registration:
http://itenol.com/service-provider-registration/

IT Pros Seeking Security Certifications, CompTIA Survey Reveals

Interest also high in ethical hacking and forensics certifications

Oakbrook Terrace, Ill. (Vocus/PRWEB) November 5, 2009 — Information technology (IT) professionals are placing their bets on security-themed certifications as they plot their next career moves, a new study from CompTIA, the leading trade association for the IT industry, reveals.

The CompTIA survey of more than 1,500 IT workers found that 37 percent intend to pursue a security certification over the next five years. Another 18 percent of IT workers said they will seek ethical hacking certifications during the same time period, while 13 percent identified forensics as their next certification target. The results are included in the CompTIA study IT Training and Certification: Insights and Opportunities.

“Given the growing reach of security, with threats becoming more pervasive and dangerous and with no business or industry immune to those threats, it makes sense that many IT professionals view this as a must-have for career advancement,” said Terry Erdle, senior vice president, skills certifications, CompTIA.

Other technology areas where survey respondents said they will seek new certifications over the next five years include green IT, healthcare IT, mobile and software-as-a-service.

Economic advancement and personal growth are key drivers for seeking IT certifications, the CompTIA study also reveals. Eighty-eight percent of certification holders indicated they pursue a certification to enhance their résumé. An identical 88 percent said personal growth is a major or minor reason in their decision to pursue a certification.

IT workers are willing to invest the time and resources necessary to advance their career by adding new certifications to their credentials. On average, candidates for an IT certification spend 44.5 hours studying and preparing to sit for an exam; and approximately one in three individuals spend 60 or more hours preparing. Fifty percent of IT certification holders pay for the exams themselves, while 38 percent rely on an employer to cover the exam fee.

“This confirms that many professionals are truly committed to the IT field and take pride in developing their skills and showcasing their expertise,” Erdle said.

The web-based survey was completed by 1,537 IT professionals during the period from July 13 through July 31, 2009. Survey participants were primarily from the United States, Canada and the United Kingdom.

IT Training and Certification: Insights and Opportunities is available at no cost to CompTIA member companies. It can be accessed at CompTIA.org or contact research(at)comptia(dot)org.

About CompTIA
CompTIA is the voice of the world’s information technology (IT) industry. Its members are the companies at the forefront of innovation; and the professionals responsible for maximizing the benefits organizations receive from their investments in technology. CompTIA is dedicated to advancing industry growth through its educational programs, market research, networking events, professional certifications, and public policy advocacy. For more information, please visit www.comptia.org.

Contact:
Steven Ostrowski
Director, Corporate Communications
CompTIA
630-678-8468
sostrowski(at)comptia(dot)org

Episode 37 – Planning Your Business Part 1

Today we’re going to talk with an IT service provider who created a business plan, learn how he did it and find out how his business plan helped his business become more successful. Part 1 of a four part series.

TechPodcasts Promo Tag :10
Intro 1:17
Billboard 3:40

News and Comment segment 5:18
OnForce released their Services Market Index for the third quarter of 2009 October 21. The OSMI Q3 2009 report is available for download at http://www.onforce.com/OSMI/Q309.

IObit is giving away full one-year licenses of Security 360 Pro anti-malware utility until November 11, 2009. To obtain a free license, go to http://db.iobit.com/license-free/win7-special-offer.php

Sponsor: Try GotoAssist Express free for 30 days! For this special offer, visit www.GotoAssist.com/techpodcast.

NASBA is now offering a free 60-day trial version of security software from Kaspersky Lab for resellers through D&H Distributing.

Microsoft released Windows 7 October 22.

Commercial Break 1:00
Get Great Web Hosting at GoDaddy.com and save 10%! Listen for the discount code in the show. GoDaddy.com 1:00

Intro to Topic 1:58
Today we’re going to talk to Pat Palmer of The Computer Guy, learn about his business, hear how he took a course in business planning and find out how he created a plan for his business that helped him become more successful. Part 1 of a four part series.

Interview with Pat Palmer 15:45

Episode 38 Part 2 Teaser :25

Wrap up and Close :46

Comments, questions or suggestions? Send them in to comments@theforcefield.net. Feedback on this topic will be read by the host and included in future episodes of the show. Visit us at http://www.theforcefield.net !

©2009 Savoia Computer. All rights reserved.


http://media.techpodcasts.com/theforcefield/media.libsyn.com/media/theforcefield/The_Force_Field_37.mp3 

FaxBack Partner Program

FaxBack offers VoIP fax solutions for business, from small offices and workgroups to the enterprise. FaxBack has solutions for real time streaming of fax communications over Internet, Wi-Fi, Cellular and Satellite connections.

FaxBack Authorized Reseller Program can help your IT service business increase profits and expand sales opportunities by offering VoIP fax solutions to your customers.

Free 30-Day VoIP Fax Server Trial.

Contact:

FaxBack, Inc.
7409 SW Tech Center Drive
Suite 100
Portland, Oregon 97223

Telephone: 800-329-2225
Fax: 503-597-5399

FaxBack Authorized Reseller Program

Download the Reseller and Partner Application