For $40, anyone can purchase a cheap wireless AP and plug it into the company network. Often, employees do this simply for the sake of convenience, not realizing that it opens the company to attack. Criminals also deliberately plant wireless access points, which allow them to bypass the pesky firewall and remotely access the network later on. These days, disgruntled employees can easily hide an AP behind the file cabinet before cleaning out their desks, and then access the company network months later from the parking lot.
Many companies conduct regular “war-walking” scans to detect rogue access points (e.g. using Kismet or NetStumbler), or invest in commercial Wireless Intrusion Detection Systems (WIDS). However, there are sneaky ways to bypass traditional war-walking and WIDS systems. Recently, I took Josh Wright’s excellent “Wireless Ethical Hacking” SANS class, and he touched on a number of tricks that attackers can use to foil your company’s rogue WAP detection efforts. Here are a few:
1) Channel 14
In the United States, the FCC has licensed 11 channels for 802.11b/g, with center frequencies from 2.412 GHz to 2.462 GHz. However, most of Europe allows 13 channels (up to 2.472 GHz), and Japan allows 802.11b all the way up to channel 14, at 2.484 GHz.
Cards manufactured for the United States often don’t support channel 14, since it’s illegal to transmit on that frequency there. Adjacent channels overlap, but at 2.484 GHz, channel 14 is far enough away from channel 11 that a card listening on channel 11 is unlikely to pick up much of a channel 14 signal. If an attacker were to configure an AP to illegally transmit on channel 14 and exfiltrate data at 2.484 GHz, security teams monitoring only the US channels would probably never detect it.
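As an added worked example (not part of the original post), here is the arithmetic behind that claim: the 2.4 GHz channel plan, a simple overlap test, and the channels a scanner that only steps through the US set would neither tune to nor overlap. The 22 MHz channel width and the regulatory channel sets are assumptions taken from the 802.11b channel plan and the counts given above.

```python
# Added example: which 2.4 GHz channels a US-only scan never overlaps.
# Assumes the 802.11b DSSS channel width of 22 MHz and the regulatory
# channel sets given in the post (US 1-11, Europe 1-13, Japan 1-14).
CHANNEL_WIDTH_MHZ = 22

REGULATORY_CHANNELS = {
    "US": range(1, 12),
    "EU": range(1, 14),
    "JP": range(1, 15),   # channel 14 is 802.11b-only in Japan
}

def center_freq_mhz(channel):
    """Center frequency of a 2.4 GHz 802.11b/g channel, in MHz."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel      # 5 MHz spacing, channel 1 = 2412 MHz
    if channel == 14:
        return 2484                    # 12 MHz above channel 13, not 5
    raise ValueError("not a 2.4 GHz channel: %r" % (channel,))

def channels_overlap(a, b):
    """True if the two channels' passbands share any spectrum."""
    return abs(center_freq_mhz(a) - center_freq_mhz(b)) < CHANNEL_WIDTH_MHZ

def uncovered_channels(scanner_domain, rogue_domain="JP"):
    """Channels an AP from rogue_domain could use that a scanner stepping
    through scanner_domain's channels would neither tune to nor overlap."""
    scanned = set(REGULATORY_CHANNELS[scanner_domain])
    return [c for c in REGULATORY_CHANNELS[rogue_domain]
            if c not in scanned
            and not any(channels_overlap(c, s) for s in scanned)]
```

uncovered_channels("US") reports [14]: channels 12 and 13 at least bleed into a channel 11 scan, but channel 14 does not, so a scan has to tune to it explicitly, on hardware that can.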
2) 802.11n Green Field mode
The IEEE has been hard at work on the 802.11n (“MIMO”-based) specification, which allows much greater throughput than 802.11a/b/g (100 Mbps or more). The draft 802.11n standard specifies two modes:
- “Mixed-mode,” which allows it to work with legacy 802.11a/b/g networks;
- “Green Field” or “high-throughput only” mode, which takes full advantage of the enhanced throughput but is not visible to 802.11a/b/g devices. Older devices will see GF-mode traffic only as noise.
Not visible to 802.11a/b/g devices? That means if you’re war-walking with an 802.11a/b/g card, you can’t see 802.11n devices operating in Green Field (GF) mode. The specification hasn’t even been finalized, but 802.11n devices are already available for as little as $50: easy to buy, easy to plug into your company’s network. However, most companies have not yet purchased 802.11n-compatible equipment and hence can’t detect GF-mode 802.11n rogue APs.
Josh published a vulnerability report explaining this, in which he wrote: “With the inability to decode GF mode traffic, an attacker can position a malicious rogue AP on a victim network using the GF mode preamble. This would allow an attacker to evade wireless intrusion detection systems (WIDS) based on non-HT devices. This includes all WIDS devices based on 802.11a/b/g wireless cards.”
3) Bluetooth Access Point
If you’re like me, when you think about Bluetooth you envision your tiny little headset which crackles and hisses every time you walk too far away from your phone. That’s because your Bluetooth headset is designed for a Class 2 Bluetooth network, which is fairly low-power and has a maximum range of ~10 m.
However, there’s more to Bluetooth than your rinky-dink headset. Bluetooth Class 1 devices are much more powerful, with ranges similar to 802.11b wireless APs. A Bluetooth Class 1 device can transmit up to 100 mW, with a typical range of ~100 m (or miles, if the receiver has a directional antenna). You can buy a Class 1 Bluetooth AP for $100 to $200.
Can you discover Bluetooth APs while war-walking? Not if you’re just using an 802.11 card. Even if you’re using a spectrum analyzer like WiSpy, you may not notice it. Bluetooth uses Frequency Hopping Spread Spectrum, and hops 1600 times a second throughout the 2.402 to 2.480 GHz band. Because it’s spread out across the spectrum, it can be hard to notice and is easily mistaken for noise by the untrained eye. Most WIDS products and security teams simply don’t look for it (yet).
4) Wireless Knocking
This is my favorite. Remember port knocking? Instead of installing a backdoor to listen on a particular port (where it might be noticed), l33t h4x0rs installed rootkits that would wait for a particular sequence of ports to be scanned, at which point the knocker’s IP address would be granted access. “A three-knock simple TCP sequence (e.g. port 1000, 2000, 3000) would require an attacker without prior knowledge of the sequence to test every combination of three ports in the range 1-65535, and then to scan each port in between to see if anything had opened… That equates to approximately 65535^4 packets in order to obtain and detect a single successful opening. That’s approximately 18,445,618,199,572,250,625 or 18 quintillion packets.” (Wikipedia)
With wireless knocking, a rogue AP sits on the network in monitor mode, listening for probe requests. When the rogue AP receives a packet (or sequence of packets) with the preconfigured SSID, it awakens and switches to master mode. The program “WKnock” is designed for this purpose, and it can be installed on any AP supported by the OpenWRT framework. During times when the rogue AP isn’t active, it is silent and can’t be detected using common wireless scanning tools.
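As an added example (not code from the post, from WKnock, or from any WIDS product), a minimal parser for the tagged parameters in an 802.11 beacon or probe request body, which is what a monitor built on an 802.11n-capable card gets to inspect: for beacons it reports the SSID, the DS Parameter channel and whether the HT Capabilities element advertises HT Greenfield (the section 2 problem), and for probe requests it extracts the SSID, which is exactly the “knock” a WKnock-style AP waits for (section 4). The element IDs and the Greenfield bit position follow the 802.11 standard; the sample frame bodies are constructed by hand.

```python
import struct

# Element IDs of the tagged parameters the summary inspects.
IE_SSID, IE_DS_PARAM, IE_HT_CAPS = 0, 3, 45
HT_GREENFIELD_BIT = 1 << 4     # B4 of the 16-bit HT Capabilities Info field
BEACON_FIXED_FIELDS = 12       # timestamp(8) + interval(2) + capability(2)

def parse_ies(body):
    """Yield (element_id, payload) pairs; stop cleanly at a truncated element."""
    i = 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        payload = body[i + 2:i + 2 + length]
        if len(payload) < length:
            break              # frame was cut short; ignore the partial element
        yield eid, payload
        i += 2 + length

def summarize(ies):
    """SSID, channel and HT Greenfield flag from a run of tagged parameters
    (a probe request body is exactly that; for a beacon use summarize_beacon)."""
    info = {"ssid": None, "channel": None, "ht_greenfield": False}
    for eid, payload in parse_ies(ies):
        if eid == IE_SSID:
            info["ssid"] = payload.decode("utf-8", "replace")
        elif eid == IE_DS_PARAM and len(payload) == 1:
            info["channel"] = payload[0]
        elif eid == IE_HT_CAPS and len(payload) >= 2:
            caps = struct.unpack_from("<H", payload)[0]
            info["ht_greenfield"] = bool(caps & HT_GREENFIELD_BIT)
    return info

def summarize_beacon(body):
    """Beacon bodies carry fixed fields ahead of the tagged parameters."""
    return summarize(body[BEACON_FIXED_FIELDS:])

# Constructed sample frame bodies (built by hand, not captured traffic): a
# beacon from an AP advertising HT Greenfield on channel 14, and a probe
# request carrying a made-up SSID of the kind a knocking AP waits for.
SAMPLE_BEACON = (
    bytes(BEACON_FIXED_FIELDS)
    + bytes([IE_SSID, 5]) + b"rogue"
    + bytes([IE_DS_PARAM, 1, 14])
    + bytes([IE_HT_CAPS, 26]) + struct.pack("<H", 0x0010) + bytes(24)
)
SAMPLE_PROBE = bytes([IE_SSID, 9]) + b"knock-me!"
```

Client devices probe for all sorts of SSIDs, so a probe alone says little; what is worth alerting on is a beacon that first appears right after an unusual probe, or any beacon advertising HT Greenfield on a channel your legacy scanners never tune to.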
If you want to learn more about wireless attacks and defense, I definitely recommend Josh Wright’s class – SANS 617.
PGP-signed text: 2009-03-09