Wednesday, May 31, 2006

Wardriving Counter-Measures

~~Random Wardriving Countermeasures~~

-Firstly..-
~Implement a reasonable and enforceable wireless security
policy that forbids unauthorized wireless devices, and
enforce it.

-Kismet-
~Kismet sees and records the Probe Request. So here is
your first countermeasure. Get yourself Kismet and look
for others probing your wireless network. Commercial
products like AiroPeek can help as well.
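The observation Kismet gives you is the Probe Request itself, so the useful question is which stations are probing in a way that looks like network discovery rather than a normal client reconnecting. The script below is an added example, not code from the original post or from Kismet; it works on constructed, simplified frame records (timestamp, frame subtype, source MAC, requested SSID) rather than Kismet's own log format, and the MACs, SSIDs and the CORP-WLAN network name are made up.

```python
"""Flag stations whose probe requests look like AP discovery.

Added example, not from the original post or from Kismet. The frame
records and every MAC/SSID in them are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed observations: (timestamp, subtype, source MAC, requested SSID).
# An empty SSID in a probe request is a wildcard ("any AP in range, answer"),
# which is how stumbling tools enumerate networks.
OBSERVED_FRAMES = [
    ("2006-05-31 10:00:00", "probe-req", "00:11:22:33:44:55", ""),
    ("2006-05-31 10:00:01", "probe-req", "00:11:22:33:44:55", ""),
    ("2006-05-31 10:00:02", "probe-req", "00:11:22:33:44:55", ""),
    ("2006-05-31 10:00:03", "probe-req", "00:11:22:33:44:55", ""),
    ("2006-05-31 10:00:05", "probe-req", "00:aa:bb:cc:dd:ee", "CORP-WLAN"),
    ("2006-05-31 10:00:07", "beacon",    "00:0c:41:00:00:01", "CORP-WLAN"),
    ("2006-05-31 10:00:09", "probe-req", "00:aa:bb:cc:dd:ee", "CORP-WLAN"),
    ("2006-05-31 10:00:12", "probe-req", "00:de:ad:be:ef:01", "linksys"),
]

OUR_SSIDS = {"CORP-WLAN"}  # the SSIDs we actually operate (constructed)


def find_probing_stations(frames, window_s=10, wildcard_threshold=3):
    """Return {source MAC: reason} for stations that appear to be scanning.

    Two indicators: a burst of wildcard probes from one station within
    window_s seconds, or probes for SSIDs we do not operate. A client
    probing only for our own SSID is normal behaviour and is not flagged.
    """
    wildcard_times = defaultdict(list)
    foreign_ssids = defaultdict(set)
    for ts, subtype, src, ssid in frames:
        if subtype != "probe-req":
            continue
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if ssid == "":
            wildcard_times[src].append(t)
        elif ssid not in OUR_SSIDS:
            foreign_ssids[src].add(ssid)

    suspects = {}
    for src, times in wildcard_times.items():
        times.sort()
        # Sliding window: count wildcard probes inside any window_s span.
        for i in range(len(times)):
            j = i
            while (j < len(times)
                   and times[j] - times[i] <= timedelta(seconds=window_s)):
                j += 1
            if j - i >= wildcard_threshold:
                suspects[src] = f"{j - i} wildcard probe requests in {window_s}s"
                break
    for src, ssids in foreign_ssids.items():
        suspects.setdefault(
            src, "probing for SSIDs we do not operate: " + ", ".join(sorted(ssids)))
    return suspects


if __name__ == "__main__":
    for mac, reason in find_probing_stations(OBSERVED_FRAMES).items():
        print(f"{mac}: {reason}")
```

Treat the output as a lead, not a verdict: ordinary laptops also send wildcard probes when they wake up or roam, so tune the burst threshold and window to what your own clients do before acting on a hit.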

-Disabling probe responses-
~When a workstation starts, it listens for beacon
messages to find an access point in range to connect
to. Even though the access point is sending
about 10 beacons a second, this is not always enough
for the workstation to detect it, because the workstation
has to monitor 11 channels by going to each channel and
waiting 0.1 seconds before moving to the next channel. Further,
when your authenticated access point’s signal starts
to weaken, your workstation needs to find another
access point. For this reason, the 802.11 standard
authors created the Probe Request. Your workstation
can send a Probe Request, which any access point in
range will respond to with a Probe Response. The
workstation quickly learns about all access points
in range. Now imagine that you’re not trying to
associate, but you’re just trying to find access
points in range, and you understand how NetStumbler
works. So, the countermeasure is quite obvious:
Turn off Probe Response on your access point.

-Increasing beacon broadcast intervals-
~The beacon interval is a fixed field in the management
frame. You can adjust the field to foil the fumbling
stumblers. If someone drives by your access point and
his or her device has to search all the channels and
land on each for 0.1 seconds, then again the
countermeasure is intuitive: Increase the beacon
broadcast interval. This increases the likelihood
that they won’t grab your beacon when driving by.
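The two countermeasures above rest on one piece of arithmetic: a passive scanner that dwells 0.1 seconds on a channel only hears your beacon if one falls inside that dwell, and with Probe Response turned off passive listening is all it has. The block below is an added example, not from the original post; it uses the 0.1 s dwell stated above and the 802.11 default beacon interval of 100 time units (102.4 ms), and otherwise makes no assumptions about any particular hardware.

```python
"""How likely is a passive drive-by scanner to hear one of your beacons?

Added example, not from the original post. The 0.1 s per-channel dwell is
the figure the post uses; 102.4 ms is the 802.11 default beacon interval
(100 time units of 1024 microseconds, roughly 10 beacons per second).
"""
import random

DEFAULT_BEACON_MS = 102.4
DWELL_MS = 100.0


def catch_probability(beacon_interval_ms, dwell_ms=DWELL_MS):
    """Analytical chance that a listener arriving at a random moment hears
    at least one beacon while dwelling dwell_ms on the channel.
    Beacon airtime is ignored, so a dwell longer than the interval is a
    certain catch."""
    return min(1.0, dwell_ms / beacon_interval_ms)


def simulate_catch(beacon_interval_ms, dwell_ms=DWELL_MS, trials=20000, seed=1):
    """Monte Carlo check of the same quantity: draw a random arrival phase
    within the beacon cycle and see whether the next beacon lands inside
    the dwell window."""
    rng = random.Random(seed)
    heard = 0
    for _ in range(trials):
        since_last_beacon = rng.uniform(0, beacon_interval_ms)
        if beacon_interval_ms - since_last_beacon <= dwell_ms:
            heard += 1
    return heard / trials


def passes_needed(beacon_interval_ms, confidence=0.95, dwell_ms=DWELL_MS):
    """Number of independent 0.1 s dwells on the channel a stumbler needs
    before hearing a beacon with the given confidence."""
    p = catch_probability(beacon_interval_ms, dwell_ms)
    if p >= 1.0:
        return 1
    passes, miss = 0, 1.0
    while miss > 1 - confidence:
        miss *= 1 - p
        passes += 1
    return passes


if __name__ == "__main__":
    for interval in (DEFAULT_BEACON_MS, 500.0, 1000.0):
        print(f"interval {interval:7.1f} ms: "
              f"catch per dwell {catch_probability(interval):.3f} "
              f"(simulated {simulate_catch(interval):.3f}), "
              f"dwells for 95% confidence: {passes_needed(interval)}")
```

The same numbers cut both ways: a 1000 ms interval drops a single drive-by dwell to about a 10 % chance of hearing you, but your own clients discover and roam to the access point on the same beacon schedule, so a long interval slows them too, and some client implementations simply will not join an access point that does not answer Probe Requests. Test the change on the workstations you actually support before rolling it out.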

-The HoneyPot, Fake'em Out-
~The term honeypot harkens back to childhood, Winnie
the Pooh and his love for honey. Perhaps you remember
how he found a pot of honey, put his head in, and got
stuck. Imagine this same concept applied to your
wireless network. You put an attractive system on
the network to draw hackers like a Pooh-bear
to honey. Invite the hackers in. While the hackers
are exploring the system, you watch them and try
to learn about them or their behavior.
It’s really easy to set up a honeypot system. Install
some access point software on a computer and then
create directories with names like Payroll or anything
that may grab a hacker's attention.

-Warning-
~Human nature suggests you might want to strike back
when you find someone attempting to breach your security.
This is not a good idea. You cannot fight back and you
might not want to anyway. Crackers often take over other
sites so you may harm an innocent party. If you have
evidence that someone is attempting to break in, contact
the Secret Service, the FBI, or your local law enforcement
agency.

-Turning The Tables-
~As we often see, security tools are double-edged.
Hackers have used Fake AP against hotspots. The hacker
runs Fake AP on a laptop near a hotspot, say at a
Starbucks. The clients wanting to use the Starbucks
hotspot cannot discern the real access point from the
cacophony of signals. This results in a denial of service
to the hotspot’s clients.

-Default SSID-
~Don’t turn on WEP and use a default SSID like linksys.
Scanning almost anywhere in the world will no doubt bring
up at least one system using the default SSID (i.e. linksys).
A program like Fake AP is useful for this purpose. If one
access point is good, then more is better. Black Alchemy developed Fake Access
then more is better. Black Alchemy developed Fake Access
Point, which generates thousands of counterfeit 802.11b
access points. Your real access point can hide in plain sight
amongst the flood of fake beacon frames. As part of a honeypot
or flying solo, Fake AP confuses NetStumblers and others.
Because stumblers cannot easily determine the real AP, the
theory is that they’ll move on to the real low-hanging
fruit, your neighbors. Fake AP runs on Linux and requires
Perl 5.6 or later. If you’re not Linux-inclined and prefer
the Windows platform, you could use Honeyd-WIN32, which creates
fake access points and simulates multiple operating systems.
And if you have some change burning a hole in your wallet,
try KF Sensor.

-The NeverEnding Search-
~Searching for unauthorized systems is often a matter of
timing and luck. You may find nothing during some walkthroughs
and several unauthorized systems during others. If at first
you don’t find anything suspicious, keep checking:
The unauthorized system could be temporarily powered
off at the time of your search.

-Wireless Intrusion Detection System-
~Use a full-fledged wireless intrusion-detection system
(WIDS) or network monitoring system that can find wireless
network anomalies, prevent bad things from happening, and
alert you in real time. Control access to authorized wireless
devices only by one or more of the following:
• MAC address
• SSID
• Communications channel used
• Hardware vendor type
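The four attributes in that list are exactly what a rogue-AP check compares: every access point heard on the air against an inventory of the ones you deployed, by BSSID, SSID, channel and vendor. The script below is an added example, not from the original post or from any WIDS product. The inventory, the observed beacons and the OUI-to-vendor table are all constructed for the example (the OUIs use the locally-administered bit so they cannot be mistaken for real IEEE assignments); a real deployment would read the observations from a monitoring tool such as Kismet and the vendor table from the IEEE registry.

```python
"""Rogue-AP check on BSSID, SSID, channel and vendor.

Added example, not from the original post or any WIDS product. The
inventory, observations and vendor table below are constructed; the OUIs
are deliberately locally-administered (02:...) placeholders, not real
IEEE assignments.
"""

# Constructed vendor table keyed by the first three octets (OUI) of a MAC.
OUI_VENDORS = {"02:11:22": "ExampleCorp APs", "02:33:44": "HomeRouter Inc"}

# Constructed inventory of the access points we actually deployed.
AUTHORIZED = {
    "02:11:22:00:00:01": {"ssid": "CORP-WLAN", "channel": 1},
    "02:11:22:00:00:02": {"ssid": "CORP-WLAN", "channel": 6},
    "02:11:22:00:00:03": {"ssid": "CORP-WLAN", "channel": 11},
}
AUTHORIZED_VENDORS = {"ExampleCorp APs"}

# Constructed beacon observations: (BSSID, SSID, channel).
OBSERVED_APS = [
    ("02:11:22:00:00:01", "CORP-WLAN", 1),    # matches inventory
    ("02:11:22:00:00:02", "CORP-WLAN", 11),   # our AP, but on the wrong channel
    ("02:33:44:aa:bb:cc", "linksys", 6),      # consumer router with default SSID
    ("02:11:22:ff:ff:ff", "CORP-WLAN", 6),    # our SSID, but not our device
]


def vendor_of(mac):
    """Look up the vendor from the OUI (first three octets) of a MAC."""
    return OUI_VENDORS.get(mac[:8].lower(), "unknown vendor")


def classify_ap(bssid, ssid, channel):
    """Return the list of findings for one observed AP; an empty list means
    it matches the inventory on every attribute."""
    findings = []
    entry = AUTHORIZED.get(bssid.lower())
    if entry is None:
        findings.append("unknown BSSID")
        if ssid in {e["ssid"] for e in AUTHORIZED.values()}:
            findings.append("advertises one of our SSIDs (possible impostor)")
        vendor = vendor_of(bssid)
        if vendor not in AUTHORIZED_VENDORS:
            findings.append(f"vendor {vendor} not in use here")
        return findings
    if entry["ssid"] != ssid:
        findings.append(f"SSID changed: expected {entry['ssid']}, saw {ssid}")
    if entry["channel"] != channel:
        findings.append(
            f"channel changed: expected {entry['channel']}, saw {channel}")
    return findings


def audit(observed):
    """Map each observed BSSID to its findings, omitting clean APs."""
    report = {}
    for bssid, ssid, channel in observed:
        findings = classify_ap(bssid, ssid, channel)
        if findings:
            report[bssid] = findings
    return report


if __name__ == "__main__":
    for bssid, findings in audit(OBSERVED_APS).items():
        print(bssid, "->", "; ".join(findings))
```

The ordering of the checks matters for how you read the report: an unknown BSSID that advertises your own SSID is the case worth a fast response, a known BSSID on an unexpected channel is usually a configuration drift, and a vendor mismatch on its own is weak evidence because MAC addresses, and therefore the vendor they imply, can be set to anything, as the Fake AP discussion above already shows.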