With wireless networks beginning to dominate both home and corporate networking, new challenges on the security front are inevitable. The first step in securing a wireless network is determining the state of the network (without any prior knowledge) and then providing a defense against intrusions. Enter Scapy, an excellent packet-crafting tool written in Python by Philippe Biondi. Unlike other sniffers such as Kismet, Scapy is scriptable and extremely easy to use.
This article outlines a methodology for wireless network assessment and intrusion detection using proven techniques with tools such as Scapy.
The Methodology: Passive Sniffing
A wireless network consists of several stations, which can be divided into two categories: access points and NICs (network interface cards). These stations communicate using IEEE 802.11 standards. The 802.11 packets that the stations transmit consist of three types of frames: management, control, and data. Each of these frames contains critical information that can help in establishing and managing communication channels between stations.
A wireless network assessment methodology can employ one of two techniques:
- Passive sniffing: This is done by sniffing wireless traffic in RF monitor mode to capture frames. By analyzing the captured frames, one can enumerate networks, harvest information, determine weak areas, and map possible attack vectors.
- Active packet injection: An attack plan can be built on the data gathered by passive sniffing. The plan involves injecting raw packets over the air at Layer 2 (Data Link) of the Open Systems Interconnection (OSI) model and observing the resulting network or product behavior. This can reveal vulnerabilities such as buffer overflows or authentication bypasses.
This article discusses a passive-sniffing methodology. The following are the steps for this approach:
- Set up a station for RF monitor mode
- Sniff packets and discover network access points
- Discover hidden access points and SSID (service set identifier)
- Harvest MAC and IP addresses
- Perform ongoing intrusion detection with sniffing
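The frame classification described above (management, control and data, from the two-byte Frame Control field) and the first enumeration steps of the methodology (discover access points, detect hidden SSIDs, harvest MAC addresses) can be demonstrated offline. The following is an added example, not code from the article or from Scapy: it is a pure-Python decoder for the 802.11 fields involved, standing in for what Scapy's Dot11/Dot11Beacon/Dot11Elt layers would give you, so that it runs without a wireless card. All frames it parses are constructed inline (BSSIDs, station MAC, SSIDs and channels are made up), and the data-frame address handling ignores the ToDS/FromDS flags, which a full decoder would consult.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
SUBTYPE_PROBE_RESP = 5   # management subtype 5
SUBTYPE_BEACON = 8       # management subtype 8
SSID_TAG = 0             # information element carrying the SSID
DS_PARAM_TAG = 3         # information element carrying the channel
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    ftype: str
    subtype: int
    addr1: str
    addr2: str
    addr3: str                   # BSSID in beacons and probe responses
    ssid: Optional[str] = None   # None if the frame carries no SSID element
    hidden: bool = False         # SSID element empty or all-zero (cloaked AP)
    channel: Optional[int] = None


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Decode Frame Control, the addresses and, for beacons/probe responses, the SSID and channel IEs."""
    fc0 = raw[0]
    ftype = (fc0 >> 2) & 0x3      # bits 2-3 of the first Frame Control byte
    subtype = (fc0 >> 4) & 0xF    # bits 4-7
    if ftype == 1:                # control frames have short headers; only addr1 is guaranteed
        return Frame("control", subtype, mac(raw[4:10]), "", "")
    fr = Frame(FRAME_TYPES.get(ftype, "reserved"), subtype,
               mac(raw[4:10]), mac(raw[10:16]), mac(raw[16:22]))
    if ftype == 0 and subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        body = raw[24 + 12:]      # 24-byte header, then timestamp(8)+interval(2)+capability(2)
        i = 0
        while i + 2 <= len(body):
            tag, ln = body[i], body[i + 1]
            val = body[i + 2:i + 2 + ln]
            if len(val) < ln:     # truncated IE: stop rather than misparse
                break
            if tag == SSID_TAG:
                if ln == 0 or val == b"\x00" * ln:
                    fr.hidden, fr.ssid = True, ""
                else:
                    fr.ssid = val.decode("utf-8", "replace")
            elif tag == DS_PARAM_TAG and ln == 1:
                fr.channel = val[0]
            i += 2 + ln
    return fr


def survey(frames: Iterable[bytes]) -> Tuple[Dict[str, dict], Set[str]]:
    """Enumerate APs by BSSID and collect MACs seen in data frames.
    A probe response from a cloaked AP reveals the SSID its beacons hide."""
    aps: Dict[str, dict] = {}
    stations: Set[str] = set()
    for raw in frames:
        f = parse_frame(raw)
        if f.ftype == "management" and f.ssid is not None:
            rec = aps.setdefault(f.addr3, {"ssid": None, "channel": None, "hidden": False})
            if f.subtype == SUBTYPE_BEACON and f.hidden:
                rec["hidden"] = True
            elif f.ssid:
                rec["ssid"] = f.ssid
            if f.channel is not None:
                rec["channel"] = f.channel
        elif f.ftype == "data":
            for a in (f.addr1, f.addr2):
                if a != BROADCAST:
                    stations.add(a)
    return aps, stations


# --- constructed sample frames (hypothetical BSSIDs, SSIDs and station MAC) ---
def ie(tag: int, val: bytes) -> bytes:
    return bytes([tag, len(val)]) + val


def build_mgmt(subtype: int, bssid: bytes, ies: bytes) -> bytes:
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<H", 100) + struct.pack("<H", 0x0411)
    return header + fixed + ies


AP1, AP2 = b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\xee"
CLIENT = b"\x00\xde\xad\xbe\xef\x01"
SAMPLE_FRAMES: List[bytes] = [
    build_mgmt(SUBTYPE_BEACON, AP1, ie(SSID_TAG, b"corpnet") + ie(DS_PARAM_TAG, b"\x0b")),
    build_mgmt(SUBTYPE_BEACON, AP2, ie(SSID_TAG, b"") + ie(DS_PARAM_TAG, b"\x06")),       # cloaked
    build_mgmt(SUBTYPE_PROBE_RESP, AP2, ie(SSID_TAG, b"hiddenlab") + ie(DS_PARAM_TAG, b"\x06")),
    bytes([0x08, 0x01]) + b"\x00\x00" + AP1 + CLIENT + b"\xff" * 6 + b"\x00\x00" + b"payload",  # data, ToDS
]

if __name__ == "__main__":
    aps, stations = survey(SAMPLE_FRAMES)
    for bssid, rec in aps.items():
        print(bssid, rec)
    print("stations:", sorted(stations))
```

With Scapy the same logic reads `pkt[Dot11].type`, `pkt[Dot11].addr3` and walks `Dot11Elt` layers; the point of the stand-alone decoder is to show exactly which header bits and information elements each methodology step depends on, and why a cloaked SSID is still recoverable from probe responses.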
Setting Up the Station for RF Monitor Mode
When you set up a station for RF monitor mode, its NIC must be able to sniff the 2.4 GHz spectrum and capture raw 802.11 packets. Most 802.11a/b/g NICs have this capability. This article uses Linux to set up the NIC; the Linux kernel contains drivers that support monitor mode for such cards.
Here is the command to put the interface in monitor mode:
root@bluelinux:/home/shreeraj/wifi# iwconfig eth1 mode monitor
root@bluelinux:/home/shreeraj/wifi# iwconfig eth1
eth1 IEEE 802.11b ESSID:"" Nickname:"Prism I"
Mode:Monitor Frequency:2.462 GHz Access Point: Not-Associated
Bit Rate:11 Mb/s Sensitivity:1/3
Retry min limit:8 RTS thr:off Fragment thr:off
Link Quality=76/92 Signal level=-26 dBm Noise level=-149 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
Note: For madwifi, you may need to use the wlanconfig command to set it up.
Next, you need to define a channel (frequency) on which to perform the packet sniffing. Use the following command (this example selects channel 11):
root@bluelinux:/home/shreeraj/wifi# iwconfig eth1 channel 11
You can also channel-hop to sniff different channels by assigning a slice of time to each of them.
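The channel selection and channel hopping just described can be scripted, and the `Frequency:` field of the `iwconfig` output shown above is the check that the card really landed on the requested channel. The following is an added example, not code from the article or from Scapy: it converts between 2.4 GHz channel numbers and centre frequencies, reads the channel back from `iwconfig` text, and drives a hopping loop by running the same `iwconfig <iface> channel <n>` command the article uses. The interface name `eth1` is taken from the page; the `run` parameter is an assumption added here so the schedule can be exercised without root or a wireless card, and the sample `iwconfig` text is a constructed copy of the output shown above.

```python
import re
import subprocess
import time
from typing import Callable, Iterable, List, Optional


def channel_to_mhz(channel: int) -> int:
    """2.4 GHz plan: channel n (1..13) is centred at 2407 + 5n MHz; channel 14 sits at 2484 MHz."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def mhz_to_channel(mhz: int) -> int:
    """Inverse of channel_to_mhz; rejects frequencies that are not 2.4 GHz channel centres."""
    if mhz == 2484:
        return 14
    offset = mhz - 2407
    if offset % 5 == 0 and 1 <= offset // 5 <= 13:
        return offset // 5
    raise ValueError(f"not a 2.4 GHz centre frequency: {mhz} MHz")


_FREQ_RE = re.compile(r"Frequency:(\d+(?:\.\d+)?) GHz")


def channel_from_iwconfig(output: str) -> Optional[int]:
    """Read the channel the card is actually tuned to from `iwconfig <iface>` output."""
    m = _FREQ_RE.search(output)
    if not m:
        return None
    return mhz_to_channel(round(float(m.group(1)) * 1000))


def hop(iface: str, channels: Iterable[int], dwell_s: float, rounds: int,
        run: Optional[Callable[[List[str]], object]] = None) -> List[List[str]]:
    """Cycle `iface` over `channels`, dwelling `dwell_s` seconds on each, `rounds` times.
    `run` defaults to executing iwconfig (needs root); inject a recorder to dry-run.
    Returns the list of commands issued."""
    run = run or (lambda cmd: subprocess.run(cmd, check=True))
    issued: List[List[str]] = []
    for _ in range(rounds):
        for ch in channels:
            channel_to_mhz(ch)   # validate before touching the interface
            cmd = ["iwconfig", iface, "channel", str(ch)]
            run(cmd)
            issued.append(cmd)
            time.sleep(dwell_s)
    return issued


# Constructed copy of the iwconfig output shown in the article (channel 11 = 2.462 GHz).
SAMPLE_IWCONFIG = (
    'eth1 IEEE 802.11b ESSID:"" Nickname:"Prism I"\n'
    "Mode:Monitor Frequency:2.462 GHz Access Point: Not-Associated\n"
    "Bit Rate:11 Mb/s Sensitivity:1/3\n"
)

if __name__ == "__main__":
    print("iwconfig reports channel", channel_from_iwconfig(SAMPLE_IWCONFIG))
    # Dry run: record the commands a hop over the non-overlapping channels would issue.
    recorded: List[List[str]] = []
    hop("eth1", [1, 6, 11], 0, 1, run=recorded.append)
    for cmd in recorded:
        print(" ".join(cmd))
```

Hopping over channels 1, 6 and 11, the non-overlapping 2.4 GHz channels, is a common compromise between coverage and dwell time; the dwell must be longer than the beacon interval (100 ms in most deployments) or beacons on a channel will be missed. Run `iwconfig eth1` after each hop and feed the output to `channel_from_iwconfig` to confirm the driver honoured the request.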