With the recent release of several new wireless exploits, I thought this might be a good time to revisit an "oldie but goodie" security tactic.
I don't keep statistics on hackers (number, skill level, favorite targets, tools used), and I don't think anyone does (the feds have tried), because it's impossible. Feel free to try, but you'll probably get hacked.
But I can tell you about the current trends, the major players, the latest exploits and newest tools used in the hacker community; although, this information isn't always the most important. Many IT managers focus on the latest threats and hacks, while sometimes overlooking the more relevant ones.
Most hackers are not very good hackers, and these are the ones to worry about. The majority are script-kiddies, the wannabes who use automated scripts and obsolete methods. However, they are persistent, determined, fearless and numerous. Wireless technology and its potential for anonymity make it a lucrative target for the growing armies of novice hackers.
Tools like Kismet and NetStumbler have simplified the collection and analysis of wireless packets, and setting up rogue APs is relatively easy. The simplification of wireless attacks has provided fuel for wardriving and made open access hotspots a dangerous place to surf.
Today's corporate networks employ modern WIDS, WIPS and strong mutual authentication protocols as part of a multi-layered security strategy. However, the SMB market often lacks the budget or the need for some of these measures; often the use of the latest encryption protocols will suffice. Nevertheless, some older prevention measures will often catch hackers by surprise.
Black Alchemy's "Fake AP", originally developed in 2002, uses an interesting technique. With the wireless card in master mode, this Linux application broadcasts 802.11 packets at such a rate that it creates the appearance of thousands of APs. Occasionally, this was used as an attack tool to flood the radio spectrum and overwhelm a WIDS with data from the fake rogue APs. Of course, it was soon adopted strictly as a tool for "security researchers" to perform WIDS stress testing.
Despite its effectiveness, Fake AP's illusion was limited by the wireless card's driver, which sets certain fields to defaults while in master mode. This resulted in several commonalities in its broadcast data: frequent resetting of sequence numbers, consistently low BSS timestamps across the many apparent sources, and identification of the wireless card through support parameters repeated over time across beacon frames for different APs. Scanners use this information to flag the fake APs.
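As an added illustration of how a scanner applies those three fingerprints to a capture, here is example detection logic that is not Fake AP's or any scanner's own code; the beacon records are constructed, and the one-minute TSF threshold and cluster size of three are assumptions.

```python
from collections import defaultdict

# Constructed beacon records (not real captures): one tuple per frame,
# (bssid, sequence_number, tsf_timestamp_us, supported_rates).
SAMPLE_BEACONS = [
    ("02:00:00:00:00:01", 4, 120_000, (1, 2, 5.5, 11)),
    ("02:00:00:00:00:01", 1, 130_000, (1, 2, 5.5, 11)),   # sequence reset
    ("02:00:00:00:00:02", 3, 125_000, (1, 2, 5.5, 11)),
    ("02:00:00:00:00:02", 0, 131_000, (1, 2, 5.5, 11)),   # sequence reset
    ("02:00:00:00:00:03", 2, 118_000, (1, 2, 5.5, 11)),
    ("02:00:00:00:00:03", 1, 121_000, (1, 2, 5.5, 11)),   # sequence reset
    # A long-running AP with its own rate set and monotonic sequence numbers.
    ("00:11:22:33:44:55", 3101, 9_876_543_210, (1, 2, 5.5, 6, 9, 11, 12, 18)),
    ("00:11:22:33:44:55", 3102, 9_876_645_600, (1, 2, 5.5, 6, 9, 11, 12, 18)),
]

LOW_TSF_US = 60 * 1_000_000   # assumed: under a minute of "uptime" is suspiciously low
SEQ_WRAP_GUARD = 4000         # a drop from near 4095 to 0 is a legitimate 12-bit wrap

def flag_fake_aps(beacons, min_cluster=3):
    """Return {bssid: set(reasons)} for BSSIDs matching the Fake AP fingerprint."""
    by_bssid = defaultdict(list)
    for bssid, seq, tsf, rates in beacons:
        by_bssid[bssid].append((seq, tsf, rates))
    # Identical support parameters across many BSSIDs point to one card behind them all.
    by_rates = defaultdict(set)
    for bssid, frames in by_bssid.items():
        for _, _, rates in frames:
            by_rates[rates].add(bssid)
    # Many distinct BSSIDs whose TSF timers all read near zero share one recent origin.
    low_tsf = {b for b, fr in by_bssid.items() if all(t < LOW_TSF_US for _, t, _ in fr)}
    reasons = defaultdict(set)
    for bssid, frames in by_bssid.items():
        seqs = [s for s, _, _ in frames]
        resets = sum(1 for a, b in zip(seqs, seqs[1:]) if b < a and a < SEQ_WRAP_GUARD)
        if resets:
            reasons[bssid].add("sequence number reset")
        if len(by_rates[frames[0][2]]) >= min_cluster:
            reasons[bssid].add("shared support parameters")
        if bssid in low_tsf and len(low_tsf) >= min_cluster:
            reasons[bssid].add("low BSS timestamp cluster")
    return dict(reasons)
```

Each fake BSSID trips all three checks, while the long-running AP trips none; in practice a scanner would weight the checks rather than treat any single one as conclusive.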
However, this problem was overcome through the use of raw socket packet injection, giving birth to Raw Fake AP, or rfakeap. Like Fake AP, it provides the same 802.11 emulation, but with added frame customization: specifically, the creation and injection of both beacon and probe response frames, which causes considerable confusion for wardriving script kiddies.
The scanners most commonly used to invade the airwaves are Kismet and NetStumbler. The passive scanning employed by Kismet listens for beacon frames, while the active scanner, NetStumbler, seeks probe response frames. Therefore, using this tool, one can effectively create a sea of fake APs that appear to be real, frustrating the waves of wireless hackers to the point of exhaustion.
So...when deciding on a new defensive weapon for your arsenal of wireless protection, try reloading your old rfakeap Shotgun, and blast a few thousand APs at those annoying scanners.
How's my WarDriving? Scan my network of APs and set up your rogues at: greyhat@computer.org
With 20+ years of industry experience, Noah Schiffman is a former black-hat hacker turned security consultant. Coding at an early age, he developed one of the early text/graphic editing applications and started his first software company in 1980 when he was 11 years old. With the advent of networking technologies, he soon mastered the art of manipulating telco switching systems, known as "Phone Phreaking". This soon led to his career as a computer hacker, performing penetration testing, reverse engineering, cryptographic attacks, corporate espionage, digital surveillance and other ethically questionable projects.
His clients have consisted of Fortune 500 companies and various government agencies.
He has authored a number of articles for SearchSecurity.com, on topics ranging from kernel mode and metamorphic viruses to corporate data loss prevention.