Detecting Rogue Wireless

April 28, 2008 – 6:10 PM

Wireless networking technologies are a rich playground for hackers — both ethical penetration testers and malicious attackers. There are many avenues of attack, ranging from attacking the infrastructure, the clients, or the actual traffic through man-in-the-middle sniffing and manipulation. Rich Mogull covered the wireless “Evil Twin” attack in his recent “Hacking WiFi” column, where he describes a malicious wireless network set up to spoof a legitimate one to exploit users’ vulnerable Web browsers or to steal their credentials.

What about wireless attacks closer to home — as in your enterprise network? There are protections you can put into place on clients that limit which access points they can connect to based on name, MAC address, and network characteristics such as DNS, gateway, and subnet. What would happen if someone plugged a wireless access point (AP) into your network? Maybe you’ve got some sort of NAC-ish solution to prevent it from getting an IP, but suppose an attacker found a rarely used network printer, changed the MAC address on the AP to match the printer, and plugged it in?

This is one of the many attacks that Paul Asadoorian and Larry Pesce of the popular PaulDotCom Security Weekly podcast have been researching over the last year as they put together their book, “Linksys WRT54G Ultimate Hacking,” and developed a course for the SANS Institute, “Network Security Projects Using Hacked Wireless Routers.” I caught the last half hour of Larry’s SANS course in Orlando and was able to spend a few minutes talking with him. They’ve done some impressive work and the clever ways of hiding rogue access points in common everyday office spaces are interesting.

How do you find these rogue devices on your network? Larry suggested a combination of several techniques, including regular scanning with a laptop and Kismet, some fixed scanning with a machine monitoring for new networks (as simple as your own hacked WRT54G running Kismet), wired-side scanning looking for access points plugged into the network, and setting policies against plugging wireless APs (though malicious attackers don’t care about policies).

Take a look at your DHCP and switches for MAC addresses that don’t fit the common hardware profile of your machines. Do some scanning of your own with Kismet and a laptop. Or give RogueScanner a try. Hopefully, you won’t find anything suspicious, but with the proliferation of wireless devices now, I wouldn’t be surprised if you did.
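As an added illustration of the DHCP/switch-table check above (my own example, not code from the article, the book, or the SANS course), here is a small wired-side pass over a constructed switch MAC-table export. It assumes a hypothetical OUI-to-hardware-class table and a hypothetical asset inventory (MAC to expected port); both are placeholders, and it flags unknown vendor prefixes, inventoried devices showing up on an unexpected port, and one MAC seen on several ports at once.

```python
"""Flag switch-table entries that don't fit the expected hardware profile."""
import re

# Constructed placeholder OUI (first 3 bytes of a MAC) -> hardware class.
# Not real IEEE registry entries; in practice load the IEEE OUI list.
APPROVED_OUIS = {"00:11:22": "corporate-laptop", "00:33:44": "printer"}

# Constructed asset inventory: MAC -> switch port it is expected on.
INVENTORY = {"00:33:44:aa:bb:cc": "Gi1/0/7"}

# Constructed sample of a "show mac address-table"-style export (port, MAC).
MAC_TABLE = """\
Gi1/0/1  00:11:22:01:02:03
Gi1/0/7  00:33:44:aa:bb:cc
Gi1/0/9  00:33:44:aa:bb:cc
Gi1/0/12 00:55:66:de:ad:01
"""

MAC_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<mac>(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})$", re.I
)


def normalize(mac):
    """Lower-case and colon-separate a MAC so OUI slicing is consistent."""
    return mac.lower().replace("-", ":")


def find_rogues(table, approved=APPROVED_OUIS, inventory=INVENTORY):
    """Return (mac, port, reason) tuples for entries worth a closer look."""
    findings = []
    ports_seen = {}
    for line in table.splitlines():
        m = MAC_RE.match(line.strip())
        if not m:
            continue  # skip headers or blank lines
        port, mac = m.group("port"), normalize(m.group("mac"))
        ports_seen.setdefault(mac, set()).add(port)
        if mac[:8] not in approved:
            findings.append((mac, port, "unknown-oui"))
        elif mac in inventory and inventory[mac] != port:
            findings.append((mac, port, "moved-port"))
    # A MAC on two ports at once: cloned address (e.g. the printer trick above).
    for mac, ports in ports_seen.items():
        if len(ports) > 1:
            findings.append((mac, "+".join(sorted(ports)), "duplicate-mac"))
    return findings


if __name__ == "__main__":
    for mac, port, reason in find_rogues(MAC_TABLE):
        print(f"{reason:14} {mac} on {port}")
```

A cloned MAC plugged into the printer's own port after the printer is unplugged passes this check unnoticed, which is exactly why the RF-side scanning with Kismet is still needed alongside it.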

Source: Dark Reading
