Michael Ruebner <njus@lunchinglads.net> hath wroth:
>Jeff Liebermann:
>
>> Dumb. WEP can be cracked. Switch to WPA or WPA2 with a long and
>> convoluted pass phrase.
>ACK. I was in the process of switching to a RADIUS setup anyway. However,
>two things: first, I'll have to cover my behind from charges potentially
>arising from the intruder's forays into Kazaa land. Plus, I don't buy into
>that black-hat lore that, just to prove a point, it's ok to pick the
>antiquated lock on my door and help yourself to some free beer...
RADIUS is generally overkill for home users. The idea is to just find
an encryption scheme that will prevent anyone from using your access
point. The only real advantage is that WPA-RADIUS will assign a WPA
key that is unique for the session and user. There's no common shared
key that can be sniffed or extracted from a client computer.
>> More, if you want, when I have more time.
>
>Please do. How do you actually 'see' the rogue client? I've been doing
>some Kismet scans around the neighborhood, but all I seem to get are the
>other APs out there.
Yes, but there's a catch. You must have a wireless client that can be
shoved into the promiscuous or monitor modes or it will only sniff
your own traffic. There are plenty of cards and chips that don't. See
the shopping list at:
<http://www.kismetwireless.net/documentation.shtml>
and see if your wireless card qualifies. If not listed, try using
Ethereal or Wireshark to sniff wireless traffic. If they can do it,
then Kismet is sure to work.
Note that Kismet can sorta be forced to work under Windoze with Cygwin
and AirPcap. $200. I haven't tried it:
<http://www.cacetech.com/products/airpcap.htm>
As for direction finding, a few more tips:
Take some time and effort to shield the receiver. From my experience,
that means a metal case or an aluminium foil mummy. It's not a
problem when the signal is weak, but drives me nuts when I get close
and there's more signal going directly into the receiver than in
through the antenna. You'll also need an RF attenuator when close as
it's easy to overload the typical wireless chips.
Practice on a known client before trying it for real. In particular,
play with different antennas. You'll get some surprises. For
example, the 24dBi dishes all have a boresight error which causes the
maximum lobe to be a few degrees off. It's not much, but it's enough
to cause some confusion.
Also, dish antennas have nasty side lobes which are not much of a
problem at a distance, but drive me nuts when I'm in close. It's
often easier to use a lower gain antenna, but with fewer side lobes.
Get used to swinging the dish, estimating direction, identifying
reflections, dealing with attenuators, making sure you're actually
locked onto the correct client radio, and working with maps. It's
really more of an art than a science. I have some product ideas that
will make it easier, but I'm not terribly thrilled with the prospect
of training all the customers.
If the piggybacker is using a 24dBi dish antenna or other high gain
antenna, you've got a potential problem. Unless you're very close,
you'll need to be directly in line with their RF pattern or you won't
hear anything with your sniffer. That's a big headache if they're
several floors off the ground. You're also very likely to be chasing
a reflection instead of the main beam. However, once you locate the
main beam between the attacker and the AP, finding them is easy. The
beam is only about 5 degrees wide for a 24dBi dish and points directly
at the culprit. I use a 30ft fiberglass window washing pole with a
14dBi panel or dish antenna on top. It's great fun explaining it to
the police and security guards. Be prepared with some documentation,
any documentation. Nothing you say will be believed, but
documentation carries some kind of mystical weight.
Kismet and other signal level meter indicators are slow. That makes
swinging the antenna and finding a peak on the fly impossible.
However, a spectrum analyzer or signal strength meter has a much
faster response. The problem is that with a mess of wi-fi signals
floating around the area, it's very easy to end up chasing the wrong
signal. I solve this by using a power divider and looking at both
Kismet and the spectrum analyzer display. That also takes some
practice, but is better than wasting the day finding the wrong radio.
Various companies have TDOA (time difference of arrival) tools for
locating wi-fi clients.
<http://www.ekahau.com>
They work quite well in a non-reflective and interference free
environment. They're kinda marginal in a highly reflective and
interference infested outdoor environment. However, they have one big
advantage in that you know exactly which client or AP you're chasing.
One trick I've used recently for finding a piggybacker is to
intentionally spoof the access point with SoftAP, HostAP, or similar
program.
<http://www.nat32.com/nat32e/htm/softap.htm>
<http://hostap.epitest.fi>
<http://wireless.gumph.org/content/4/7/071-linux-based-ap.html>
I set it for the same MAC address and SSID as the real access point
and turn off the real AP. I then use Netstumbler to extract signal
strength statistics from the client for direction finding. This has
to be done when the piggybacker is offline or they'll notice the loss
in internet connectivity. It hasn't been very successful for me and
was a mess to configure, but it shows some promise.
Good luck.
--
Jeff Liebermann
jeffl@cruzio.com
150 Felker St #D
http://www.LearnByDestroying.com
Santa Cruz CA 95060
http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
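As an added illustration (not code from the post or its author), here are three hostapd.conf variants for one access point, each meant as a separate file: the WEP setting the thread calls crackable, the WPA2 passphrase setup Jeff recommends, and the WPA2/RADIUS setup that issues a key unique to each session and user. The interface name, SSID, passphrase and RADIUS addresses are assumed placeholders.

```ini
# Added illustration, not from the post. Three hostapd.conf variants for the
# same SSID; use ONE stanza per file (hostapd does not accept duplicate keys).
# Interface, SSID, passphrase and RADIUS addresses are placeholders.

# --- 1. WEP: the "antiquated lock". One static 40-bit key shared by every
#        client and recoverable from captured traffic, so anyone nearby can join.
interface=wlan0
ssid=HomeNet
channel=6
auth_algs=1
wep_default_key=0
wep_key0=123456789a

# --- 2. WPA2-PSK: a long, convoluted passphrase, CCMP (AES) only.
#        Still a single shared secret: it can be read off any client computer,
#        and a captured 4-way handshake lets an attacker guess at it offline,
#        which is why the passphrase has to be long.
interface=wlan0
ssid=HomeNet
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-9f1c-long-and-convoluted

# --- 3. WPA2-Enterprise (802.1X + RADIUS): each client authenticates to the
#        RADIUS server, which derives a pairwise key unique to that session and
#        user. No common shared key exists on the clients to sniff or extract.
interface=wlan0
ssid=HomeNet
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
eap_server=0
# AP address as seen by the RADIUS server (placeholder, RFC 5737 range)
own_ip_addr=192.0.2.10
# RADIUS server address (placeholder, RFC 5737 range)
auth_server_addr=192.0.2.20
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-radius-shared-secret
```

Stanza 3 still needs a RADIUS server (for example FreeRADIUS) with user credentials or certificates configured; hostapd only forwards the EAP exchange to it.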