In city office environments with residential or even non-residential buildings nearby, rogue detection can be a huge and overwhelming issue. Things get even more complicated when you think about shared office spaces where access points are just a wall away. Commercial wireless intrusion detection systems (WIDS) will allow you to place sensors in multiple locations, which allows the WIDS to perform a sort of triangulation to help identify where these APs may reside. The need for these commercial solutions is understandable when you have a wireless network within your organization, but what happens when you don’t? The threat of rogue access points is still there, and an equally serious threat is AP impersonation attacks, which may target corporate systems with wireless cards.

So what’s a guy to do? As mentioned there are two issues here: rogue access points and AP impersonation attacks. Let’s look at each one.

Rogue Access Points: In highly dense environments, the best method I’ve found for identifying rogue access points is similar to that of wireless intrusion detection systems, except that it’s a more manual process. What we’ll do is use a standard wireless adapter with a low gain antenna (there is NO need for a high gain antenna; it’ll only make your life difficult) and a wireless sniffer that displays signal strength. The choice here can be either open source or commercial software. I personally use a commercial tool, AirMagnet’s Laptop Analyzer, just because it gives me exactly the data I am looking for. No matter what, don’t use NetStumbler (remember? Active vs Passive sniffing)! Using a floor map, I’ll mark down roughly 5-10 points within the office space and take two-minute snapshots at each point. Once that’s completed I’ll make an Excel spreadsheet containing every BSSID (MAC address) discovered at every sample point, the capture location, and the signal strength. Then I’ll sort by BSSID and start the correlation. For example, if we have 5 sample points, we’ll look for BSSIDs that have relatively high signal strength (~30) at each sample point, or at say 4 of the 5 sample points. Assuming you picked points around the perimeter and at least one in the middle, you should have enough information to safely assume that such a BSSID is in your office area. If you see a particular BSSID with good signal strength only along the outer wall samples, you may assume it is outside. Once you have a list of potential rogue access points, the hunt begins!
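The spreadsheet correlation described above, as an added example that is not part of the original post: the rows are constructed sample-point readings (BSSID, sample point, strongest signal seen during the snapshot), the point names P1-P5 and the ~30 "good signal" threshold are assumptions taken from the rule of thumb in the text, and the classifier turns that rule into a hunt list. It also keeps a "weak" bucket, because a low-power AP that shows up faintly at several points is exactly the case the post says deserves extra sample points rather than dismissal.

```python
from collections import defaultdict

# Added example, not the post's own tooling. All readings below are constructed.
# Signal strength is on the relative scale the sniffer reports (higher is
# stronger); the post's rule of thumb is that ~30 or above counts as "good".
STRONG = 30
MIN_STRONG_POINTS = 4   # "4 of the 5 sample points" -> treat as inside

# Five assumed sample points: P1..P4 along the perimeter walls, P5 in the middle.
PERIMETER_POINTS = {"P1", "P2", "P3", "P4"}
INTERIOR_POINTS = {"P5"}

# One row per (BSSID, sample point): the strongest reading from the two-minute
# snapshot. A BSSID not heard at a point simply has no row for that point.
SAMPLES = [
    ("00:11:22:33:44:01", "P1", 42), ("00:11:22:33:44:01", "P2", 38),
    ("00:11:22:33:44:01", "P3", 35), ("00:11:22:33:44:01", "P4", 31),
    ("00:11:22:33:44:01", "P5", 47),
    ("00:11:22:33:44:02", "P1", 44), ("00:11:22:33:44:02", "P2", 12),
    ("00:11:22:33:44:02", "P5", 9),
    ("00:11:22:33:44:03", "P1", 15), ("00:11:22:33:44:03", "P3", 11),
    ("00:11:22:33:44:04", "P2", 33), ("00:11:22:33:44:04", "P3", 36),
    ("00:11:22:33:44:04", "P4", 30), ("00:11:22:33:44:04", "P5", 29),
]


def readings_by_bssid(samples):
    """Pivot the spreadsheet rows into {bssid: {point: strength}} (the 'sort by BSSID' step)."""
    table = defaultdict(dict)
    for bssid, point, strength in samples:
        # keep the best reading if a point was sampled more than once
        table[bssid][point] = max(strength, table[bssid].get(point, 0))
    return table


def classify(readings, strong=STRONG, min_strong_points=MIN_STRONG_POINTS):
    """Apply the post's correlation rule to one BSSID's readings."""
    strong_points = {p for p, s in readings.items() if s >= strong}
    if len(strong_points) >= min_strong_points:
        return "inside"            # good signal across the floor: go hunt it
    if not strong_points:
        return "weak"              # low power or far away; resample before dismissing
    if strong_points <= PERIMETER_POINTS and len(strong_points) <= 2:
        return "outside"           # good only along one wall: probably the neighbours
    return "undetermined"          # mixed picture: add sample points around it


def hunt_list(samples):
    """Return {bssid: classification} and the ordered list of BSSIDs to go find."""
    verdicts = {b: classify(r) for b, r in readings_by_bssid(samples).items()}
    targets = sorted(b for b, v in verdicts.items() if v == "inside")
    return verdicts, targets


if __name__ == "__main__":
    verdicts, targets = hunt_list(SAMPLES)
    for bssid in sorted(verdicts):
        print(f"{bssid}  {verdicts[bssid]}")
    print("hunt list:", targets)
```

With the constructed data the first BSSID is strong at all five points and lands on the hunt list, the second is strong only at one perimeter point and is treated as the neighbours', the third is faint everywhere and gets flagged for resampling, and the fourth is strong on three walls but just under the threshold in the middle, so it stays undetermined until more points are taken. Tune `STRONG` and the point sets to the scale your sniffer reports and to your floor plan.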

For less dense environments, or if you’ve targeted a particular suspected rogue, you can use the “walk aimlessly” technique. Use a low gain antenna so you’re not searching for something that’s 3 blocks away, lock in on the particular channel and the particular BSSID (AirMagnet’s “Find” function is really great for this), and just follow the signal. One helpful technique is to use your body to help identify which direction the signal is coming from. Wireless signals do not propagate well through water, and because the human body is made up of something like 70% water, we can place the card near our chest and turn around, watching the signal strength, to see if the BSSID is originating from in front of us. Normally it’ll drop ~10 if it is. The same technique can be used for APs above our location: we can put our hand over the top of the card, or bend over. From a third party perspective, all of this may look a little strange, but remember we’re walking around aimlessly anyway, so people already think we’re weird!

In general, the major weakness of rogue detection is an AP whose transmit power is turned way down. There are some cases where you may get lucky and pick it up, but a lot of times that’s not the case. You can also take more sample points; even though the AP has a low signal, showing up faintly at several of them might tip you off that it’s somewhere nearby.

AP Impersonation: I’m writing a nice little whitepaper on WPA Enterprise AP impersonation attacks, where you can compromise an EAP-TTLS or PEAP 802.11 network due to one common configuration-related issue, so I think it’s time to bring more attention to these types of attacks. AP impersonation attacks are just what they sound like: an attacker positions an access point with a mimicked configuration of your wireless access points, and the client unknowingly connects to the attacker’s AP. This can be used in a number of different ways, but here we’ll just look at one variant.

Without a wireless network in your environment, the only wireless an attacker can target is that of your clients. With the wireless network adapter enabled, the client will constantly send probe requests to see if its configured wireless networks are available. By responding to these probe requests, an attacker can trick the client into connecting to the malicious access point. It should be noted that if the network the client is probing for is encrypted or requires some sort of authentication (assuming it’s configured correctly), the attack will be mitigated. However, in cases such as an airport wireless network or “Free Public Wifi”, the client may unknowingly connect to the AP, exposing itself to further attacks which may ultimately allow the attacker onto the corporate internal network (assuming the client is hardwired into the internal network at the time of the attack). Tools have been around for quite a while now which demonstrate these attacks (e.g. Hotspotter and Karma).
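A passive check for the probe-request/probe-response behaviour described above, as an added example that is not part of the original post: the frames are constructed records of what a sniffer would see (type, source, destination, SSID, privacy flag), and the managed client list, the authorized SSID-to-BSSID map and the MAC addresses are all assumptions. It raises one alert when any AP answers with an SSID the organization operates from a BSSID that is not one of its own, and another when a managed client probes for an open network and something answers, since that is the "Free Public Wifi" case the text says is not mitigated by encryption or authentication.

```python
from collections import defaultdict

# Added example, not the post's own tooling. Frames and addresses are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"
MANAGED_CLIENTS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}   # corporate laptops
# SSIDs the organization actually operates and the BSSIDs allowed to serve them
# (leave empty if, as in the text's scenario, you run no wireless at all).
AUTHORIZED = {"CorpNet": {"00:de:ad:be:ef:01"}}

FRAMES = [
    # a managed laptop probing for the networks it remembers
    {"type": "probe_req", "src": "aa:bb:cc:00:00:01", "dst": BROADCAST, "ssid": "Free Public Wifi"},
    {"type": "probe_req", "src": "aa:bb:cc:00:00:01", "dst": BROADCAST, "ssid": "CorpNet"},
    # an unknown AP answering with the open hotspot name the laptop asked for
    {"type": "probe_resp", "src": "02:13:37:00:00:01", "dst": "aa:bb:cc:00:00:01",
     "ssid": "Free Public Wifi", "privacy": False},
    # the same unknown AP answering with the corporate SSID
    {"type": "probe_resp", "src": "02:13:37:00:00:01", "dst": "aa:bb:cc:00:00:01",
     "ssid": "CorpNet", "privacy": True},
    # the real corporate AP answering the same probe: no alert
    {"type": "probe_resp", "src": "00:de:ad:be:ef:01", "dst": "aa:bb:cc:00:00:01",
     "ssid": "CorpNet", "privacy": True},
    # a visitor's phone probing for the hotspot: not our client, ignored
    {"type": "probe_req", "src": "11:22:33:44:55:66", "dst": BROADCAST, "ssid": "Free Public Wifi"},
    {"type": "probe_resp", "src": "02:13:37:00:00:01", "dst": "11:22:33:44:55:66",
     "ssid": "Free Public Wifi", "privacy": False},
]


def analyze(frames, managed=MANAGED_CLIENTS, authorized=AUTHORIZED):
    """Return a list of (alert, ap_bssid, ssid, client) tuples for the frames seen."""
    probed = defaultdict(set)   # managed client -> SSIDs it has asked for
    alerts = []
    for f in frames:
        if f["type"] == "probe_req":
            if f["src"] in managed:
                probed[f["src"]].add(f["ssid"])
            continue
        if f["type"] not in ("probe_resp", "beacon"):
            continue
        ap, ssid, client = f["src"], f["ssid"], f["dst"]
        # Rule 1: our SSID advertised by a BSSID that is not one of ours.
        if ssid in authorized and ap not in authorized[ssid]:
            alerts.append(("impersonation", ap, ssid, client))
        # Rule 2: a managed client asked for an open network and something answered;
        # there is no key or authentication to stop the client from joining.
        if client in managed and ssid in probed[client] and not f.get("privacy", False):
            alerts.append(("open-network-response", ap, ssid, client))
    return alerts


if __name__ == "__main__":
    for alert in analyze(FRAMES):
        print(*alert)
```

Rule 2 is really a client-configuration finding: the fix is on the laptop (remove remembered open networks, disable the adapter while wired), not on the airwaves, which is what the mitigations below address. A real deployment would feed the function from a capture rather than a literal list, and would also want beacons, since an impersonating AP usually beacons as well as answering probes.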

The main protections against these attacks are disabling wireless altogether, disabling it while it’s not in use, or disabling it while the Ethernet cable is plugged in. Disabling wireless altogether is an excellent idea; unfortunately it may not always be an option. You can disable it while it’s not in use, which really relies on getting your clients used to manually disabling the adapter before and after each use. Again, this may not be very feasible. I recommend the last option, where you disable the adapter while the Ethernet cable is plugged in. I know most Dell laptops nowadays will do this automatically, and you can even buy wireless configuration software or client security software that will do this as well. Of course, you always want your clients running a firewall and up to date with recent patches to further mitigate your risk. It’s also recommended to prevent the client software from connecting to ad-hoc networks.

In general, rogue APs are such a widely known threat, yet they often go overlooked. They’re usually discovered when a network engineer or security personnel accidentally connects to one or notices it in their client software. This should not be the case within your organization. Quarterly checks should be put in place to ensure these entry points do not go overlooked and that your clients are not subject to these attacks. Think about it: it’ll only take about one day’s work to protect yourself.