Sunday, March 20, 2011

When your network takes a walk

Now that mobile devices and notebooks are everywhere, networks are harder to isolate and a new problem is emerging. It is common today for companies to give their employees notebooks so they can work remotely or take them when they travel. Many of these companies invest a lot of money and resources in securing their networks, but all of that goes to waste the moment your network takes a walk.
Why would an attacker target a protected network, where even the simplest information gathering could set off all the alarms? Instead he could target the company's notebooks or mobile devices; after all, these devices may hold sensitive information or credentials, or may provide access to the protected network. And the 'owners' of these devices are not careful about their security outside the company: most of them connect to any network they find just to check their Facebook account.

WiFi Geolocation

I knew about IP geolocation, but someone knowing my country is not enough to set off my paranoia alarm. One day I was having fun with an Apple iPad, and when I opened the Maps application I suddenly freaked out. The iPad knew my exact position; my paranoia alarm was definitely on. This was the cheap iPad, so no assisted GPS here.

After some searching on the web I found that it was using access points as if they were cellphone towers to get my position on the globe.
Recently Google got into some trouble[1][2] over their war-driving van, aka the Street View van.
So it's not new that companies do war driving for geolocation, but I didn't believe it could be so accurate and up to date. I was wrong.

But I don't live in the US; I'm far away from Google Street View or companies doing war driving. I'm safe, aren't I? Wrong again! It doesn't matter: apparently some companies are using their users to do the war driving for them. I continued my search through the web and found this document, Apple's response to a query about privacy policy changes. Here are some quotes:

Where Have You Been?

Probe Request frames are useful for gathering information about Stations. For example, analyzing Probe Request traffic could be used for the following:
  • Finding potential targets for Karma attacks.
  • Finding Stations that have connected to other wireless networks (hotspots, open networks, etc.).
  • Finding Stations running Windows XP, by looking for Probe Requests whose SSID IE is set to random binary data[1].
  • Finding possible relations between Stations: through the vendor or the SSID we could find Stations belonging to a certain network.
  • Finding rogue WAPs.
  • Social engineering attacks against the owners of client Stations.

If your wireless network has client Stations that are vulnerable to client attacks, then the network is vulnerable.
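To make the Probe Request analysis above concrete, here is an added example that is not part of the original post: a small pure-Python parser (no Pcapy or Impacket needed) that walks 802.11 management frames, extracts the SSID IE of each Probe Request, and reports per Station which remembered networks it announces and whether it sends the random binary SSIDs described for Windows XP. From the defender's side this is the inventory of what your fleet leaks when it leaves the office; the frames, station addresses and SSIDs are constructed samples, not captured traffic.

```python
from collections import defaultdict

PROBE_REQUEST = (0, 4)  # 802.11 (type, subtype): management frame, subtype 4
SSID_IE = 0             # element ID of the SSID information element

def parse_mgmt_frame(frame: bytes) -> dict:
    # 24-byte MAC header: FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2), then IEs
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    frame_type, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    source = ":".join(f"{b:02x}" for b in frame[10:16])  # Address 2: transmitting station
    ies, pos = defaultdict(list), 24
    while pos + 2 <= len(frame):  # each IE is: element ID, length, body
        element_id, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise ValueError("truncated information element")
        ies[element_id].append(body)
        pos += 2 + length
    return {"type": frame_type, "subtype": subtype, "sa": source, "ies": ies}

def is_random_binary(ssid: bytes) -> bool:
    # directed probes carry a printable SSID; Windows XP sends random binary data instead [1]
    return bool(ssid) and not all(0x20 <= b < 0x7F for b in ssid)

def summarize_probes(frames) -> dict:
    # per source station: the SSIDs it probed for and how many random-binary probes it sent
    stations = defaultdict(lambda: {"ssids": set(), "random_binary": 0})
    for frame in frames:
        parsed = parse_mgmt_frame(frame)
        if (parsed["type"], parsed["subtype"]) != PROBE_REQUEST:
            continue
        for ssid in parsed["ies"].get(SSID_IE, []):
            if is_random_binary(ssid):
                stations[parsed["sa"]]["random_binary"] += 1
            elif ssid:  # non-empty printable SSID: directed probe for a remembered network
                stations[parsed["sa"]]["ssids"].add(ssid.decode("ascii"))
    return dict(stations)

def build_probe_request(source: bytes, ssid: bytes) -> bytes:
    # constructed sample frame: FC 0x0040, broadcast DA/BSSID, SSID IE, Supported Rates IE
    header = b"\x40\x00\x00\x00" + b"\xff" * 6 + source + b"\xff" * 6 + b"\x00\x00"
    return header + bytes([SSID_IE, len(ssid)]) + ssid + b"\x01\x04\x82\x84\x8b\x96"

# Constructed capture: a notebook probing for two remembered networks, an XP box sending random bytes
SAMPLE_FRAMES = [
    build_probe_request(b"\x00\x11\x22\x33\x44\x55", b"CorpWiFi"),
    build_probe_request(b"\x00\x11\x22\x33\x44\x55", b"AirportFree"),
    build_probe_request(b"\x66\x77\x88\x99\xaa\xbb", b"\x9f\x01\xc3\x55\x10\xaa\x07\xee"),
]
```

Running `summarize_probes(SAMPLE_FRAMES)` shows the first station announcing both an internal and a public SSID, which is exactly the off-site leak the list above warns about; broadcast probes with an empty SSID are ignored.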

WAP fingerprinting: The Wi-Fi Alliance Way

Fingerprinting a WAP (Wireless Access Point) to find the vendor and model is something I have always been interested in. The first way I thought of doing this was to use oui.txt to find the vendor of the WAP. But knowing the vendor doesn't give us much to work with. So one day, while I was sniffing, I saw some interesting beacon frames:

Simple Access Point Monitor

This is another example of what you can do with a few lines of Python and some useful libraries like Pcapy, PyLorcon2 and Impacket.
This simple script monitors the management frames of a particular Access Point, showing on the console the stations that are interacting with the Access Point.
Below we can see a screenshot of the script.

The download link to the complete code is below:

Injecting 802.11 frames with PyLorcon2 and Impacket

Playing with 802.11 frames is something I do regularly, so I need a simple and direct way to do it. For testing and prototyping there is nothing like a scripting language; in my case that scripting language is Python.
The solution to my problem was a couple of libraries: PyLorcon2 to inject and Impacket to craft the packets.
Using these two libraries with Python is a really easy and clean way of doing what I need.
As an example, the code below shows how to inject Probe Request frames.