Last day to save $500 for SANS San Diego 2013

SANS Intrusion Detection FAQ: Intrusion detection on wireless network?

David Dobrotka
Introduction

The IEEE 802.11b wireless LAN standard has become the de-facto for wireless network communications medium. The availability of inexpensive equipment coupled with wire-like network bandwidth and ease of use has driven rapid adoption by corporate and SOHO users. Unfortunately, the rapid implementation of this wireless technology is having other, unintended consequences.

Historical Context

Brought into the public eye 20 years ago by the movie War Games, war dialing, or systematically dialing ranges of phone numbers to discover computer systems, continues to plague corporate America. War dialing will often discover modems attached to corporate desktops, which are in turn connected to the corporate LAN. These computers are often loaded with remote control software, such as PCAnywhere or Carbon Copy, allowing the individual dialing the modem to control the remote computer as if they were sitting at the keyboard.

A similar situation is beginning to develop with wireless technology. Business units or individuals install wireless access points (AP), acting as bridges to the corporate LAN, broadcasting to anyone with a $50 wireless network card and a laptop, up to three football fields distant. “War driving,” like its cousin described above, allows those with the tools described here to find, catalog, and access vulnerable wireless APs, and possibly gain access to any physically connected network, from the relative anonymity of a rental car in the parking lot.

Objective

The scenario described above is but one of the threats which an intrusion detection analyst must consider. First, however, we must ask a more fundamental question: what is intrusion detection when applied to wireless networks? Intrusion detection systems collect information about observable or auditable events, which are then analyzed and correlated to determine things like cause or motive. Therefore, in order to provide a basis for wireless intrusion detection, we must first determine what can be observed and collected for analysis. This paper will discuss several rudimentary events which could be captured by a wireless intrusion detection system and present a survey of tools to accomplish those tasks.

This is not your father’s network

Current intrusion detection solutions rely on the relatively static and contained nature of wired networks. Potential intruders would need to gain physical access to a network jack or logically enter the network through well-defined pathways. Placing intrusion detection sensors was a matter of finding (or creating) places where all or most network traffic transited. These assumptions are no longer valid for wireless networks.

The IEEE 802.11 standard [1] defines two types of wireless network topologies: Independent Basic Service Set (IBSS, or “ad hoc”), and Basic Service Set (BSS, or “infrastructure”). The IBSS topology involves two or more wireless stations communicating peer-to-peer (Figure 1).


Figure 1


Figure 2


The BSS topology (Figure 2) adds an AP attached to a “distribution system” (usually a network, like Ethernet); all communications route through the AP.

An ad hoc network has some obvious disadvantages for intrusion detection. Yongguang Zhang and Wenke Lee have written an excellent paper [2] addressing this particular problem. They outline several fundamental issues with wireless ad hoc networks:

  • Wireless stations are all independent nodes. Each must be responsible for it’s own protection from attack and compromise. Compromising only one node or introducing a malicious node may affect the viability of the entire network.
  • No central point exists from which to monitor all network traffic.
  • Differences between normal and anomalous traffic patterns may be indistinguishable. The mobile nature of the wireless stations can make legitimate network traffic appear suspect.
Zhang and Lee propose an architecture in which all nodes act as independent IDS sensor; able to act independently and cooperatively. Events are generated from a local detection engine. If analysis of the events are inconclusive or require more information, other, local sensors can be utilized. Each independent sensor has six modules, three of which pertain to intrusion detection:
  • data collection: the types of raw data the detection engines will utilize includes system and user activities, local communication activities, and “observable” (nodes within range) communications activities
  • local detection – since it will be difficult to maintain and distribute an anomalous signature database, Zhang and Lee propose defining statistically “normal” activities specific to each node, which will therefore reside locally on each node.
  • cooperative detection. If the local detection engine does not have enough evidence to alert on a suspected problem, it can ask other nodes for assistance. Information describing the detect gets propagated to neighboring nodes. Evidence returned from neighboring nodes can be used to create a new evaluation of the detect.

Infrastructure mode is where current intrusion detection methodologies and collection techniques become useful. Since all traffic transits through the AP, close proximity to the AP becomes a logical choice to place a sensor. Since 802.11b is essentially just another physical medium, the AP acts as a bridge – translating 802.11b frames to 802.3 (or some other network medium) frames, and vice versa. Data encapsulated at higher layers is unchanged. To collect events of interest at Layer 3 and above, one can rely on current tools, such as tcpdump. To look at frame information, however, each tool must be able to interpret the medium frame type.

Events of Interest

Several events of interest would be of obvious interest to an analyst monitoring an access point (it is assumed the reader has sufficient knowledge of the 802.11 standard; please see [1] and [3] for details).

General MAC Frames

Like IP packets, 802.11 frames [1] carry enough useful information to warrant monitoring.

Beacon Frames (Type 00, Subtype 1000)

“Beacon” frames are regularly transmitted by the AP, and contain information needed by a wireless station to begin the association/authentication process. An analyst may wish to analyze these frames to monitor for rogue access points or other potentially malicious traffic.

Capturing beacon frames is similar to sniffing network traffic on an Ethernet segment. The network card must be in promiscuous mode, but does not necessarily need to have a network address assigned to it. It can capture data, but is virtually invisible to everyone else on the network. The following tools are specifically built for this task (your mileage may vary):

airosniff: 

http://gravitino.net/~bind/code/airosniff/

 

Airosniff can be used to assist in the identification of wireless networks by sniffing SSIDs. Airosniff, for the Cisco Aironet card allows one to seek out wireless networks, auto-config the card for sniffing and perform access point vendor identification.

netstumbler: 

http://www.netstumbler.com/

Windows-based AP discovery tool; excellent GUI, easy to use

Wavelan-tools

http://sourceforge.net/projects/wavelan-tools/

802.11 network tools - allow for detection of networks and services initially using wireless extensions for linux (openbsd porting simple?) and raw 802.11 frames. initial support is for the wavelan/orinoco card and plan support for aironet cards

bsd-airtools

http://www.dachb0den.com/projects/bsd-airtools.html

 

bsd-airtools is a package that provides a complete toolset for wireless 802.11b auditing. Namely, it currently contains a bsd port of airsnort for wep cracking (as well as kernel patches for NetBSD, OpenBSD, and FreeBSD). It also contains a curses based ap detection application similar to netstumbler (dstumbler) that can be used to detect wireless access points, view signal to noise graphs, and interactively scroll through your scanned ap's and view statistics for each. And recently, we've added a couple new tools to provide a complete toolset for making use of all 14 of the prism2 debug modes as well as do basic analysis of the hardware-based link-layer protocols provided by prism2's monitor debug mode.

APTools

http://aptools.sourceforge.net

APTools is a utility that queries ARP Tables and Content-Addressable Memory (CAM) for MAC Address ranges associated with 802.11b Access Points. It will also utilize Cisco Discovery Protocol (CDP) if available. If a Cisco Aironet MAC Address is identified, the security configuration of the Access Point is audited via HTML parsing.

IBM Wireless Security Auditor  http://www.research.ibm.com/gsal/wsa/

 

WSA is an IBM research prototype of an 802.11 wireless LAN security auditor, running on Linux on an iPAQ PDA.  WSA automatically audits a wireless network for proper security configuration, to help network administrators close any vulnerabilities before the hackers try to break in. 

WSA is not a packet dump/analyzer; it does all the necessary packet monitoring and analysis, and provides the user with just the answers to the important management questions.  The results are color coded (green is good, red is bad) for rapid and easy understanding.

(Thanks to http://www.personaltelco.net/index.cgi/WirelessSniffers)
Association and Authentication (Type 00)

Once an attacker collects an SSID, they may wish to return and actually use the wired network your AP is attached to. In order to do that, the attacker must begin the association and authentication process.

The first frame to be sent by the wireless station is an Association Request Management frame (subtype 0000), to which the AP responds with an Association Response Management frame (subtype 0001). The association response frame contains a 2-byte status code – “0” means success, while all others indicate a problem. Also, the attacker’s MAC address has been transmitted over the wireless medium. Analyzing association/authentication response codes and capturing MAC addresses would also be a good basis for intrusion detection events. 802.11b packet analysis tools are now required to capture and display this information. Tools which perform this function include:

Ethereal (Linux or FreeBSD)

http://www.ethereal.com/

Ethereal is a GUI sniffer which understands 802.11b frames.

Mognet

http://chocobospore.org/mognet/

 

Mognet is a free wireless ethernet sniffer/analyzer written in Java

Features include:
  • Realtime output of captured frames.
  • Detailed description of any frame, including all IEEE 802.11 generic and frame-specific headers.
  • Raw hex and ascii dump of any frame.
  • Space-efficient presentation of information for convenient operation on handhelds.

Airopeek from Wild Packets (Windows)

http://www.wildpackets.com/products/airopeek

 

"Airopeek is a comprehensive packet analyzer for IEEE 802.11b wireless LANs, supporting all higher level network protocols such as TCP/IP, Appletalk, NetBEUI, and IPX. Affordable and easy-to-use, Airopeek contains all of the network troubleshooting features familiar to users of our award-winning Etherpeek. In addition, Airopeek quickly isolates security problems, fully decodes 802.11b WLAN protocols, and expertly analyzes wireless network performance with accurate identification of signal strength, channel and data rates."

 

Sniffer Wireless from Network Associates Technology, Inc. (Windows)

http://www.sniffer.com/products/wireless/default.asp?A=5

 

 

"Sniffer Wireless was designed in accordance with the IEEE 802.11b interoperability standard. It includes network monitoring, capturing, decoding, and filtering-all the standard award-winning Sniffer Pro features you already know and appreciate. Sniffer Wireless also provides the most comprehensive 802.11b solution to the unique aspects of wireless networks. Sniffer Wireless is the industry-first Wireless LAN management tool that can spot security risks in real-time, identify network problems efficiently and reduce network-operating costs."

Here is Mognet in action:

ARP

The address resolution protocol (ARP) is used to map an IP address to a corresponding hardware address [4]. Arpwatch (http://www-nrg.ee.lbl.gov/) is a tool which monitors changes to this information and can be used as a source of detection data. When applied to a wireless access point [5], arpwatch could be used to obtain information about wireless stations already authenticated and associated with the AP. Once a packet enters the wired side of the AP from the wireless side, interesting traffic may begin to appear. For example, Richard Johnson (http://www.monkey.org/openbsd/archive/ports/0012/msg00098.html) noted:

You'll see a lot of the following if you're watching ARPs from across an 802.11b wireless bridge to a 10baseT LAN or the like: ethernet mismatch

The source mac ethernet address didn't match the address inside the arp packet.
The source MAC addr on the packet will of course be that of the wireless<->ethernet bridge, while the MAC addr inside the packet will be the other host's actual ethernet MAC addr.
Analysis

Due to the large amount of raw data that will be collected by these tools, the analyst will be forced to develop procedures to reduce it. Statistical methods must be employed to bring order to the data. The anomaly detection routines described by Zhang and Lee [2] and XXX could be applied here. For example, given a fixed time period, tally the number of Association/Authentication requests and Association/Authentication response status codes and corresponding MAC address for typical network situations. This is called a “normal profile” in [2]. Other profiles not fitting this typical profile can be alerted to the analyst. In this case, a large number of Authentication response codes of 15 (Authentication rejected because of challenge failure), over a short period of time (both “large” and “short” will be defined by the normal profile), with the same source MAC address, should generate an event.

Conclusion

The process, methodology, and tools described above simply scratch the surface of wireless intrusion detection. This paper has described the most rudimentary form of wireless intrusion detection for the most basic network architecture– detecting wireless stations associating with an access point attached to a wired network. Much more work needs to be done develop the state of wireless intrusion detection. With the increasing popularity of “war driving”, this capability will certainly be required to help protect our wireless infrastructure.

References
  1. ANSI/IEEE. “IEEE Standard for Information technology. Telecommunications and information exchange between systems. Local and metropolitan area networks. Specific requirements. Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications.” 1999.
  2. Zhang, Yongguang, Wenke, Lee. “Intrusion Detection in Wireless Ad-Hoc Networks.” Proceedings of the Sixth Annual International Conference on Mobile Computing and Networking. 2000.
  3. Arbaugh, William A., Shankar, Narendar, Wan, Y.C. Justin. “Your 802.11 Wireless Network has No Clothes.” Department of Computer Science, University of Maryland. 31 March 2001.
  4. Stevens, W. Richard. TCP/IP Illustrated, Volume 1. Massachusetts: Addison-Wesley. 1994.
  5. Shipley, Peter. Interview. http://www.starkrealities.com/shipley.html. 31 July 2001.

SANS Training should be attended by all IT staff as they have a wealth of knowledge to give.
-Leigh Lopez, CSVN

SANS CDI 2013 - DC

Latest Whitepapers

Building and Maintaining a &quot;Certifiable&quot; Workforce
By Robert J. Mavretich

How Can You Build and Leverage SNORT IDS Metrics to Reduce Risk?
By Tim Proffitt

Daisy Chain Authentication
By Courtney Imbert

Latest Tweets

#4 Tip on how to convince your boss to let you train online [...]
October 2, 2013 - 2:18 PM

5 Brand NEW classes added to the Cyber Defense Initiative li [...]
October 2, 2013 - 2:09 PM

NEW #SANS Survey: Security Analytics & Intelligence 2nd [...]
October 1, 2013 - 6:30 PM

Contact Us

(301) 654-SANS (7267)
Mon-Fri 9am - 8pm EST/EDT
info@sans.org

"It was a great learning experience that helped open my eyes wider. The instructor's knowledge was fantastic."
- Manuja Wikesekera, Melbourne Cricket Club

"SANS is a great place to enhance your technical and hands-on skills and tools. I thoroughly recommend it."
- Aaron Waugh, Datacom NZ Ltd

"SANS is far more in-depth than other training I have attended."
- Frank Rajnai, Sears Canada Inc