Monday, February 20, 2006

Wireless FreeBSD 6.0 Update

While preparing for my Network Security Operations class tomorrow, I decided to take a closer look at the state of a few wireless security tools on FreeBSD 6.0. I've used bsd-airtools, specifically dstumbler, before, but I started getting this error when invoking the program with 'dstumbler wi0 -o' as I usually do:

error: unable to ioctl device socket: Invalid argument

Running without '-o' removed the error, but I didn't see any wireless networks. I found that dwepdump also saw no wireless networks. prism2dump, however, still works:

orr:/root# ifconfig wi0 up
orr:/root# prism2ctl wi0 -m
orr:/root# prism2dump wi0
prism2dump: listening on wi0
- [ff:ff:ff:ff:ff:ff <- 0:3:52:f0:b7:60 <- 0:3:52:f0:b7:60]
- port: 7 ts: 208.281597 2:42 10:0
- sn: 45728 (6:f:d8:99:2d:fb) len: 55
- ** mgmt-beacon ** ts: 208.281655 int: 100 capinfo: ess
+ ssid: [STSN]
+ rates: 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0
+ ds ch: 11
+ dtim c: 0 p: 1 bc: 0 pvb: bfbfea15

- [ff:ff:ff:ff:ff:ff <- 0:3:52:f0:b7:61 <- 0:3:52:f0:b7:61]
- port: 7 ts: 208.282482 2:39 10:0
- sn: 28096 (b:16:bc:69:49:f) len: 75
- ** mgmt-beacon ** ts: 208.282540 int: 100 capinfo: ess priv
+ ssid: []
+ rates: 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0
+ ds ch: 11
+ dtim c: 0 p: 1 bc: 0 pvb: bfbfea15

A new feature of the FreeBSD ifconfig is its ability to list networks, using the following syntax:

orr:/root# ifconfig wi0 list scan
SSID BSSID CHAN RATE S:N INT CAPS
STSN 00:03:52:f0:b7:60 11 0M 0:0 0

I also found that I could see both IEEE802_11 and IEEE802_11_RADIO traffic.

orr:/root# ifconfig wi0 mediaopt monitor channel 11 up
orr:/root# tcpdump -i wi0 -L
Data link types (use option -y to set):
EN10MB (Ethernet)
IEEE802_11 (802.11)
IEEE802_11_RADIO (802.11 plus BSD radio information header)
orr:/root# tcpdump -n -i wi0 -y IEEE802_11
tcpdump: data link type IEEE802_11
tcpdump: WARNING: wi0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wi0, link-type IEEE802_11 (802.11), capture size 96 bytes
16:36:22.913885 Beacon (STSN) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 11
16:36:22.914938 Beacon () [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 11, PRIVACY

orr:/root# tcpdump -n -i wi0 -y IEEE802_11_RADIO
tcpdump: data link type IEEE802_11_RADIO
tcpdump: WARNING: wi0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wi0, link-type IEEE802_11_RADIO (802.11 plus BSD radio information header), capture size 96 bytes
16:42:04.826729 1.0 Mb/s 2462 MHz (0x00a0) 43dB signal 1dB noise Beacon (STSN)
[1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 11
16:42:04.827783 1.0 Mb/s 2462 MHz (0x00a0) 38dB signal 1dB noise Beacon ()
[1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 11, PRIVACY
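As an added example (not code from the original post), here is a small Python parser for the tcpdump beacon lines shown above. It re-joins the radiotap lines that tcpdump wrapped, then builds the kind of inventory dstumbler used to give: SSID (empty means hidden), channel, whether the PRIVACY capability bit is set (WEP or WPA in use), and the best signal level seen. The sample lines are constructed from the output above.

```python
import re
# Constructed sample modelled on the tcpdump output above; the radiotap beacon
# is wrapped onto a second line exactly as tcpdump printed it on the page.
SAMPLE = """\
16:36:22.913885 Beacon (STSN) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 11
16:36:22.914938 Beacon () [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 11, PRIVACY
16:42:04.826729 1.0 Mb/s 2462 MHz (0x00a0) 43dB signal 1dB noise Beacon (STSN)
[1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 11
"""

BEACON_RE = re.compile(  # optional radiotap prefix, then the 802.11 beacon decode
    r"^\d\d:\d\d:\d\d\.\d+ "
    r"(?:[\d.]+ Mb/s \d+ MHz \(0x[0-9a-f]+\) (?P<sig>-?\d+)dB signal -?\d+dB noise )?"
    r"Beacon \((?P<ssid>[^)]*)\) \[[^\]]* Mbit\] [A-Z]+ CH: (?P<chan>\d+)"
    r"(?P<flags>(?:, [A-Z]+)*)$"
)

def join_wrapped(text):
    """Re-attach continuation lines (those starting with '[') to the line before."""
    lines = []
    for line in text.splitlines():
        if line.startswith("[") and lines:
            lines[-1] += " " + line
        else:
            lines.append(line)
    return lines

def parse_beacon(line):
    """Parse one tcpdump beacon line; return None for any other line."""
    m = BEACON_RE.match(line)
    if not m:
        return None
    return {
        "ssid": m.group("ssid"),                    # "" = hidden SSID
        "channel": int(m.group("chan")),
        "privacy": "PRIVACY" in m.group("flags"),   # capability bit: WEP/WPA in use
        "signal_db": int(m.group("sig")) if m.group("sig") else None,
    }

def inventory(text):
    """Group beacons by (ssid, channel): beacon count, privacy flag, best signal."""
    nets = {}
    for b in filter(None, map(parse_beacon, join_wrapped(text))):
        n = nets.setdefault((b["ssid"], b["channel"]),
                            {"beacons": 0, "privacy": b["privacy"], "best_signal_db": None})
        n["beacons"] += 1
        seen = [s for s in (n["best_signal_db"], b["signal_db"]) if s is not None]
        n["best_signal_db"] = max(seen) if seen else None
    return nets
```

Feed it `tcpdump -n -i wi0 -y IEEE802_11_RADIO` output to get signal levels; the plain IEEE802_11 link type yields the same inventory without them.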

That's nice, but I wanted to be able to easily find wireless networks again. Enter Kismet. I hadn't tried Kismet on FreeBSD since the port was added, but I gave it a whirl.

The first thing I needed to do was set up a few configuration files.

orr:/usr/local/etc$ diff kismet.conf.sample kismet.conf
13c13
< suiduser=your_user_here
---
> suiduser=richard
22c22
< source=none,none,addme
---
> source=radiotap_bsd_b,wi0,SMC
34c34
< channelvelocity=5
---
> channelvelocity=1

You'll notice I put my userid 'richard' in place, and I configured the radiotap source for my wireless NIC. I changed the channel hopping velocity from 5 per second to 1 per second. At 5 per second my old laptop was running the Kismet server at over 100% CPU.

That was all I needed to do. Next I ran Kismet.

orr:/home/richard/kismet$ sudo kismet
Server options: none
Client options: none
Starting server...
Waiting for server to start before starting UI...
Will drop privs to richard (1001) gid 1001
No specific sources given to be enabled, all will be enabled.
Enabling channel hopping.
Enabling channel splitting.
Source 0 (SMC): Enabling monitor mode for radiotap_bsd_b source interface wi0 channel 6...
Source 0 (SMC): Opening radiotap_bsd_b source interface wi0...
WARNING: pcap reports link type of EN10MB but we'll fake it on BSD.
This may not work the way we want it to.
WARNING: Some Free- and Net- BSD drivers do not report rfmon packets
correctly. Kismet will probably not run correctly. For better
support, you should upgrade to a version of *BSD with Radiotap.
Spawned channelc control process 1604
Dropped privs to richard (1001) gid 1001
Allowing clients to fetch WEP keys.
Logging networks to Kismet-Feb-20-2006-6.network
Logging networks in CSV format to Kismet-Feb-20-2006-6.csv
Logging networks in XML format to Kismet-Feb-20-2006-6.xml
Logging cryptographically weak packets to Kismet-Feb-20-2006-6.weak
Logging cisco product information to Kismet-Feb-20-2006-6.cisco
Logging gps coordinates to Kismet-Feb-20-2006-6.gps
Logging data to Kismet-Feb-20-2006-6.dump
Writing data files to disk every 300 seconds.
Mangling encrypted and fuzzy data packets.
Tracking probe responses and associating probe networks.
Reading AP manufacturer data and defaults from /usr/local/etc/ap_manuf
Reading client manufacturer data and defaults from /usr/local/etc/client_manuf
Using network-classifier based data encryption detection
Dump file format: wiretap (local code) dump
Crypt file format: airsnort (weak packet) dump
Kismet 2005.08.R1 (Kismet)
Logging data networks CSV XML weak cisco gps
GPSD cannot connect: Connection refused
Listening on port 2501.
Allowing connections from 127.0.0.1/255.255.255.255
Registering builtin client/server protocols...
Registering requested alerts...
Registering builtin timer events...
Gathering packets...
Starting UI...
Looking for startup info from localhost:2501.... found.
Connected to Kismet server 2005.08.R1 on localhost:2501
Reading AP manufacturer data and defaults from /usr/local/etc/ap_manuf
Reading client manufacturer data and defaults from /usr/local/etc/client_manuf

Soon I had networks appear. I sorted them by channel so I could select individual networks for inspection. Here is the default screen.

[screenshot: Kismet default screen]

Here are details for one of the channels.

[screenshot: Kismet channel details]
Kismet seems to be perfect for wireless network discovery. The only problem I found is that it does not work with the ndis driver I must use with my Linksys WPC54G ver 3 adapter.
