Sunday, February 4, 2007

Spy guys

Jon Espenschied

January 12, 2007 (Computerworld) Maybe I'm a little old for it, but I do enjoy the change of pace a big wireless security penetration project provides.  Once or twice a year, I get to put down my thrill-a-minute governance frameworks, quit rockin' out policy advice, and make like the black hats for a week or two. 

There are a few differences between this sort of project and the usual network security assessment.  It also prompts a lot of questions from clients, peers and curious IT staff, most likely because it looks like a lot of fun.  For the most part, it is. 

It goes like this: Instead of heading to Hertz when I hit the ground in a client's city, I hitch a ride over to Penske or a local truck rental outfit and pick up a large plain white van or a midsize box truck for my team.  I'm partial to fiberglass-sided box trucks because they are relatively transparent to radio signals.  This means no external antennas or tell-tale wires trailing out of the cab or back door.

Then we strike out for Goodwill or the local thrift store.  I'm on the frugal side, but I don't fancy sitting cross-legged in the back of a truck for a week. I buy a couple of desks and enough chairs for the consultants that'll be joining us for the exercise, and set them up in the back of the truck. A few twenties will take care of it.  If we're in a droll mood and a bit lucky, a couple of disassembled cubicles will fit the bill.

A hefty power inverter (400 or 800 watts) and a couple of power strips heat up the mobile office.  A pass-through door from the cab to the truck box is handy for plugging in a commodity-sized inverter, but a larger one will have to be wired directly to the truck batteries. I will admit to bringing a couple of low-wattage 120-volt LED bulbs to brighten things up with a thrift-store granny lamp, and I once bought a really nice rug.  However, I've refrained from toting along too many creature comforts that might overwhelm the truck battery, and I've never brought out a blender for margaritas.  No, sir.

The wireless tools are predictable: laptops with specialized wireless cards, ominous-looking antennas, and a decent magnetic GPS to stick on the roof.  When choosing a wireless PCMCIA card or a replacement MiniPCI card for one's laptop, receive sensitivity is as important as output power.

Generally one large omnidirectional antenna and one serious directional antenna will do the trick for 2.4-GHz work (802.11b or .11g), but more may be necessary for alternate frequencies (5GHz for 802.11a) or more aggressive attacks.  While some favor the Yagi-style directional antenna for their impressive ray-gun or phallic appearance, I'm a fan of equivalent high-gain flat panels (PDF format) for sheer portability and practicality.

Antennas on tripods are handy for fine-tuning when the truck is parked in an odd spot, but it's more stable to tape or strap them directly to the wall.  Many rental vans have wooden tie-down rails along the inside. It's good to keep in mind that the desire to have a signal source for each available computer should not override basic safety concerns such as making sure there's adequate space around and no people or other obstructions in front of high-gain antennas.  Significant radio frequency energy is not something to be trifled with.

Choosing good coaxial cable is something I learned from Uncle Lloyd.  Even strong signals may be almost lost over a long pigtail, while LMR-400 (PDF format) or equivalent -- the standard half-inch-thick stuff provided by most wireless outfitters -- is so stiff and unwieldy that it may pull out connectors or tug a laptop off a desk.  For a mobile setup, I prefer to dispense with thick cables and pigtails entirely; LMR-240 or similar medium-sized cable with custom connectors or adapters provide low signal loss and portability without having to be duct-taped down every few inches.

Basic networking is often overlooked, and can make for long days.  It's generally considered poor form to bogart bandwidth from a convenient unsecured wireless access point while performing a security assessment of an adjacent network. Bring your own. For back-office connectivity, GPRS, 1xRTT or comparable cellular data service is slow but usually adequate, and a low-power Ethernet hub is handy for sharing one system's connection to the internet and the home office. Sharing that connection over an 802.11 wireless link would be a silly thing to do.

The most important item, as any seasoned penetration-tester will confirm, is a get-out-of-jail-free letter, preferably signed by a C-level officer for the organization being probed. Each team member ought to have a copy in his or her pocket, and another copy taped to the inside wall of the truck in a visible spot where one can point a terrorist-addled security guard or local peace officer who's unsnapped his holster. Half a roll of gaffer's tape keeps everything in place; don't forget to tape the laptops down to the table for truck-conducted wardriving. 

When the crew settles into their re-covered Barcaloungers, we're ready to roll.  I'm always surprised at large companies that don't bat an eye at large trucks situated in front of the CEO's window, trolling the alleys, or parked in the fire lane all day long.

There's always debate in the wireless security community about assessment software, and there are many good choices.  Excellent commercial products are available, such as Network Chemistry's RFprotect Mobile and AiroPeek from WildPackets, but I find that the open-source tools KisMAC and the Remote-Exploit Auditor CD give me the most effective and expedient results.

As the name implies, KisMAC is an OS X application inspired by Kismet, the stalwart if not user-friendly Linux wireless security tool. Behind its innocuous interface, KisMAC includes a plethora of survey, data capture, GPS support, and modern key cracking tools. One of my favorite features is the ability to export wireless node findings and locations in KML format for import into the standalone Google Earth application.  Not only does the map detail make for visually stunning presentations that spur executives into actually funding security remediation (gasp!), the terrain elevation information makes it easier to explore anomalies from directional signals and obstructions.
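The KML export described above is worth seeing in concrete form, because the resulting file is what ends up in front of executives. The following is an added example, not KisMAC's exporter or any code from the column: it takes a handful of constructed survey records (field names, BSSIDs and Seattle-area coordinates are all made up for illustration) and writes a Google Earth KML document that colours open, WEP and WPA networks differently. The one point a practitioner should notice is that SSIDs are attacker-controlled strings, so they are XML-escaped before being written into the report rather than pasted in raw; the parser at the end reads the file back to confirm it is well-formed.

```python
"""Write wireless survey findings to Google Earth KML (added example).

Node records, style names and coordinates below are constructed for
illustration; they are not KisMAC's data model or output.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from xml.sax.saxutils import escape


@dataclass
class WirelessNode:
    ssid: str
    bssid: str
    encryption: str   # "NONE", "WEP", "WPA", "WPA2" (this example's labels)
    channel: int
    lat: float        # decimal degrees, north positive
    lon: float        # decimal degrees, east positive
    max_signal: int   # best observed signal in dBm


# KML colours are aabbggrr hex; style ids are this example's own choice.
STYLES = {
    "open": "ff0000ff",   # red: no encryption
    "wep": "ff00a5ff",    # orange: WEP
    "wpa": "ff00ff00",    # green: WPA/WPA2
}

KML_NS = "{http://www.opengis.net/kml/2.2}"


def style_for(node: WirelessNode) -> str:
    """Map a node's encryption label onto one of the three style ids."""
    enc = node.encryption.upper()
    if enc in ("", "NONE", "OPEN"):
        return "open"
    if enc == "WEP":
        return "wep"
    return "wpa"


def placemark(node: WirelessNode) -> str:
    """Render one node as a KML Placemark. Every survey-derived string is
    escaped: an SSID such as 'x<script>' must not become XML markup."""
    name = escape(node.ssid) or "(hidden SSID)"
    desc = escape(f"BSSID: {node.bssid}; Encryption: {node.encryption}; "
                  f"Channel: {node.channel}; Best signal: {node.max_signal} dBm")
    return (
        "    <Placemark>\n"
        f"      <name>{name}</name>\n"
        f"      <description>{desc}</description>\n"
        f"      <styleUrl>#{style_for(node)}</styleUrl>\n"
        # KML coordinate order is longitude,latitude,altitude
        f"      <Point><coordinates>{node.lon:.6f},{node.lat:.6f},0</coordinates></Point>\n"
        "    </Placemark>\n"
    )


def build_kml(nodes, doc_name: str = "Wireless survey") -> str:
    """Assemble a complete KML document for a list of WirelessNode records."""
    styles = "".join(
        f'    <Style id="{sid}"><IconStyle><color>{col}</color></IconStyle></Style>\n'
        for sid, col in STYLES.items())
    marks = "".join(placemark(n) for n in nodes)
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<kml xmlns="http://www.opengis.net/kml/2.2">\n'
            '  <Document>\n'
            f'    <name>{escape(doc_name)}</name>\n'
            f'{styles}{marks}'
            '  </Document>\n'
            '</kml>\n')


def parse_placemarks(kml_text: str):
    """Read a KML document back as (name, styleUrl, lon, lat) tuples.
    Parsing with a real XML parser is the check that the output is well-formed."""
    root = ET.fromstring(kml_text.encode("utf-8"))
    found = []
    for pm in root.iter(KML_NS + "Placemark"):
        coords = pm.findtext(f"{KML_NS}Point/{KML_NS}coordinates")
        lon, lat, _alt = (float(v) for v in coords.split(","))
        found.append((pm.findtext(KML_NS + "name"),
                      pm.findtext(KML_NS + "styleUrl"), lon, lat))
    return found


# Constructed sample survey records (not real networks or locations).
SAMPLE_NODES = [
    WirelessNode("corp-guest", "00:11:22:33:44:55", "NONE", 6, 47.609722, -122.333056, -61),
    WirelessNode("warehouse<ap>", "00:11:22:33:44:66", "WEP", 11, 47.610100, -122.334200, -74),
    WirelessNode("", "00:11:22:33:44:77", "WPA2", 1, 47.608900, -122.331900, -80),
]

if __name__ == "__main__":
    with open("survey.kml", "w", encoding="utf-8") as fh:
        fh.write(build_kml(SAMPLE_NODES))
    print(f"wrote {len(parse_placemarks(build_kml(SAMPLE_NODES)))} placemarks")
```

Opening `survey.kml` in Google Earth places one pin per access point; the terrain view the column mentions comes for free once the points are there. The escaping step is the part that matters for a report that will be opened on an executive's machine: the survey file is built from strings broadcast by radios the assessor does not control.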

The Auditor CD is actually a collection of open-source tools for all manner of network security projects, far more comprehensive than can be covered here.  Among others, it provides Kismet with a graphical interface, the inscrutable Wellenreiter, airodump, a host of cracking and exploit gear, and even Bluetooth tools.  If entrée is gained or there's work to be done on the wired side, the Auditor CD provides a wealth of other network security tools at one's fingertips.

One of the nicer aspects of the Auditor CD is that it comes as a "live" bootable Linux distribution based on Knoppix. It supports a wide range of wireless cards, and it'll run on many commodity laptop models without any installation woes.  While building one's own Gentoo-based wireless survey system from the kernel up may be somewhat more appealing than mumblety-peg on slow days in the office, a bootable distribution is king in the back of a cold truck.

We listen and gather data; probe and prod.  We drive, we circle, we sit, we do it again.  Sometimes we find interesting flaws in a corporate wireless network. Other times it's difficult to maintain professional composure when faced with silly configurations or creative new debacles. The pattern of our analysis is driven by collective experience and the areas of assessment we're expected to document, but that's another story.

When we're all done, we pack up our gear, clean out the truck, donate the furniture back to the thrift store (pre-priced!) and head home for final analysis and documentation. Now, about those margaritas...

Jon Espenschied has been at play in the security industry for enough years to become enthusiastic, blasé, cynical, jaded, content and enthusiastic again. He is currently a senior security consultant in Seattle, where his advice has been ignored by CEOs, auditors and sysadmins alike.
