Getting Practical About Wireless Security, Part 1: Building a Wireless Sniffer with Perl
By Peter Seebach, 2005-04-13. First published by IBM DeveloperWorks.

Looking at a Specific Network

To learn more about a network, you must associate with it. In fact, the wireless firmware, by default, looks for the best available access point; this assumption sounds great, but is likely to result in problems if the available access points are not all associated with the same network. To attach to a specific network under NetBSD, specify an nwid option to ifconfig. After you've done that, you can rerun wiconfig without the -D option.

This produces a fair amount of information; in fact, unless you're using a very tall terminal, it won't all fit on the display at one time. The simplest solution is to limit the number of lines displayed, letting the user scroll up and down through the list. It might make sense to distinguish between card status (for instance, the MAC address field) and status specific to a network, but that takes up a lot more screen real estate. So, for now, the script just displays all the output from wiconfig. Listing 3 illustrates a partial sample output:

Listing 3. Network status

Thanks to the magic of threading, this data can be updated dynamically. In the sample code there's a thread that reruns wiconfig regularly (about every second), repopulating the array with current data, which is displayed by the display thread. Unfortunately, there's more data than will fit on the screen at one time. To fix this, the code supports an offset value, which can be adjusted using the arrow keys, to let the user scroll through the items:

Listing 4. A window into a larger array

Broadcast SSID

One issue often brought up for wireless security is the broadcast of the SSID (Service Set Identifier), also known as the network name. Curiously, there is some debate about the benefits and tradeoffs of broadcasting your SSID. Many sites point out that disabling broadcast of the SSID makes it a little harder for potential intruders to detect or attach to your network. Some versions of Windows®, however, automatically prefer to find a network that is broadcasting its SSID. Apparently, current versions no longer do this; at least, not unless you set the "Automatically connect to non-preferred networks" option.

The ways in which you can disable SSID broadcast, and even whether this is possible, vary depending on your hardware. Most access points have a configuration program of some sort through which this setting is available. If you do use this, be sure you know what the SSID is that you are no longer broadcasting; you can't join a network without knowing its SSID.

In general, disabling SSID broadcast is a defense against casual intruders, not against serious attempts to sniff your network. The one perhaps relevant case is that it will keep people from accidentally attaching to your network. You might think this is a ridiculous concern, but I've had it happen. One of the coffee shops I like to go to for free wireless access is in a building with some offices, which themselves contain wireless networking gear. On one occasion, I ended up inexplicably attached to the wrong network. Any private traffic on that company's network is not only wide open to people looking for it; it's wide open to people who sat at a table thirty feet too far from the coffee shop.

Entering an SSID by hand

On the other hand, you might want to look at a network without a broadcast SSID. That gives you an interesting user interface challenge: what's a good way to let the user enter an SSID? The only case where the user is likely to need to enter an SSID is one in which the user already knows it -- say, a fixed installation. Therefore, the SSID value can be added to the configuration file. If the configuration variable ssid is set, the program will start by associating with that network and displaying statistics about it.

At this point, the program is starting to serve a couple of divergent purposes. One is to sniff around for networks and report on them; another is to monitor a specific network. In general, the monitoring of a specific network implies that a lot more information is stored in the configuration file.
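The start-up step described above (read the ssid configuration variable, then associate with ifconfig's nwid option) can be sketched as follows; this is an added example, not code from the article's script. It checks the SSID before use and passes it to ifconfig as a separate argument rather than through a shell. The "key = value" file syntax, the interface name wi0, the DRY_RUN environment switch and the function names are all assumptions made for the illustration.

```perl
use strict;
use warnings;

# Parse "key = value" lines (assumed config syntax); '#' starts a comment.
sub read_config {
    my ($text) = @_;
    my %cfg;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*#/ || $line !~ /\S/;
        $cfg{$1} = $2 if $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/;
    }
    return %cfg;
}

# An 802.11 SSID is at most 32 octets. Refuse empty values and control
# characters so a damaged config file cannot hand ifconfig surprising input.
sub valid_ssid {
    my ($ssid) = @_;
    return 0 unless defined $ssid && length $ssid;
    return 0 if length($ssid) > 32;
    return 0 if $ssid =~ /[\x00-\x1f\x7f]/;
    return 1;
}

# Build the command as a list: system(LIST) bypasses the shell, so spaces,
# quotes or ';' in the SSID stay inside one literal argument.
sub associate_cmd {
    my ($iface, $ssid) = @_;
    die "bad interface name\n" unless $iface =~ /^[a-z]+\d+$/;
    die "bad SSID in config\n" unless valid_ssid($ssid);
    return ('ifconfig', $iface, 'nwid', $ssid);
}

# Constructed sample configuration (not from the article).
my $sample = <<'END';
# monitor one fixed network
ssid = Office Net; 2nd floor
interface = wi0
END

my %cfg = read_config($sample);
if (defined $cfg{ssid}) {
    my @cmd = associate_cmd($cfg{interface} // 'wi0', $cfg{ssid});
    if ($ENV{DRY_RUN} // 1) {          # default: only show the argv
        print join(' ', map { "[$_]" } @cmd), "\n";
    } else {
        system(@cmd) == 0 or die "ifconfig failed: $?\n";
    }
}
```

Run as-is it only prints the argument list; setting DRY_RUN=0 on a system with a wi0 interface performs the association and needs the privileges ifconfig requires.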