Wireless Infrastructure Device Identification

In this phase, the auditor will start doing device and protocol analysis by looking at layer 2 information using various tools.

Kismet is commonly used for performing device identification. As described earlier in this chapter, Kismet is an 802.11 layer-2 wireless network detector and sniffer, with some intrusion detection capabilities. It will work with any WNIC that supports raw RF monitoring (RFMON) mode. As the WNIC goes, so goes Kismet—it can sniff 802.11b, 802.11a, and 802.11g traffic depending on the WNIC's radio capability. Figure 8-21 shows Kismet in action.

Kismet's operation is primarily controlled via its configuration file, kismet.conf. The most important setting in that file is the capture source. A capture source in Kismet is a network interface that provides wireless frames to the Kismet sniffing engine; it tells Kismet what specific type of WNIC to use, because different drivers often use different methods to report information and to enter monitor mode. The various WNIC/driver combinations supported, and their associated capture source entries, are listed in the "Capture Sources" section of Kismet's README file.

Kismet allows the auditor not only to identify the SSID (referred to in Kismet's documentation and GUI as the ESSID) of each AP detected, but also to obtain a whole list of information about it, e.g., BSSID, the channel the AP is transmitting on, signal strength, encryption scheme used, IP range identification, supported rates, and wireless clients connected. With this information, the auditor can identify the list of APs that belong to the organization via their ESSID, BSSID, encryption scheme used, and sometimes their signal strength. However, auditors should not rely purely on the information presented by Kismet's interface, just as they should not for any other tool. They should learn to read the packet dumps created by Kismet and determine the accuracy of Kismet's output by cross-checking the information in the Kismet display against the actual frames captured and written to file.

Figure 8-21 Kismet in action: the network list (columns T, W, Ch, Packets, Flags, IP Range), the alert pane showing repeated "Probe response with 0-length SSID detected" alerts, the elapsed-time counter, and the battery/AC power indicator.

Other than Kismet, Airodump-ng (part of the Aircrack-ng suite of tools at http://www.aircrack-ng.org/doku.php) can also be used to cross-verify that the key information identified by Kismet is indeed accurate and reliable. This is an example of using one tool to validate the observations obtained by another.
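The cross-check the text recommends, reading Kismet's packet dump rather than trusting the display, can be scripted. The following is an added example written for this section; it is not Kismet or Aircrack-ng code. It assumes frames are stored with a radiotap header (the usual pcap link type for Kismet dumps), parses beacon and probe-response frames for BSSID, SSID, channel, rates and encryption indicators, and compares the result with what the display claimed. The two sample frames and the "Kismet view" dictionary are constructed for the demo (one AP advertises a 0-length, cloaked SSID, matching the alerts seen in Figure 8-21, and the display's channel for it is deliberately wrong so a discrepancy is reported).

```python
"""Parse 802.11 beacon/probe-response frames from a Kismet-style capture and
cross-check them against the network list Kismet displayed.
Added example; not Kismet or Aircrack-ng code. Sample frames are constructed."""
import struct

FC_BEACON, FC_PROBE_RESP = 0x80, 0x50        # frame-control byte 0 for mgmt subtypes
CAP_PRIVACY = 0x0010                          # capability bit set for WEP/WPA/WPA2
TAG_SSID, TAG_RATES, TAG_DS, TAG_RSN, TAG_VENDOR = 0, 1, 3, 48, 221
WPA1_OUI_TYPE = b"\x00\x50\xf2\x01"           # vendor IE prefix used by WPA1


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_tags(payload):
    """Walk the tagged parameters (id, len, value); stop at a truncated tag."""
    tags, i = [], 0
    while i + 2 <= len(payload):
        tag_id, tag_len = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + tag_len]
        if len(value) < tag_len:
            break
        tags.append((tag_id, value))
        i += 2 + tag_len
    return tags


def parse_mgmt_frame(frame):
    """Return a dict for a beacon/probe response, or None for anything else."""
    if len(frame) < 8:
        return None
    rt_len = struct.unpack_from("<H", frame, 2)[0]       # radiotap header length
    dot11 = frame[rt_len:]
    if len(dot11) < 36 or dot11[0] not in (FC_BEACON, FC_PROBE_RESP):
        return None
    cap = struct.unpack_from("<H", dot11, 34)[0]         # after 24-byte hdr + ts + interval
    info = {"bssid": mac_str(dot11[16:22]), "ssid": None, "hidden": False,
            "channel": None, "privacy": bool(cap & CAP_PRIVACY),
            "encryption": "open", "rates": []}
    for tag_id, value in parse_tags(dot11[36:]):
        if tag_id == TAG_SSID:
            info["hidden"] = len(value) == 0 or value == b"\x00" * len(value)
            info["ssid"] = "" if info["hidden"] else value.decode("utf-8", "replace")
        elif tag_id == TAG_DS and value:
            info["channel"] = value[0]
        elif tag_id == TAG_RATES:
            info["rates"] = [(r & 0x7F) / 2 for r in value]   # units of 500 kbit/s
        elif tag_id == TAG_RSN:
            info["encryption"] = "WPA2"
        elif tag_id == TAG_VENDOR and value.startswith(WPA1_OUI_TYPE) and info["encryption"] != "WPA2":
            info["encryption"] = "WPA"
    if info["privacy"] and info["encryption"] == "open":
        info["encryption"] = "WEP"                # privacy bit but no RSN/WPA IE
    return info


def build_beacon(bssid, ssid, channel, privacy=False, rsn=False, subtype=FC_BEACON):
    """Construct a test frame: 8-byte radiotap header + 802.11 header + body."""
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)
    hdr = bytes([subtype, 0]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x10\x00"
    fixed = struct.pack("<QHH", 0, 100, CAP_PRIVACY if privacy else 0)
    tags = bytes([TAG_SSID, len(ssid)]) + ssid
    tags += bytes([TAG_RATES, 2, 0x82, 0x84])             # 1 and 2 Mbit/s, basic
    tags += bytes([TAG_DS, 1, channel])
    if rsn:
        tags += bytes([TAG_RSN, 2, 1, 0])                 # minimal RSN IE, version 1
    return radiotap + hdr + fixed + tags


def cross_check(frames, kismet_view):
    """Compare the displayed list (bssid -> fields) with what the frames say."""
    observed = {}
    for f in frames:
        info = parse_mgmt_frame(f)
        if info:
            observed[info["bssid"]] = info
    findings = []
    for bssid, shown in kismet_view.items():
        seen = observed.get(bssid)
        if seen is None:
            findings.append((bssid, "not in capture"))
            continue
        for field in ("ssid", "channel", "encryption"):
            if shown.get(field) != seen[field]:
                findings.append((bssid, "%s: display=%r frames=%r" % (field, shown.get(field), seen[field])))
    for bssid in observed.keys() - kismet_view.keys():
        findings.append((bssid, "in capture but not displayed"))
    return findings


# Constructed sample: two APs, the second cloaks its SSID (0-length, as in Figure 8-21)
BSSID_A, BSSID_B = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
SAMPLE_FRAMES = [build_beacon(BSSID_A, b"corp-wifi", 6, privacy=True, rsn=True),
                 build_beacon(BSSID_B, b"", 11, privacy=True)]
# Constructed "display" contents; channel for the second AP is wrong on purpose
KISMET_VIEW = {"00:11:22:33:44:55": {"ssid": "corp-wifi", "channel": 6, "encryption": "WPA2"},
               "00:aa:bb:cc:dd:ee": {"ssid": "", "channel": 1, "encryption": "WEP"}}

if __name__ == "__main__":
    for bssid, note in cross_check(SAMPLE_FRAMES, KISMET_VIEW):
        print(bssid, note)
```

To use it on a real dump, read each packet's bytes from the pcap (any pcap reader will do) and feed them to `cross_check` together with the BSSID list transcribed from the Kismet screen; only beacon and probe-response frames are considered, and a frame with a privacy bit but no RSN or WPA information element is reported as WEP, which is the same inference Kismet's display makes.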
