RE-cap: Tools for Detecting Wireless APs - from the wire side.

From: Isherwood Jeff C Contr AFRL/IFOSS (
Date: 06/11/02

From: Isherwood Jeff C Contr AFRL/IFOSS <>
To: 'Pen-Test' <>
Date: Tue, 11 Jun 2002 15:48:55 -0000

I've been getting some fantastic responses, but they all seem to be jelling
into this:

None of the "wireside" tools is mature or robust enough yet to be of
complete value. They can't give anyone a good enough sense of completeness,
that they can cover the bases and angles we need covered.

I have always used a multi-layered, multi-angled approach to all security
(it comes with the background, I'm ex-military with many years of service
after that as a private engineer for the DoD.)

Weather it be IDS, Vuln-assesment, Anti-Virus, System/network hardening or
Penetration testing... Any security person that relies completely on one
solution, or vendor is just spinning wheels, spending money and waiting for
a break in.

I WarDrive with several different systems, I WarDial with 2 diff rigs as
well, and have several layers of AV at different traffic points... The
theory being "What one vendor can't catch, hopefully his competitor will"

Nmap can spot over 600 different fingerprints... But like the blood and guts
forensic fingerprinters, there has to be enough of a print to base your
guessing on. I have a few Cisco APs set up, and I've talked it over with
Fyodor - Nmap can find these Aps... But the guy that set them up, knows what
he's doing, and their profile is so low-key that nmap cannot ID them.

Nor can xprobe... APTools can spot some of them, if I aim it at the IP and
tell it to look for an Aironet. The program isn't mature enough yet for me
to use on an Enterprise/campus level.

I've proven to co-workers that even War Driving isn't good enough, because
dependant on the building materials, and AP location, you might miss one or
two... And it only takes one.

Here's a summation:
Firewalls, firewalls, firewalls
I'm writing some scripts to work a "regular nmap & xprobe scan" into a
Doing the same with the ARP table / MAC Address IDs for comparison...
Keeping an eye on APTools and other possible scanners for future use...
Using SNMP capable scanners to watch for "Default configured" Aps...
Using Vuln Scanners to look for "Vulnerable" devices that I didn't put out
I'm inviting the company Air Defense to come show us what their product can
Did I mention Firewalls and VPns?
WarDriving... In case none of the above works... (at least it's a way to get
out of the office and get some sunshine right?)

I'll never get all of these things straighten out in time for my paper (due
in two weeks) but at least I know where to go, and what to cover (high over
view) as far as topics for the paper go.

All in all, a lot of work. There are several classes that rogue Aps can
fall into:

        Malicious Those that do NOT want to be found
or secured
        Well intentioned Those that don't understand the need
to be secured
        Clueless You can find these and secure them?

The last two are the most dangerous, Bob down in marketing who just wants to
work out at the picnic table on nice days, or Doris in accounting who likes
to take her laptop down to the conference room and work.

Thanks for all the input from everyone... I'll keep my eyes and ears open,
and send an update if anything new does actually pop up.

When I'm done with the paper (sorry I can't post it) I'll post some data on
the tools available (look at and yellowjacket in the meantime...)

  _____ - Senior Security Engineer-UNIX Sys AFRL\IFOSS

        "The art of war teaches us to rely not on the likelihood of the
enemy's not coming, but on our own readiness to receive him; not on the
chance of his not attacking, but rather on the fact that we have made our
position unassailable..."
                            - Sun-Tzu, The Art of War

This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:

Relevant Pages

  • Re: Defense in Depth
    ... What is meant by "layers" of security, is this: the entry points that must be ... Physical Layer - Physical access to the resources. ... attacks and other attacks that go after the software itself. ... "layer" in one long chain (lots of firewalls). ...
  • RE: Wireless Security for Home Users
    ... for most home users to create and/or manage 2 firewalls and a DMZ. ... As with most network security, ... investigate additional security features available from the WAP ...
    ... > 1) I don't trust MS products for security related tasks. ... firewalls running on NT? ... necessary steps to mitigate the risk and protect yourself. ... We still had six boxes hit. ...
  • RE: IDS is dead, etc
    ... Most firewall logs are just as tough to decipher as IDSs. ... Automated security analytics is a tough animal I don't care what the system. ... firewalls and IDSs, not just IDSs. ... There is no solution to these problems, therefore IDS is dead and we ...
  • [Full-disclosure] TWSL2013-025: Arbitrary File Upload Vulnerability in Official Nmap Http
    ... Trustwave SpiderLabs Security Advisory TWSL2013-025: ... Arbitrary File Upload Vulnerability in Official Nmap ...