This paper by Joshua Wright discusses network discovery applications so that they can be taken into account in intrusion detection systems. You will be able to see the different signatures these tools can have, etc.
Layer 2 Analysis of WLAN Discovery Applications for Intrusion Detection
11/8/2002
Wellenreiter and others is an increasingly popular technique for network penetration. The discovery of a wireless LAN might be used for seemingly innocuous Internet access, or to be used as a "backdoor" into a network to stage an attack. This paper reviews some of the tactics used in wireless LAN network discovery and attempts to identify some of the fingerprints left by wireless LAN discovery applications, focusing on the MAC and LLC layers. This fingerprint information can then be incorporated into intrusion detection tools capable of analyzing data-link layer traffic.
Where traditional intrusion detection systems can be located in a functional area (DMZ, inside a firewall, outside a firewall, etc.), a data collection agent (agent) capturing 802.11 frames must be installed in the same service area as each wireless LAN we wish to monitor.
In order for wireless clients to locate a network to join, the IEEE 802.11 specification made an accommodation for clients to broadcast requests for available networks. Applications like NetStumbler and DStumbler utilize this and other scanning techniques to discover wireless LANs. Since these techniques are part of the 802.11 specification, we should expect to see their use for legitimate network discovery. Fortunately, the scanning techniques used by NetStumbler and DStumbler that are presented here are anomalous when compared to the 802.11 specification and can be detected among otherwise legitimate network scanning traffic.
Through lab experimentation and the analysis of "hostile" network activity, I have found several fields of interest that are pertinent to the analysis and discovery of WLAN discovery applications.
A sequence control field is used to accommodate fragmentation of 802.11 frames. Two bytes in length, the first 4 bits (low order) are used to uniquely identify each fragment with the remaining 12 bits used to uniquely identify the frame based on a modulo 4096 counter (Gast, 41). The sequence number portion of the sequence control field is analogous to its upper-layer counterpart, the IPID field.
The control type and control subtype fields utilize two bytes of the 802.11 frame control structure to identify data, management and control frames used to support the robust operation of 802.11 networks. Common type/subtype combinations include 00/0100 (probe request), 00/0101 (probe response), 00/1000 (beacon) and 10/0000 (data). As many of the remaining combinations of type and subtype are reserved for future use, we will likely see a good deal of experimentation to elicit unique responses to unexpected frame types.
A client seeking to discover available wireless networks through active scanning will transmit a probe request frame to the MAC layer broadcast address ("FF:FF:FF:FF:FF:FF").
In addition to setting the destination MAC address to the broadcast address, the SSID is set to a value of "0x00" in probe request frames. The last station to communicate in an IBSS network is responsible for responding with the network SSID to probe requests. In infrastructure networks, the access point (AP) is responsible for responding to probe requests with its configured SSID, unless otherwise directed.
Part of the 802.2 LLC frame encapsulation, the OUI field consists of three bytes used to uniquely identify a vendor as part of a convention for locally administered protocol identifiers. This value will commonly be set to all 0’s for encapsulated Ethernet frames.
The data payload of LLC frames may contain unique information for use in identifying the network discovery application generating the traffic.
The LLC protocol type field specifies the upper-layer protocol type. Common examples include 0x0800 for IP traffic, 0x0806 for ARP and 0x888e for 802.1x authentication.
Part of the SNAP header, the LLC protocol ID number is used to specify the protocol type used with the particular OUI specified in the frame.
confidentiality, the traces provided as examples are from lab-generated traffic, although each traffic pattern has been identified in multiple dissimilar environments.
their ESSID using a cloaked ESSID configuration. Furthermore, the active scanning method requires the client to communicate actively with the AP, giving the intrusion analyst the opportunity to discover the intrusion.
RF Monitoring
An increasing number of WLAN discovery applications utilize a completely passive method of WLAN discovery known as radio frequency monitoring (RFMON). A client with a wireless card that is configured in RFMON mode will be able to capture all RF signals on the channels to which it is configured to listen.
traffic seen on the network. Some of the more advanced tools provide full DHCP packet dissection and reporting, as well as reporting Cisco Discovery Protocol (CDP), BOOTP and SNMP traffic.
application would report to its user, the attacker, that it is seeing a DHCP server issue addresses in the noted range. An attacker, curious to discover what services these hosts are offering, might try to obtain a valid network address by requesting a DHCP address or by specifying an "unallocated" static address. It is likely that the attacker would then attempt to perform port scanning and/or host fingerprinting against all the hosts that were noted by the network discovery application as having received DHCP leases. An intrusion analyst would only need to monitor their network for signs of activity to the falsified network address advertisements and then capture traffic and generic RF traffic statistics about the attacker. Through the use of triangulation techniques, the intrusion analyst might even be able to establish the location of the assailant.
- Download: http://www.netstumbler.com/
- Source available: no
- Discovery method: Active Scanning/Probing
- Features: Simple install, GPS support, probes discovered AP for additional information
- Supported chipsets: Lucent
- Supported platforms: Windows, Pocket PC
- Author: Marius Milner
- 3.2.3: All your 802.11b are belong to us
- 3.3.0: intentionally blank [1]
(data[4:4] eq 41:6c:6c:20 or data[4:4] eq 6c:46:72:75 or data[4:4] eq 20:20:20:20)
The following detect is taken from NetStumbler version 3.2.3 using a Windows 2000 host for discovery.
Type/Subtype: Data (32)
Frame Control: 0x0908
Version: 0
Type: Data frame (2)
Subtype: 0
Flags: 0x9
DS status: Frame is entering DS (To DS: 1 From DS: 0) (0x01)
.... .0.. = Fragments: No fragments
.... 1... = Retry: Frame is being retransmitted
...0 .... = PWR MGT: STA will stay up
..0. .... = More Data: No data buffered
.0.. .... = WEP flag: WEP is disabled
0... .... = Order flag: Not strictly ordered
Duration: 258
BSS Id: 00:50:18:07:13:92 (ADVANCED_07:13:92)
Source address: 00:02:2d:52:cb:27 (Agere_52:cb:27)
Destination address: 00:50:18:07:13:92 (ADVANCED_07:13:92)
Fragment number: 0
Sequence number: 3057
Logical-Link Control
DSAP: SNAP (0xaa)
IG Bit: Individual
SSAP: SNAP (0xaa)
CR Bit: Command
Control field: U, func = UI (0x03)
000. 00.. = Unnumbered Information
.... ..11 = Unnumbered frame
Organization Code: Unknown (0x00601d)
Protocol ID: 0x0001
Data (58 bytes)
0000 00 00 00 00 41 6c 6c 20 79 6f 75 72 20 38 30 32 ....All your 802
0010 2e 31 31 62 20 61 72 65 20 62 65 6c 6f 6e 67 20 .11b are belong
0020 74 6f 20 75 73 2e 20 20 20 20 20 20 fe ca ba ab to us.      ....
0030 ad de 0f d0 4f 45 43 45 46 46 ....OECEFF
MiniStumbler will not send a data probe to a discovered AP.
- Name: DStumbler, bsd-airtools
- Download: http://www.dachb0den.com/projects/dstumbler.html
- Source available: yes
- Discovery method: Active Scanning/Probing or Passive RF Monitoring
- Features: Reports APs with default configuration, GPS support, reports additional information about discovered networks (WEP enabled, beacon interval, node detection)
- Supported chipsets: Any that are supported by host OS, Prism II for Passive RF Monitoring
- Supported platforms: NetBSD, FreeBSD, OpenBSD
- Author: h1kari
including support for additional card chipsets; additional reporting on discovered networks (number active nodes, beacon intervals, default SSIDs, supported data rates); and reports a partial detect for WEP key lengths.
control 0x0040) using low-numbered, modulo 12 sequence number values. After receiving a probe response from an AP, DStumbler will attempt to authenticate, and then associate with, the AP. The authentication frame uses a consistent sequence value of 11 (0x0b), and the following association request uses a sequence value of 12 (0x0c). This pattern will repeat until DStumbler does not receive probe response frames from the AP.
or (wlan.seq eq 12 and wlan.fc.subtype eq 00)
IEEE 802.11
Type/Subtype: Authentication (11)
Frame Control: 0x00B0
Version: 0
Type: Management frame (0)
Subtype: 11
Flags: 0x0
DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00)
.... .0.. = More Fragments: This is the last fragment
.... 0... = Retry: Frame is not being retransmitted
...0 .... = PWR MGT: STA will stay up
..0. .... = More Data: No data buffered
.0.. .... = WEP flag: WEP is disabled
0... .... = Order flag: Not strictly ordered
Duration: 258
Destination address: 00:e0:63:82:19:c6 (00:e0:63:82:19:c6)
Source address: 00:02:2d:0a:01:de (00:02:2d:0a:01:de)
BSS Id: 00:e0:63:82:19:c6 (00:e0:63:82:19:c6)
Fragment number: 0
Sequence number: 11
IEEE 802.11 wireless LAN management frame
Fixed parameters (6 bytes)
Authentication Algorithm: Open System (0)
Authentication SEQ: 0x0001
Status code: Successful (0x0000)
IEEE 802.11
Type/Subtype: Association Request (0)
Frame Control: 0x0000
Version: 0
Type: Management frame (0)
Subtype: 0
Flags: 0x0
DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00)
.... .0.. = More Fragments: This is the last fragment
.... 0... = Retry: Frame is not being retransmitted
...0 .... = PWR MGT: STA will stay up
..0. .... = More Data: No data buffered
.0.. .... = WEP flag: WEP is disabled
0... .... = Order flag: Not strictly ordered
Duration: 258
Destination address: 00:e0:63:82:19:c6 (00:e0:63:82:19:c6)
Source address: 00:02:2d:0a:01:de (00:02:2d:0a:01:de)
BSS Id: 00:e0:63:82:19:c6 (00:e0:63:82:19:c6)
Fragment number: 0
Sequence number: 12
IEEE 802.11 wireless LAN management frame
Fixed parameters (4 bytes)
Capability Information: 0x0011
.... ...1 = ESS capabilities: Transmitter is an AP
.... ..0. = IBSS status: Transmitter belongs to a BSS
...1 .... = Privacy: AP/STA can support WEP
..0. .... = Short Preamble: Short preamble not allowed
.0.. .... = PBCC: PBCC modulation not allowed
0... .... = Channel Agility: Channel agility not in use
CFP participation capabilities: No point coordinator at AP (0x0000)
Listen Interval: 0x0001
Tagged parameters (9 bytes)
Tag Number: 0 (SSID parameter set)
Tag length: 1
Tag interpretation:
Tag Number: 1 (Supported Rates)
Tag length: 4
Tag interpretation: Supported rates: 1.0 2.0 5.5 11.0 [Mbit/sec]
DStumbler supports the ability to passively detect networks using Prism II cards in RFMON mode, which does not leave a noticeable fingerprint.
- Download: http://www.remote-exploit.org/
- Source available: yes
- Discovery method: Passive RF Monitoring
- Features: GPS support, reports default ESSIDs, embedded statistics engine for collection of signal strength, packet counters, and other related information. Wellenreiter is also the only tool that employs an ESSID brute-force attack script.
- Supported chipsets: Lucent, Cisco, Prism II
- Supported platforms: Linux, experimental BSD
- Author: Max Moser
second 802.11 network card, including ESSID brute- forcing and automatic network association. It is through these features that we are able to identify Wellenreiter-generated traffic.
‘this_is_used_for_wellenreiter’");
system("$fromconf{ifconfig} $fromconf{interface} down");
my $brutessid = shift (@g_wordlist);
my $mactouse = build_a_fakemac;
system("$fromconf{ifpath} $fromconf{interface} hw ether $mactouse");
print STDOUT "
I test now the essid: $brutessid";
system("$fromconf{iwpath} $fromconf{interface} essid $brutessid");
system("$fromconf{ifpath} $fromconf{interface} up");
return ($true);
wlan_mgt.tag.interpretation eq "this_is_used_for_wellenreiter"
The following detect was generated using Wellenreiter v1.6 on a Slackware Linux workstation using a stock 2.4.18 kernel:
Type/Subtype: Probe Request (4)
Frame Control: 0x0040
Version: 0
Type: Management frame (0)
Subtype: 4
Flags: 0x0
DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00)
.... .0.. = Fragments: No fragments
.... 0... = Retry: Frame is not being retransmitted
...0 .... = PWR MGT: STA will stay up
..0. .... = More Data: No data buffered
.0.. .... = WEP flag: WEP is disabled
0... .... = Order flag: Not strictly ordered
Duration: 0
Destination address: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
Source address: 00:40:96:47:e2:7d (00:40:96:47:e2:7d)
BSS Id: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
Fragment number: 0
Sequence number: 3849
IEEE 802.11 wireless LAN management frame
Tagged parameters (37 bytes)
Tag Number: 0 (SSID parameter set)
Tag length: 29
Tag interpretation: this_is_used_for_wellenreiter
Tag Number: 1 (Supported Rates)
Tag length: 4
Tag interpretation: Supported rates: 1.0 2.0 5.5 11.0 [Mbit/sec]
0000 40 00 00 00 ff ff ff ff ff ff 00 40 96 47 e2 7d @..........@.G.}
0010 ff ff ff ff ff ff 90 f0 00 1d 74 68 69 73 5f 69 ..........this_i
0020 73 5f 75 73 65 64 5f 66 6f 72 5f 77 65 6c 6c 65 s_used_for_welle
0030 6e 72 65 69 74 65 72 01 04 02 04 0b 16 ff ff ff nreiter.........
0040 ff .
Wellenreiter also uses randomized MAC addresses, in an effort to increase the level of anonymity for the attacker. Using a random MAC address does give the intrusion analyst an opportunity to detect "anomalous" MAC addresses, that is, those addresses whose first three octets carry an organizationally unique identifier that is unallocated by the IEEE standards body, or that is allocated but not used for 802.11 network cards. In order to support this effort, the intrusion analyst needs a database of MAC OUI prefixes that are expected to be received on the wireless interface of an AP. Supporting this effort, Colin Grady has established a database at http://www.unbolted.net/ where users can submit their MAC address prefixes, manufacturer name and card type. Since Wellenreiter network discovery is performed passively through the use of RFMON listening, we are unable to detect that portion of the application through layer 2 traffic analysis.
- Source available: no
- Discovery method: Active Scanning/Probing
- Features: Support for wireless networking built into operating system, simple procedure for network scanning.
- Supported chipsets: Lucent, Cisco, Prism
0x0d 0x0a 0x0e 0x19 0x02 0x17 0x19 0x02
0x14 0x1f 0x07 0x04 0x05 0x13 0x12 0x16
0x16 0x0a 0x01 0x0a 0x0e 0x1f 0x1c 0x12
As 32 bytes is the maximum size of the SSID field and due to the randomness of the string, I believe this traffic pattern is the likely result of a bug in the implementation of wireless networking drivers supplied with Windows XP. For this reason, I believe Microsoft will likely remove this unique signature from future Windows operating systems, possibly “fixing” this bug in later patches and releases of the Windows XP operating system.
wlan_mgt.tag.interpretation[0:4] eq 0c:15:0f:03
The following detect was generated using Windows XP, service pack 1:
Type/Subtype: Probe Request (4)
Frame Control: 0x0040
Version: 0
Type: Management frame (0)
Subtype: 4
Flags: 0x0
DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00)
.... .0.. = More Fragments: This is the last fragment
.... 0... = Retry: Frame is not being retransmitted
...0 .... = PWR MGT: STA will stay up
..0. .... = More Data: No data buffered
.0.. .... = WEP flag: WEP is disabled
0... .... = Order flag: Not strictly ordered
Duration: 0
Destination address: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
Source address: 00:60:1d:f0:91:68 (00:60:1d:f0:91:68)
BSS Id: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
Fragment number: 0
Sequence number: 20
IEEE 802.11 wireless LAN management frame
Tagged parameters (40 bytes)
Tag Number: 0 (SSID parameter set)
Tag length: 32
Tag interpretation:
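As an added example (not code from the paper or from any of the tools it describes), a small Python detector that applies the four layer 2 fingerprints discussed above: it decodes the 24-byte 802.11 MAC header and the tagged parameters, then checks the Wellenreiter SSID, the Windows XP 32-byte SSID prefix, the DStumbler sequence numbers (authentication seq 11, association request seq 12) and the NetStumbler LLC/SNAP data probe. The Wellenreiter frame is the hex dump shown above; the NetStumbler and DStumbler frames are reconstructed here from the dissections (constructed, not captured).

```python
import struct

def parse_80211(frame):
    """Decode the 24-byte MAC header of a frame; 'body' is everything after it."""
    fc, seqctrl = struct.unpack_from("<H", frame, 0)[0], struct.unpack_from("<H", frame, 22)[0]
    mac = lambda off: ":".join("%02x" % x for x in frame[off:off + 6])
    return {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF, "to_ds": bool(fc & 0x100),
            "addr1": mac(4), "addr2": mac(10), "addr3": mac(16),
            "seq": seqctrl >> 4, "frag": seqctrl & 0xF, "body": frame[24:]}

def parse_tags(body):
    """Parse tagged parameters (tag, length, value); stop where a tag would overrun (the FCS)."""
    tags, off = {}, 0
    while off + 2 <= len(body):
        tag, ln = body[off], body[off + 1]
        if off + 2 + ln > len(body):
            break
        tags[tag] = body[off + 2:off + 2 + ln]
        off += 2 + ln
    return tags

SNAP_NETSTUMBLER = bytes.fromhex("aaaa03 00601d 0001")  # LLC/SNAP, OUI 00:60:1d, protocol ID 0x0001

def fingerprint(frame):
    """Return the discovery tool a frame fingerprints, or None for ordinary traffic."""
    h = parse_80211(frame)
    if h["type"] == 0 and h["subtype"] == 4:              # probe request: inspect the SSID tag
        ssid = parse_tags(h["body"]).get(0, b"")
        if ssid == b"this_is_used_for_wellenreiter":
            return "Wellenreiter"
        if len(ssid) == 32 and ssid[:4] == b"\x0c\x15\x0f\x03":
            return "Windows XP"
    if h["type"] == 0 and (h["subtype"], h["seq"]) in ((11, 11), (0, 12)):
        return "DStumbler"                                # authentication seq 11, association request seq 12
    if h["type"] == 2 and h["body"].startswith(SNAP_NETSTUMBLER) \
            and h["body"][12:16] in (b"All ", b"lFru", b"    "):  # the data[4:4] strings from the filter
        return "NetStumbler"
    return None

# Wellenreiter probe request copied from the hex dump above (trailing ff ff ff ff is the FCS)
WELLENREITER_PROBE = bytes.fromhex(
    "40000000ffffffffffff00409647e27dffffffffffff90f0001d746869735f69"
    "735f757365645f666f725f77656c6c656e726569746572010402040b16ffffffff")
# NetStumbler 3.2.3 data probe, constructed: header from the dissection, LLC/SNAP + payload from the dump
NETSTUMBLER_PROBE = bytes.fromhex(
    "0809020100501807139200022d52cb2700501807139210bf" "aaaa0300601d0001"
    "00000000416c6c20796f757220383032" "2e313162206172652062656c6f6e6720"
    "746f2075732e202020202020fecabaab" "adde0fd04f4543454646")
# DStumbler authentication frame (seq 11), constructed from the dissection above
DSTUMBLER_AUTH = bytes.fromhex("b000020100e0638219c600022d0a01de00e0638219c6b000000001000000")
```

The DStumbler rule is stateless, like the display filter above; an agent that tracks per-source state could additionally require the seq 11 authentication to be followed by the seq 12 association request from the same address.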