Putting the Gear Together: 802.11 Hardware

"You cannot fight to win with an unequipped army."

—Mei Yaochen

When reading other books somewhat related to wireless penetration testing or just simple wardriving, the suggested hardware choice is both limited and amusing. It creates the impression that only this particular laptop brand together with that specific PCMCIA card type are useful for these aims. In reality, much depends on the hardware chosen, but there are precise technical reasons for such selection that are never listed in these sources. These reasons include client card sensitivity in dBm, client card chipset, the presence of connector sockets for an external antenna, client card power emission and consumption level, laptop/PDA battery power life and compatibility with UNIX-like operational systems, and so forth. That said, practically any wireless client card and PCMCIA/CF/SD slot-containing mobile computer can be used for wireless hacking with some additional tweaking and different grades of efficiency. This is the main message of this chapter.

PDAs Versus Laptops

The first question that beginners ask before assembling their kit is whether a laptop or a PDA should be used for wireless penetration testing of any kind. Our answer is to use both if you can. The main advantage of PDAs (apart from size) is decreased power consumption, letting you cover a significant territory while surveying the site. The main disadvantage is the limited resources, primarily nonvolatile memory. The CPU horsepower is not that important here as we are not cracking AES. Other disadvantages are the limited amount of security tools available in packages and lack of Compact Flash (CF) 802.11 cards with standard external antenna connectors (we have yet to see one). However, Secure Digital (SD) and CF memory cards are getting larger and cheaper, external connectors can be soldered to the cards, and both Linux and BSD can be successfully installed on major PDA brands. In addition, CF-to-PCMCIA adapters or PCMCIA cradles can be used to employ your favorite PCMCIA card with an MMCX connector. PCMCIA cradles for iPAQs supporting two client cards and an auxiliary built-in battery to compensate for the additional power consumption by the cards are simply great.

When we talk about the use of PDAs in wireless penetration testing, we mainly mean Compaq's iPAQs and Sharp Zaurus. Wireless sniffers for other PDAs do exist; for example, the Airscanner Mobile Sniffer (Windows CE; free for personal use, downloaded from http://airscanner.com/downloads/sniffer/amsniffer.exe), and PocketWarrior (Windows CE; GPL, home page at http://pocketwarrior.sourceforge.net/).

However, if you want more than just network discovery and packet capture, you will need a UNIX-enabled PDA with a collection of specific tools we describe in the following two chapters. Sharp Zaurus comes with the Embeddix Linux preinstalled, with the main install-it-yourself alternative being OpenZaurus based on the Debian Linux distribution. Although iPAQs come with Windows CE by default, Linux distributions like Intimate, Familiar and OpenZaurus can be installed on iPAQs by anyone willing to experiment with open source security tools on a StrongARM platform. In fact, you can buy an iPAQ with Familiar Linux preinstalled from http://www.xtops.de. The common GUI for these distributions offered by Xtops is Open Palmtop Integrated Environment (OPIE). OPIE is similar to Trolltech's Qtopia used by the Embeddix distro on Zaurus. Another Linux PDA GUI alternative is the GPE Palmtop Environment, based on a GTK+ toolkit and running over an X server. Unfortunately, the peculiarities of installing Linux on iPAQs go beyond the wireless hacking book boundaries, even though we might include them in further editions. The best place to look for how-to information and help on this topic is http://www.handhelds.org/. Of note, IBM has produced an experimental 802.11 security testing software for iPAQs running Linux. More about this software suite can be found at http://www.research.ibm.com/gsal/wsa/.

Another possibility is running NetBSD to use the brilliant BSD-airtools suite and Wnet (if ported from OpenBSD 3.2). This requires more effort and knowledge than installing Intimate or Familiar, but isn't the pursuit of knowledge what hacking is really about? To find out more about installing BSD on your beloved PDA, check out the NetBSD mail list at http://handhelds.org/hypermail/netbsd/. If you decide to remain on the Windows CE side, the best idea is to get a copy of AirMagnet, Sniffer Wireless PDA version, or PDAlert. Neither solution is cheap, but that is to be expected from proprietary software.

Although a PDA running Linux or BSD can be turned into a very powerful wireless security auditing tool, the inconvenience of using a small keyboard allied to the price of the full kit (additional nonvolatile memory, PCMCIA cradle/CF 802.11 card, PDA-specific GPS device) and the time-consuming Linux/BSD installation (if not preinstalled) means that all but the most determined should stay away from PDA-only wireless security auditing. An additional issue is finding the 802.11a and now, 802.11g cards for PDAs, which are nearly nonexistent. However, there are YellowJacket and YellowJacket Plus suites for iPAQs designed for evaluating 802.11a WLANs and available from Berkeley Varitronics Systems (http://www.bvsystems.com/). Generally, Berkeley Varitronics produces a large variety of brilliant wireless site survey tools for a selection of protocols, although they come at a hefty price.

We have found a compromise in the "PDA vs. laptop" question: Use the PDA running a tool like Kismet or Wellenreiter and some signal strength monitoring software (e.g., wavemon or Wireless Monitor) for site surveys and rogue access point (or even user) discovery and the laptop loaded with the necessary tools for heavy-duty penetration testing.

As for which laptop to choose, just be sure your pick, as long as it can run Linux or BSD, has two PCMCIA slots and as much battery life as possible. The reasons for two and not one PCMCIA slots are explained when we come to certain man-in-the-middle attacks on WLANs in Chapter 8.

Antennas

Security-wise, antennas and amplifiers give an enormous edge to both the skillful attacker and defender. From the attacker's perspective, antennas give distance (resulting in physical stealth), better signal quality (resulting in more data to eavesdrop on and more bandwidth to abuse) and higher power output (essential in Layer 1 DoS and man-in-the-middle attacks). From the defender's perspective, correctly positioned antennas limit the network boundaries and lower the risk of network detection while reducing the space for attackers to maneuver. In addition, three highly directional antennas in conjunction with mobile wireless clients, running signal strength monitoring software, can be used to triangulate the attacker or a rogue wireless device. This is, of course, dependent on the attacker actually transmitting some data. A self-respecting wireless security company should be able to provide the triangulation service as a part of an incident response procedure. Unfortunately, this is not usually the case.

Before we provide suggestions on antenna use in wireless security auditing, a brief overview of antenna theory basics is necessary. If you are an RF expert you can safely skip the intermezzo and move forward.

The RF Basics: An Introduction to the Antenna Theory

There are two main characteristics in antennas: gain (or power amplification) provided by an antenna, and beamwidth (which shapes the antenna coverage zone). In fact, it makes sense to look at the zone of coverage as a third variable, because side and back beams of some antennas are difficult to describe in terms of beamwidth. You should always demand the antenna irradiation pattern diagram from the vendor to assess the shape of the antenna irradiation (if only approximately). A future site survey will show how closely the provided diagram corresponds to the truth. We have collected diagrams from some vendors in Appendix C for your convenience as well as an aid to understanding the distinctions between different types of antennas. Another often overlooked antenna characteristic is the antenna polarization, which can easily be changed by altering the antenna position. We cover the security significance of antenna polarization in Chapter 10.

An antenna's gain is estimated in dBi because it is referenced to an abstract isotropic irradiator, a fictional device that irradiates power in all directions (a star is an example of such a device). It is defined as passive because no power is injected by an antenna. Instead, the gain is reached by focusing the irradiated waves into a tighter beam. The beamwidth can be both horizontal and vertical; never lose the 3D perspective!

There are three generic types of antennas that differ by irradiation pattern and beamwidth and can be further divided into subtypes. These types include:

Omnidirectional antennas

Mast mount omni

Pillar mount omni

Ground plane omni

Ceiling mount omni

Semidirectional antennas

Patch antenna

Panel antenna

Sectorized antenna

Yagi antenna

Highly directional antennas

Parabolic dish

Grid antenna

Omnidirectional antennas have a 360-degree horizontal coverage zone and reach gain by decreasing the vertical beam. The irradiation pattern of an omnidirectional antenna resembles a doughnut with the antenna going through the doughnut's hole. The ground plane antennas (and some ceiling mount omnidirectionals with a ground plane) prevent the irradiation from spreading downward or upward. For the magnetic mount omnidirectionals loved by wardrivers, the car serves as the ground plane. A typical use of omnidirectional antennas is providing point-to-multipoint (hub-and-spoke) links for multiple clients or even networks, using semidirectional antennas for multiple connections to a powerful central access point hooked up to an omni.

Semidirectional sectorized, patch, and panel antennae form a "bubble" irradiation pattern spreading in 60 to 120 degrees in direction. They are frequently used to cover an area along a street or a long corridor; sectorized semidirectionals placed in a circle can act as a replacement for an omnidirectional, having the advantage of higher gain and vertical bandwidth (but at a higher price).

Yagis form a more narrow "extended bubble" with side and back lobes. A typical use for a yagi is establishing medium-range bridging links between corporate buildings as a very cheap alternative to laying fiber where the CAT5 with its 100 m limit for 100BaseT Ethernet cannot reach.

Highly directional antennas emit a narrowing cone beam capable of reaching the visible horizon and are used for long-range point-to-point links, or where a high-quality point-to-point link is required. Due to their usually high gain, directional antennas are sometimes used to blast through obstacles such as walls when no other alternative is present.

Sometimes the antennas take rather bizarre shapes (e.g., flag yagi), sometimes they are well-hidden from prying eyes (many of the indoor patch or panel antennas), and sometimes they look like fire alarms (small ceiling-mount omnis). Spotting wireless antennas is an important part of a site survey, which might help you determine the overall shape of the wireless network before turning on your monitoring tools. Pay particular attention to the back and side lobes, such as the ones in yagi's irradiation patterns; the network might span somewhere the system administrator without knowledge of RF basics might never expect it to be.

When selecting your antennas for wireless security audit, a decent omnidirectional and a high-gain, narrow-beamwidth antenna are the minimum. We usually use 12 dBi omni and 19 dBi grid directional, but you should pick the antennas that suit you best. An omnidirectional comes in handy when surveying a site, looking for rogue access points, analyzing traffic from several hosts positioned in different directions, and monitoring the area for unauthorized or suspicious traffic or interference. You should always keep in mind that with a higher gain the "doughnut" becomes flatter, and while using a higher gain omni you might not discover wireless hosts positioned below or above the coverage zone (e.g., hosts in the same building but on different floors). On the other hand, a lower gain omni might not be sufficiently sensitive to pick these hosts up. This is a possible case for using a semidirectional antenna (we use 15 dBi yagis). Alternatively, you can do a thorough scan with a narrow beamwidth directional, but remember both horizontal and vertical beamwidth planes! When it comes to the use of directional antennas, there are several obvious advantages:

You can check how far a well-equipped cracker can position himself or herself.
You can blast through walls and see how much data leaks through.
It is essential for trying out jamming and certain man-in-the-middle attacks.
It is vital for determining the attacker's position.
Some networks can only be discovered using a decent gain directional (or semidirectional). These include the WLANs on the top floors of very tall buildings.

There is considerable information (even in the popular media) on making your own antennas from Pringles tubes, empty tins, and so forth. Although it is a cool hardware hack and worth trying in your free time, we do not recommend using these antennas in serious commercial wireless penetration testing. Their beamwidth, irradiation pattern, gain, and some other important criteria, such as voltage standing wave ratio (VSWR; should be approximately 1.5:1) are rarely verified and the performance can be unreliable. Of course, there are cases when homemade antennas beat the commercially built ones by a large margin. Nevertheless, properly quantifying the do-it-yourself antennas parameters just listed is difficult and expensive, which makes defining and documenting your site survey results difficult. At the same time, it is easy to get a decent 2.4–2.5 or 5.15–5.85 GHz antenna for a very reasonable price (we recommend http://www.fab-corp.com, but there are many other affordable online WLAN antenna stores).