LinuxPlanet - Print - Foil Wireless Poachers and Have Fun Doing It (Part 2)

Foil Wireless Poachers and Have Fun Doing It (Part 2)

By: Carla Schroder
Wednesday, January 31, 2007 01:35:35 PM EST
URL: http://www.linuxplanet.com/linuxplanet/tutorials/6350/1/

Killing and Slaying

Last week we learned some fun ways to mess with the minds of wireless freeloaders, and introduced ourselves to some methods for finding out who is on our networks. Today we're going to learn some different ways to kick unwanted visitors off networks, and how to see exactly who is lurking on our airwaves.

Who says computer geeks are mild-mannered, non-violent wimps? Why, we have all manner of violent commands at our fingertips. Like whowatch, kill, tcpkill, and cutter. Ph34r us!

whowatch is for monitoring logins in realtime, and kicking users off specific hosts. Suppose you're logged into the fileserver in an SSH session, and you want to see who else is logged in. Just run the whowatch command as root. You'll see an ncurses display showing a list of users:

2 users: (1 local, 0 telnet, 0 ssh, 1 other)    load: 0.02, 0.12, 0.12

(init)         pinball   tty2      -bash
(kdm)          carla     :0      -

Oy, you exclaim! Pinball should not be logged into the fileserver! Pinball should not even have a login account on the fileserver! This is very bad! What shall I do?

First of all, stop panicking. Use the Up/Down arrow keys to navigate to Pinball, then hit Enter. You'll see this:

2 users: (1 local, 0 telnet, 0 ssh, 1 other)   load: 0.12, 0.36, 0.29
(init)         pinball   tty2
 6972   - /bin/login --
 6975    `- -bash

Select the line with the lowest process number by using the arrow keys, and hit Ctrl+K to kill Pinball. Then you'll see this:

2 users: (1 local, 0 telnet, 0 ssh, 1 other)   load: 0.29, 0.34, 0.28
(init)         pinball   tty2
User logged out

Ha. Take that, Pinball. The Enter key toggles between the selected user and the list of users. Press F9 to expose the top menus. Obviously you now need to figure out how an unauthorized user was able to log into your server, repair the breach, and look for rootkits or other nasties. You might even need to rebuild the whole system. But at least you found out there was an intruder, which is always a good thing to know.

Finger

whowatch is usually a separate installation, so you might not have it when you need it. In that case, the venerable finger command is included on virtually all Linux distributions by default, so you don't have to install it separately. finger also displays a list of logged-in users; just run the finger command without options to see them:

$ finger
Login     Name       Tty      Idle  Login Time   Office     Office Phone
carla     carla     *:0             Jan 15 11:22
pinball             *tty2        5  Jan 15 15:02

Now use the ps command to find pinball's PID (process ID) via her tty:

$ ps auwx |grep tty2
pinball   7748  0.0  0.5   5464  3056 tty2     S+   15:02   0:00 -bash

Then run kill -9 7748 to give Pinball the heave-ho. ps is also found on every Linux, so if you find yourself on a desert island with no whowatch you can still evict bad users.

Getting Tough With tcpkill and Cutter

These are fine when all you need to do is boot bad users off certain computers, but what if you want to fling them off your entire network? For that you need tcpkill installed on your wireless access point. tcpkill is part of the dsniff suite of network-cracking utilities. dsniff is a useful network administrator tool, and it also has much power for evil. You should be familiar with it, because you can count on the bad guys knowing it intimately.

First you need to know the IP address of your unwanted visitor, which you can find with nmap. Run this as root from any host on your subnet:

# sudo nmap -sP 192.168.0.*

This will find all active hosts on your network, and report hostnames, IP addresses, and MAC addresses. Naturally you'll need to know which ones belong. Then clobber the ones you don't want with tcpkill:

# tcpkill -9 net 192.168.0.25

The cutter command makes it even easier. Just do this:

# cutter 192.168.0.25

tcpkill and cutter see both wired and wireless users. To zero in on wireless users, use Kismet.

Also, there's an easier, holistic way to keep wireless freeloaders and bad people out. Just upgrade all of your wireless gear to WPA2-compliant devices. Authenticate and encrypt every single bit that travels over your airwaves. It's easy and it works. Don't forget that even when you are successful at preventing intruders from entering your network, it's still trivially easy for them to sniff wireless traffic. WPA2's AES-based encryption will foil this.

Hunting Down Rogue (Not Rouge) Access Points With Kismet

Unfortunately, locking down your wireless access point won't prevent your users or other nefarious persons from setting up their own access points. Even if they don't have nefarious intent, a poorly-secured WAP won't care about good intentions. This is where Kismet more than earns its beans. With Kismet you'll find all access points and wireless users in your vicinity.

When you run Kismet you won't have network connectivity on the wireless card doing the monitoring. So, if you need be to on the network at the same time you'll need a second network interface.

Start up Kismet. Hit s to change the sort order, so you can run some commands. Try f for "first time seen." You'll see a list of detected wireless networks. If there are a lot, scroll up and down the list with the arrow keys and hit t to tag the ones you want to focus on. The tag will appear as an asterisk to the left of the network name. Then you can sort out the tagged ones.

Select one network with the arrow keys, then hit i to see detailed information on it. c displays a list of clients, and n and p take you to the next or previous network. Hit h at any time for contextual help. q quits the current window or popup.

Now that you know how to find access points and users, you can use the violent commands to knock them off your network if you need to do so. Tracking them down physically is a another problem. Kismet measures signal strength, so it will help you find them.

Kismet Drones

As usual, I'm out of room before I'm out of ideas, so here are some quick hints for folks who want to set up a stationary Kismet drone network. This is a slick way to monitor your site all the time, without having to wander around looking like a war-walking dork. Drones need two NICs: one wireless interface for monitoring, and a second NIC for sending data to the server. Wired interfaces are good for this, though you can use wireless if you really really want.

Configure the drones in /etc/kismet/kismet_drone.conf. Configure them just like we did for kismet.conf last week. Then configure the drone with a different TCP port than your Kismet server with tcpport=3510, or some such. Check /etc/services to avoid duplication. Then configure allowedhosts= for your network segment, like 127.0.0.1,192.168.1.0/24.

Finally, configure /etc/kismet/kismet.conf on the Kismet server to pick up the drone's output:

source=kismet_drone,192.168.1.50:3510,drone1

Use one line per drone. The name field, as we learned last week, can be anything.

You are now well on your way to wireless wizardry, and foiling the forces of darkness who would dare to trespass and misuse your wireless network.

Resources

Thank you to the LinuxChix gang for help with this article!
Kismet documentation
Tips and Tricks for Linux Admins: Discover, Map and Store
Foil Wireless Poachers and Have Fun Doing It
dsniff Frequently Asked Questions

This article originally appeared on Enterprise Networking Planet, a JupiterWeb site.