Foil Wireless Poachers and Have Fun Doing It (Part 1) - page 2
"I Could Encrypt It or I Could Have Fun"
Some admins think that using frightening SSIDs (service set identifiers) scares freeloaders away. Like FBI_FieldOffice, Honeypot, YouHaveBeenHackedHAHAHA, or Mordor. I think it's silly, but it does no harm as long as your real security is sound. Sometimes psychology is more powerful than technology--proof of this is how I cured my snoopy neighbor of spying on me with binoculars. Every time I spied on him with my binoculars, all I saw was him looking back at me. So I hung up a picture of a giant eyeball with the caption "Hello Neighbor! I C U!" in my window. Haven't had a problem with him since.
Tips and Tricks for Linux Admins: Discover, Map and Store shows a number of ways to see who is actually using your network. If they have gotten as far as getting an IP address, you can hunt them down and kick them off. Then figure out how they got on in the first place.
The tricky bit with wireless LANs is anyone within range can easily intercept and sniff your packets. They don't need a physical connection to your network, and they don't need any special expensive gear. Wireless sniffing is cheap and easy. Which is why I nag about using encryption and authentication. WPA2 is easy and it works. Don't cry about having to buy new gear; locking the door is a lot cheaper than recovering from an intrusion.
Kismet is the wireless sniffer of choice for ace Linux geeks, because it is undetectable and because it finds everything. Use it to find rogue (not rouge!) access points, rogue users, and to view your site the way an intruder sees it.
There are two ways to use Kismet: on a laptop as you wander around your site, or you can set up a network of Kismet spies that report back to a central server. Kismet is easy to use as long as you have a wireless NIC that supports rfmon, or raw monitoring. Read the Kismet documentation for a list of supported NICs.
Most Linux distributions include Kismet, so it's just a yum install kismet or apt-get install kismet away. Before you fire it up for the first time, you'll need to edit /etc/kismet/kismet.conf. First uncomment this line, and add your user name to it:
Then modify the source= line for your wireless network interface. It needs source=type,interface,name. The Kismet readme has the information you need for the type field in the "Capture Sources" section. So for my Atheros A/B/G it looks like this:
This example monitors the B/G frequencies. The name field is anything you want; in this example it's the hostname of my computer. Now you can open a terminal and run Kismet:
It opens into an ncurses interface. By default it starts in autofit mode. You can't run any commands in this mode, so hit s to change it to something else. Press h at any time to see the contextual help window, q exits popups and the current window, and capital Q exits Kismet.
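Before firing Kismet up it helps to confirm that the two edits described above (the privilege-drop user line and the three-field source= line) are actually in place. The checker below is an added example, not code from the article or from the Kismet project; it assumes the legacy kismet.conf syntax the article describes, that the user line is the suiduser= setting, and a constructed sample config with a placeholder hostname.

```python
"""Sanity-check a legacy Kismet kismet.conf before the first run.

Added example (not from the article). Assumes the old
source=type,interface,name capture-source syntax and that the
user line to uncomment is suiduser= (assumed setting name).
"""

# Constructed sample of the relevant kismet.conf lines: the user line
# is still commented out, the source line uses the three-field format
# (assumed Atheros B/G driver type, interface wifi0, placeholder name).
SAMPLE_CONF = """\
# User to drop privileges to after capture starts (never root)
#suiduser=your_user_here
source=madwifi_g,wifi0,myhost
"""


def check_kismet_conf(text):
    """Return a list of problems found; an empty list means it looks ready."""
    problems = []
    suid_set = False
    sources = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or still commented out
        if line.startswith("suiduser="):
            user = line.split("=", 1)[1].strip()
            if not user or user == "your_user_here":
                problems.append("line %d: suiduser is not set to a real user" % lineno)
            elif user == "root":
                problems.append("line %d: suiduser should not be root" % lineno)
            else:
                suid_set = True
        elif line.startswith("source="):
            fields = line[len("source="):].split(",")
            if len(fields) != 3 or not all(f.strip() for f in fields):
                problems.append("line %d: source= needs type,interface,name" % lineno)
            else:
                sources.append(tuple(f.strip() for f in fields))
    if not suid_set:
        problems.append("suiduser= line is missing or still commented out")
    if not sources:
        problems.append("no valid source= line defined")
    return problems


if __name__ == "__main__":
    for problem in check_kismet_conf(SAMPLE_CONF):
        print(problem)
```

Run it against your real /etc/kismet/kismet.conf by reading the file into check_kismet_conf instead of the sample string.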
Even with just this little bit of fooling around with Kismet you should be both impressed and alarmed at what it finds. Come back next week to learn more excellent ways to use Kismet, and how to boot unwanted users off your network.