Category Archives: Information Security

Posts about information security.

Wireless Site Survey With Free Tools

Between characteristics of modern buildings (block walls, walls with metal studs, cement floors, and the like) and the large numbers of wireless networks assailing the airwaves, setting up a reliable wireless network can be a real challenge. Site surveys — where technical architects / network administrators examine a given physical environment’s suitability for wireless networks — can really help identify potential WiFi issues.

Unfortunately, many of the tools traditionally employed for performing wireless site surveys cost thousands of dollars. Not to worry! Here, we’ll discuss how to perform a wireless site survey for 802.11 networks using free open source tools so you can build a rock-solid set-up, regardless of budget. This article focuses on the tools, rather than the process of WiFi surveys. For information on the process, check the links at the bottom of this article.

WiFi Analyzer is a tool that turns your Android phone into a simple WiFi scanner. With it you can easily see what access points are nearby, the channels they are on, and their signal strength, all through clear, colourful real-time graphs. (It reads 802.11 beacons rather than raw RF energy, so it is not a true spectrum analyzer: it shows competing WiFi networks but not non-WiFi interference such as microwave ovens or cordless phones.) This is one of the fastest and easiest ways to see what’s going on in the airwaves near your home or office and how to avoid interference on your network. WiFi Analyzer can be found on Google Play (https://play.google.com/store/apps/details?id=com.farproc.wifi.analyzer&hl=en) for free (the program is ad-supported).

To take things a step further, you can break out Kismet, a powerful wireless utility that can not only do all of the above but also possesses an array of capabilities for wireless security auditing and intrusion detection. Kismet is in the repositories of several popular Linux distributions, and you can download the source from http://www.kismetwireless.net as well. The links page of the project web site also includes a link to a Windows port of the Kismet front-end. If you just need to use the tool occasionally and don’t have a Linux machine handy, I recommend using a Linux live CD or VM. Heck, maybe you can use this as an excuse to take the plunge into the awesome world of Unix.  ;)

To use Kismet for a simple wireless survey, you really only need to use a few of its features. Let’s go through running Kismet for this purpose, step-by-step.

* Launch Kismet as root. If you are using Ubuntu, type “sudo kismet” at the command line. If you are using pretty much any other Linux distribution, become root by typing “su -” [enter] at the command line. Then type “kismet”.

* After pressing the space bar to dismiss the introduction message, we are presented with the list of networks found so far. As Kismet is a passive discovery tool, it will find more networks as time passes and it observes traffic moving across them.

* Pressing “h” brings up the help window, which explains commands and what the items on screen mean. We’ll go through most of those relevant to wireless auditing here to make it easy for you to get started.

* A quick check to look at first is the statistics window. Press “a” and it appears, presenting a nice high-level view of what Kismet is detecting – number of networks, packets transmitted, maximum packet rate, and the all important channel usage. There is even a nice graph showing the concentration of APs on each channel. A table with exact numbers of APs on each channel is to the right. With this, we can get most of the information we need to see how crowded a given area is with wireless access points and what channels everyone is on. If you need to dig deeper, read on.

* Sort the results by typing “s”, then select how you would like them sorted. I usually sort by channel when doing a wireless survey. Note that you must choose some sort order before you can navigate the list of access points (APs) at all.

You may see an item in the list labelled “Probe Networks” (often marked with a “G” in the network type (T) column because they are grouped; otherwise they are labelled as the “P” network type). These are wireless clients in range probing for networks they remember, which may or may not be in range, so they are not really relevant to a site survey. The probe-network feature is more useful for security auditing: clients’ probe requests can reveal the names of networks that are intended to be hidden, among other things. To see these entries, highlight the Probe Networks item and press the space bar.

Other common network types are ad-hoc networks (designated by an “H” in the type column), and access points (designated by an “A” in the type column). Of course, APs are the type of networks you should be paying particular attention to. Ad-hoc networks are typically of less concern in wireless surveys because they are usually temporary.

There you have it! With WiFi Analyzer and Kismet, you can perform a very effective wireless network survey without spending a dime (as long as you have an Android device already). Once your survey is complete, choose the least crowded channel available. Bear in mind that 2.4 GHz channels overlap: each is about 22 MHz wide but the channel centres are only 5 MHz apart, so channels within four numbers of each other interfere with one another, and only 1, 6 and 11 are mutually non-overlapping (in North America). So if other networks are on channels one and five, do not split the difference and pick three, which would overlap both of them; pick 11, or 6 if 11 turns out to be busier, whichever has the fewest and weakest neighbours. Then you should have a relatively interference-free connection to your network. You can often check signal-to-noise ratios on your AP (especially if you have an AP running DD-WRT; see www.dd-wrt.com). Kismet also reports noise but it always seems to be 0 when I check it, which is not right.
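To make the channel choice less of a guess, here is an added example (my own code, not part of the original post, Kismet or WiFi Analyzer) that takes a survey list of the kind Kismet shows (SSID, channel, signal) and scores each of the non-overlapping 2.4 GHz channels by how much overlapping signal it would see. The survey data is constructed, and the 22 MHz channel-width / 5 MHz spacing overlap model is a simplification I chose for illustration.

```python
"""Score 2.4 GHz channels from survey data and pick the least-congested one.

Added example, not part of the original post or of Kismet/WiFi Analyzer.
The SURVEY list is constructed; in practice fill it from Kismet's network
list (channel and signal columns) or WiFi Analyzer's graph.
"""

# 2.4 GHz channel centres are 5 MHz apart while an 802.11b/g channel is
# about 22 MHz wide, so channels fewer than 5 numbers apart overlap.
# Channels 1, 6 and 11 are the usual non-overlapping set in North America.
CHANNEL_SPACING_MHZ = 5
CHANNEL_WIDTH_MHZ = 22
CANDIDATES = (1, 6, 11)

# Constructed survey data: (SSID, channel, signal in dBm), as Kismet would list it.
SURVEY = [
    ("CoffeeShop", 1, -45),
    ("Neighbour-A", 1, -70),
    ("Neighbour-B", 5, -60),
    ("Office-Old", 6, -80),
    ("Guest", 11, -55),
    ("Printer-Direct", 11, -85),
]


def overlap_fraction(ch_a, ch_b):
    """Fraction of channel ch_a's bandwidth that a signal on ch_b covers."""
    separation = abs(ch_a - ch_b) * CHANNEL_SPACING_MHZ
    return max(0.0, (CHANNEL_WIDTH_MHZ - separation) / CHANNEL_WIDTH_MHZ)


def interference_weight(dbm):
    """Linear power relative to -100 dBm: a -50 dBm AP counts 1000x a -80 dBm one."""
    return 10 ** ((dbm + 100) / 10)


def channel_scores(survey, candidates=CANDIDATES):
    """Overlap-weighted interference each candidate channel would see."""
    return {
        cand: sum(overlap_fraction(cand, ch) * interference_weight(dbm)
                  for _ssid, ch, dbm in survey)
        for cand in candidates
    }


def best_channel(survey, candidates=CANDIDATES):
    """Candidate with the lowest score; ties go to the lower channel number."""
    scores = channel_scores(survey, candidates)
    return min(candidates, key=lambda c: (scores[c], c))


if __name__ == "__main__":
    for ch, score in sorted(channel_scores(SURVEY).items(), key=lambda kv: kv[1]):
        print(f"channel {ch:2d}: interference score {score:10.1f}")
    print("recommended:", best_channel(SURVEY))
```

Running `channel_scores` with `candidates=(1, 3, 6, 11)` on two equally strong APs on channels 1 and 5 shows why “pick 3” is the wrong instinct: channel 3 overlaps both neighbours and scores worse than 6, and far worse than 11, which is clear. Signal strength is weighted on a linear power scale, so one strong neighbour matters more than several faint ones.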

More information on wireless surveys and the tools covered here are available via the links below.

 

WiFi survey process links:

http://en.wikipedia.org/wiki/Wireless_site_survey

http://www.wi-fiplanet.com/tutorials/article.php/3761356

http://www.computerworld.com/s/article/9004641/Six_steps_to_a_wireless_site_survey?taxonomyId=15&pageNumber=2

 

WiFi Analyzer Google Play page: https://play.google.com/store/apps/details?id=com.farproc.wifi.analyzer&hl=e

Kismet project page: www.kismetwireless.net

Picalo: An Open Source Competitor to ACL and IDEA

Reprinted from my post at the now defunct IT risk management blog at UBC Sauder School of Business.

In BAIT 512 in the Sauder MBA program, I saw references to ACL in the syllabus for data analysis in auditing. It mentions we have to go to the computer lab to use ACL because it is a (very expensive) commercially licensed product. Being the open source person I am, I thought to myself, “What a shame. I bet there is at least one open source package that does the same thing really well for free.” After all, the number of outstanding open source security and network auditing tools out there is enormous (Nmap, tcpdump, netcat, Wireshark and others spring to mind). Lo and behold, a query to Google instantly brought me to Picalo.

Picalo is a really well done Python GUI application for Mac, Linux, and Windows that does (as far as I can tell at this early stage) everything ACL and IDEA do, and it includes some things those programs might not have, such as a library of pre-written scripts for a variety of types of analysis and a Python framework for writing your own scripts (rather than a specialized language that only works with one application). Picalo is very well documented, with lots of tutorials and information on the application’s operation and internals. Developers can also download and use Picalo’s Python libraries as an engine for their own applications.

I downloaded the Python source for Picalo and ran it on my laptop (an Ubuntu Linux machine) and was able to get to work right away using sample data and the library of analysis scripts. Users of Mac and Windows will also be able to get up and running quickly by using the available installation packages for those platforms.

It was easy to see how powerful a tool like this is for identifying fraud, inconsistencies, or anomalies in an organization’s records. There is a lot going on here with such a capable tool-set and one could probably spend a lot of time learning the ins and outs of it. I haven’t tried this yet but it appears you can even use Picalo as an interface to a running database and run queries against it. That said, Picalo makes finding errant payments to vendors, suspect withdrawals, information gaps, and the like much easier and efficient than they would be using a manual or spreadsheet-driven technique. If you have any interest in IT or financial auditing, I highly recommend taking it for a spin.

Mike

Links:
http://www.picalo.org/ – Main Picalo project page
http://www.picalo.org/download/IntroductoryManual.pdf – Picalo introductory manual
http://www.picalo.org/?page_id=7 – Download Page
http://en.wikipedia.org/wiki/Computer_Aided_Audit_Tools – a brief Wikipedia article on auditing tools
http://blog.bitengine.ca – my blog, contains other articles on auditing tools as well.

…but what about those printers?

Reprinted from my post at the now defunct IT risk management blog at UBC Sauder School of Business.

Given that we’re still not quite at the elusive paperless society so many futurists and technologists have promised us, our offices and homes have printers. Some of our offices have lots of printers, and lots of different printers at that. This brings me to an interesting question. Have you considered your printers in your information security practice?

Now at this point, you might be laughing at that idea. After all, printers print things and not much more aside from the odd print/scan/fax/copy multi-function unit, which also doesn’t sound very scary. Right? The truth is, however, that printers are really computers in and of themselves and (if network printers) run network services, such as web serving, FTP, telnet, and others, in addition to their regular printing duties.

The rationale mentioned above leads many organizations to pay very little attention to their printer fleets and how they are configured and managed, which can be quite dangerous.

What’s dangerous for them is fun for auditors (and for attackers). So let’s take a quick look at how it’s done! The following is a bit technical, though not vital to getting the gist of this post, so feel free to skip it if you wish.

Printers can be found on a given network with a simple port scan. Here’s what such a port scan looks like using the popular Nmap utility:

nmap -sS -p515,9100 192.168.1.*

What this line does is instruct Nmap to SYN-scan (-sS, which requires root) every host in 192.168.1.0/24 for services listening on TCP ports 515 (LPD, the line-printer daemon) and 9100 (the HP JetDirect raw-printing port), the two ports most commonly used for print services. Port 631 (IPP) is another common one worth adding to the list.

Once the printers are identified, one can begin probing further. Another scan against the printers for port 23 will reveal if telnet is running. If it is, you can attempt logging in to the printer via telnet. If you can get in via telnet, you can do all sorts of things, as detailed here and elsewhere, such as find information printed, faxed, or copied for a start.

If FTP is running on the device, it can be used to store and serve files. As such, printers can be used to hide files on the network or to run a somewhat stealthy file-sharing server.

Most network printers these days have web servers for web-based configuration, and they are all too often left with no password protection enabled or with only the default password. Once into the web configuration console, any of its settings can be changed (many of these things can be changed via the telnet command-line interface as well).

Lots of shenanigans are possible in exploiting printer security like changing the display and banner messages, putting paper clip images on every page so people think there is a paper clip stuck in the machine, or sending scan jobs to random users.

While many of the issues I have already mentioned are not major in and of themselves, what’s really concerning is that compromised printers can also be used to map out entire networks or as a proxy for attacks on other devices.
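As an added example (my own code, not from the original post or from Nmap), here is a small Python script that takes Nmap’s grepable output (`-oG`) from a scan like the one above, widened to the management ports discussed, and lists which hosts look like printers and which of the risky services (telnet, FTP, unauthenticated web console) each one exposes. The scan output embedded below is constructed, not a real scan, and the port-to-service labels are my own choices.

```python
"""Triage Nmap grepable (-oG) output for printers and their exposed services.

Added example; not from the original post or from Nmap. Assumes a scan such as
    nmap -sS -p21,23,80,443,515,631,9100 -oG printers.gnmap 192.168.1.0/24
was run and its -oG file is being fed in. SAMPLE_GNMAP is constructed.
"""
import re

# Ports whose presence marks a host as a likely printer.
PRINT_PORTS = {515: "lpd", 631: "ipp", 9100: "jetdirect"}
# Management services worth following up on a printer (labels are mine).
RISKY_PORTS = {
    21: "ftp (file drop / stealth file server)",
    23: "telnet (cleartext admin, check for default login)",
    80: "http (check for empty or default admin password)",
}

# Constructed -oG output: one "Host:" line per host, tab-separated fields,
# each port as port/state/proto/owner/service/rpc/version/.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (5)
Host: 192.168.1.20 (lj4250.corp)\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///, 515/open/tcp//printer///, 9100/open/tcp//jetdirect///\tIgnored State: closed (2)
Host: 192.168.1.21 ()\tPorts: 443/open/tcp//https///, 631/open/tcp//ipp///, 9100/open/tcp//jetdirect///, 23/filtered/tcp//telnet///\tIgnored State: closed (3)
# Nmap done at (constructed sample)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\tPorts:\s+(.*?)(?:\t|$)")


def parse_gnmap(text):
    """Return {ip: {port: state}} for every host line that carries a Ports: field."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comments and "Status: Up" lines carry no port data
        ip, _hostname, ports = m.groups()
        states = {}
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            states[int(fields[0])] = fields[1]  # e.g. "open", "filtered"
        hosts[ip] = states
    return hosts


def triage(hosts):
    """Keep hosts with an open print port; list print services and exposures."""
    report = {}
    for ip, ports in hosts.items():
        print_svcs = sorted(PRINT_PORTS[p] for p, st in ports.items()
                            if p in PRINT_PORTS and st == "open")
        if not print_svcs:
            continue  # not a printer (or printing not exposed); skip
        exposures = sorted(RISKY_PORTS[p] for p, st in ports.items()
                           if p in RISKY_PORTS and st == "open")
        report[ip] = {"print": print_svcs, "exposed": exposures}
    return report


if __name__ == "__main__":
    for ip, info in triage(parse_gnmap(SAMPLE_GNMAP)).items():
        print(f"{ip}: prints via {', '.join(info['print'])}")
        for e in info["exposed"] or ["no risky management ports open"]:
            print(f"    - {e}")
```

Only ports reported as `open` count; a `filtered` telnet port (as on the third host) is not treated as an exposure, and a host with 80 and 22 open but no print port is left out of the report rather than flagged, which keeps the list to devices you actually need to lock down.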

So what can you do to protect yourself from threats involving printers? Mostly standard security measures apply. The web panels for them can be locked down with authentication. Some can even be centrally managed. Disable unnecessary services running on the devices (as with all devices), log and restrict access to administrative functions to only those who absolutely need it. Ensure any ports the printers are listening on are not accessible from untrusted networks (like the Internet). Most importantly, have a comprehensive information security plan at your organization that includes all information systems components and educate everyone on what it means as well as why it’s important.

The real lesson here is that security and risk management is really a way of thinking and operating. It is a continual process that encompasses the entire organization — devices, software, facilities, process, and (most of all) people, rather than a concrete set of rules or a software package that one can buy. Such a comprehensive posture toward security and risk is how these less obvious vulnerabilities can be found and properly mitigated.

 

Much of the information presented here was based on my experience in systems administration and security auditing. However these sources were also used in informing and writing this article:
http://www.schneier.com/blog/archives/2006/08/printer_securit.html
http://www.itbusinessedge.com/cm/blogs/weinschenk/its-not-exciting-but-n…
http://www.irongeek.com/i.php?page=security/networkprinterhacking

Cisco VPN with Certificate Authentication on Ubuntu

A quick web search on the subject reveals that the Cisco VPN client for Linux kinda sucks. Installing and configuring it is a pain, often problematic, and sometimes it causes kernel panics and system lock-ups. Nevertheless, it is (as far as I can tell, anyway) needed if you have to authenticate to the VPN with certificates. Here’s how it’s done.
First, update your system:
  • sudo apt-get update && sudo apt-get dist-upgrade
  • Then, download the Linux Cisco VPN client.
  • Download this patch. BTW: I did not write this patch and though I am sure it will not harm your machine or data since I use it myself, use it at your own risk.
  • Unpack the client source code:
  • tar -xvzf vpnclient-linux-x86_64-4.8.02.0030-k9.tar.gz
  • Copy the patch file to the VPN client install directory:
  • cp vpnclient-linux.2.6.31.diff vpnclient
  • Apply the patch:
  • cd vpnclient
  • patch < vpnclient-linux.2.6.31.diff
  • sudo touch /usr/src/linux-headers-2.6.[whatever-version-you're-using]-generic/include/linux/autoconf.h
  • Run the install script:
  • sudo ./vpn_install
  • The VPN client should now be installed and you should not have gotten any errors during the compile.
  • Start the VPN client service:
  • sudo /etc/init.d/vpnclient_init start
  • Copy your PCF files (Cisco VPN profiles) to /etc/opt/cisco-vpnclient/Profiles/
  • If you have any VPN connections that do not use certificates, now is a good time to try them.
  • To connect to a VPN with the Cisco VPN client:
  • vpnclient connect profilename (where profilename is the file name without the “.pcf” extension).
  • Make sure that works. If it doesn’t, troubleshoot until you get that part working before proceeding.
  • Copy the certificate (.pfx file) to /etc/opt/cisco-vpnclient/Certificates/
  • Import your certificate:
  • cisco_cert_mgr -U -op import
  • Then follow the prompts.
  • After importing, ensure the certificate appears in your certificate store:
  • cisco_cert_mgr -U -op list
  • If your certificate doesn’t appear in that list, try again, noting any errors.
  • Try connecting to your VPN with certificates now.
  • vpnclient connect profilename (where profilename is the file name without the “.pcf” extension).
  • When prompted for a password, make sure you are using the password you set for the certificate locally, *not* the one you may have set when you created the certificate, otherwise, it won’t work.
Hopefully it works! If not, the unfortunate thing is that the Cisco VPN client has very vague error messages. Make sure the certificates are in the store and you have not gotten any errors during the installation/configuration process. If you did, read onward for using the logging facility and see if you can piece together the symptoms, error messages, and log events for clues as to what might be wrong.
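Because the client’s own errors are so vague, it helps to rule out profile problems before blaming the install. Here is an added example (my own code, not part of the original post or of Cisco’s client) that parses the INI-style [main] section of a .pcf profile and reports the things that most often make a connection fail silently or leave secrets lying around. The profiles below are constructed, and the mapping of AuthType values (1 = pre-shared group key, 3 = digital certificate) is my assumption about the format rather than something the post states.

```python
"""Sanity-check a Cisco VPN client .pcf profile before `vpnclient connect`.

Added example, not part of the original post or of Cisco's client. It parses
the [main] section of a PCF profile and reports the common causes of silent
failure. ASSUMPTION: AuthType=1 means pre-shared group key and AuthType=3
means digital certificate. The sample profiles are constructed.
"""
import configparser
import io

AUTH_TYPES = {"1": "preshared", "3": "certificate"}  # assumed meaning of AuthType

# Constructed profiles in the PCF layout (one [main] section, key=value lines).
CERT_PROFILE = """\
[main]
Description=Office VPN (certificate)
Host=vpn.example.com
AuthType=3
GroupName=staff
GroupPwd=
enc_GroupPwd=
Username=jdoe
SaveUserPassword=0
CertStore=1
CertName=jdoe
CertPath=
"""

PSK_PROFILE = """\
[main]
Description=Office VPN (group password)
Host=vpn.example.com
AuthType=1
GroupName=staff
GroupPwd=hunter2
enc_GroupPwd=
Username=jdoe
SaveUserPassword=1
CertStore=0
CertName=
"""


def load_pcf(text):
    """Parse the [main] section of a PCF profile into a plain dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (Host, GroupPwd, enc_GroupPwd, ...)
    cp.read_file(io.StringIO(text))
    return dict(cp["main"])


def check_profile(fields):
    """Return (auth_mode, list_of_problems) for a parsed profile."""
    problems = []
    if not fields.get("Host"):
        problems.append("Host is empty: nothing to connect to")
    mode = AUTH_TYPES.get(fields.get("AuthType", "1"), "unknown")
    if mode == "certificate":
        if not fields.get("CertName"):
            problems.append("AuthType=3 but CertName is empty: import the certificate "
                            "with cisco_cert_mgr and put its name here")
    elif mode == "preshared":
        if not fields.get("GroupName"):
            problems.append("GroupName is empty")
        if not (fields.get("GroupPwd") or fields.get("enc_GroupPwd")):
            problems.append("no group password (GroupPwd or enc_GroupPwd) set")
        if fields.get("GroupPwd"):
            problems.append("GroupPwd is stored in cleartext: keep the profile file "
                            "readable by root only")
    else:
        problems.append("unrecognised AuthType %r" % fields.get("AuthType"))
    if fields.get("SaveUserPassword") == "1":
        problems.append("SaveUserPassword=1 caches the user password on disk")
    return mode, problems


def check_all(profiles):
    """Check several profiles given as {name: text}; returns {name: (mode, problems)}."""
    return {name: check_profile(load_pcf(text)) for name, text in profiles.items()}


if __name__ == "__main__":
    results = check_all({"office-cert": CERT_PROFILE, "office-psk": PSK_PROFILE})
    for name, (mode, problems) in results.items():
        print(f"{name}: auth={mode}; " + ("; ".join(problems) if problems else "OK"))
```

To use it on real profiles, read each file under /etc/opt/cisco-vpnclient/Profiles/ and pass its text to `load_pcf`; a certificate profile that passes here but still fails to connect points at the certificate store (check `cisco_cert_mgr -U -op list`) or the local certificate password, not the profile.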
If you have problems, here’s how to use the Cisco VPN client logging facility. It’s a pain to use if you don’t know how so this should save you from banging your head against the wall a bit.
At the command line, enter:
  • ipseclog filename  – where filename is any file name you choose.
Then tail filename on another virtual terminal
  • tail -f filename
Then try connecting or importing — whatever you are having trouble with — in another virtual terminal. Go back to the terminal where you are tailing the log file and see what it says. That might give you some clues as to what the problem might be.
The following sites/blogs were very helpful in drafting this post:
http://leifmadsen.wordpress.com/2009/11/27/cisco-vpn-client-on-ubuntu-karmic-9-10/
http://ilapstech.blogspot.com/2009/09/cisco-vpn-client-on-karmic-koala.html
http://www.lamnk.com/blog/vpn/how-to-install-cisco-vpn-client-on-ubuntu-jaunty-jackalope-and-karmic-koala-64-bit/