
Archive for November 2010

KisMAC and AirPort – A Match Made in Heaven (Almost)


I love free stuff. I love it even more when it works. And while I am a natural skeptic of the usefulness of free software (thus contradicting a timeless programmer’s joke), the ability to run KisMAC-ng with an AirPort Extreme interface in Monitor mode is quite nice. Not as nice as it could be if a few little tweaks were made to the software, but for a free product it remains the best WiFi sniffer for Mac OS X.

Way back in January of this year (seems further back than that, which is interesting since years are supposed to feel faster as you get older, right?) I wrote about using a combination of KisMAC, Wireshark and a DWL-122 802.11b/g USB adapter to do WiFi sniffing when running Mac OS X. Six months later I wrote about sniffing with a Mac again, this time focusing on using a virtual machine. The basic gist of those updates was that running Windows on your Mac is the best way to sniff, but if you must run OS X then you can at least capture 802.11 b/g frames if you have a DWL-122 adapter.

802.11n adoption has exploded in 2010 (a good topic for a future blog post, I think), so the usefulness of an 802.11b/g adapter for capture is starting to wane. It is true that the majority of enterprise-class WLANs still have a preponderance of 802.11b/g devices in use, but if you run into that odd 802.11n laptop, tablet or phone, you’ll regret restricting yourself to 802.11b/g. This made KisMAC with a DWL-122 a limited option. I could use it on airplanes and in other public spaces that have yet to upgrade to 802.11n, but for paid sniffing work KisMAC had all but been retired.

My use of KisMAC changed when I switched from a MacBook Pro to a MacBook Air recently. (As an aside, the move from HDD to SSD is like the move from SD to HD television: I’ll never go back.) Though I now have to keep my iTunes library stored on an external drive due to my scant 64 GB of disk space, the MacBook Air’s AirPort drivers now support Monitor mode. (As another aside, I’ve been told that some newer and older MacBook Pros had AirPort drivers that supported Monitor mode, but I could never get it to work with the non-unibody model I bought back in June, 2008.) Since the MacBook Air boasts an 802.11n (that’s MIMO-802.11n, not an iPad-esque 65 Mbps 802.11n) AirPort interface that can be placed in Monitor mode, I can now capture 802.11n traffic with the free combination of KisMAC and Wireshark. See:

Now, notice that there are some limitations here. The supported rates read as if this were an 802.11b/g capture. In addition, KisMAC remains a 2.4 GHz-only sniffing tool, so if you need to analyze a full throttle (meaning 5 GHz) 802.11n network, you’re out of luck. Still, it’s nice to be able to see how the Retries are looking on my home WiFi network without having to boot into Windows or run a virtual machine. (Below 0.01% Retry bytes, if you’re curious. Also, reason #177 why every 2.4 GHz WLAN should have an RTS Threshold of 0.)

As always, for professional analysis I’m still avoiding Mac OS X, but if you’re just looking to play around with some WiFi frame captures on your Mac, the KisMAC/Wireshark combination has become much more useful.


Written by sniffwifi

November 26, 2010 at 9:27 pm

Posted in Uncategorized

Firesheep and Monitor Mode


The Internet wireless community was set aflutter last week when Eric Butler, a freelance developer from Seattle, introduced Firesheep, a Firefox extension that is advertised as a way to perform sidejacking attacks over unencrypted wireless networks. The software is super slick and all, but what interests me is the way it handles frame capture. 

For those who may have missed it, Firesheep is a Firefox extension that allows users to view web sessions that are active on the channel. It works via a wired or wireless channel, but the prospect for wireless viewing received much more press because, A) nobody uses hubs anymore, and B) wireless vulnerabilities always get much more press.

The tool is slick and, as far as I can tell, a better name for it would be, “Screw Facebook”. From the unscientific tests I’ve done, Firesheep users are able to gain limited access to other people’s accounts on a number of popular sites, but the real eye opener is the ability to view and even post on other people’s Facebook walls. This is a problem for Facebook users who frequent unencrypted WiFi networks, of course, but all of that has been dissected elsewhere. My interest is in how Firesheep does its sniffing, and more specifically the differences between Promiscuous mode and Monitor mode.

Promiscuous mode is used by Firesheep, so let’s start with that. Many network interfaces can be put into Promiscuous mode. In fact, most NICs, both wired and wireless, may use it without having to load any special drivers. When an interface is put into Promiscuous mode, the network connection remains active. The difference between an active Promiscuous mode connection and a normal connection is that received frames that have a destination MAC address that fails to match the network interface’s MAC address are kept instead of dropped. In the case of Firesheep, these kept frames are then examined with the goal of recovering information from cookies and other web-related information. The major limitation of Promiscuous mode is that the interface must have a connection to the physical network in order to make a capture.

Monitor mode, on the other hand, is used by sniffers like OmniPeek and AirMagnet. A number of network interfaces can be put into Monitor mode, but it usually requires a custom driver to make that happen. Some interfaces also cannot be placed into Monitor mode at all. For years Broadcom-based NICs were unable to be placed into Monitor mode due to Broadcom’s policy on restricting the release of their driver code, but today that stance has softened (for example, KisMAC-ng can now be used with a Broadcom-based Apple Airport Extreme interface in Monitor mode[1]). When a network interface is placed into Monitor mode, it loses the ability to maintain an active connection. This is the major limitation of Monitor mode. This limitation is offset by having the ability to sniff on any physical channel even without a connection. From a hacker’s perspective, this means that an interface running in Monitor mode can sniff secured networks, not just open ones.

For the purposes of what I do, Promiscuous mode is useless for the most part. It may be interesting to see Facebook walls in Firesheep, but to really analyze wireless networks I need lots of things that only Monitor mode can provide. This includes:

  • 802.11 Management and Control frames
  • Physical layer information such as rate, signal and channel
  • The ability to scan multiple channels quickly
  • 802.11 headers, for information like sequence numbers and Retry flags

I do recommend that folks check out Firesheep and also take a look at Promiscuous mode in Wireshark[2], but for professional-grade WiFi sniffing you’ve got to get your wireless NIC into Monitor mode.
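To make the list above concrete, here is an added example (not code from the post or from KisMAC/Wireshark) that decodes what a Monitor mode capture hands you and a Promiscuous mode capture does not: the radiotap physical-layer header (rate, channel, signal) and the raw 802.11 frame control and sequence control fields, then tallies Management/Control/Data frames, retransmissions and the Retry-bytes percentage. The sample frames are constructed in `build_capture`; only the radiotap fields they use are parsed, and anything else is rejected rather than guessed at.

```python
import struct
from collections import Counter

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}
# Radiotap fields this parser understands: (present bit, struct format, alignment, key)
RT_FIELDS = [(1, "<B", 1, "flags"), (2, "<B", 1, "rate_500kbps"), (3, "<HH", 2, "channel"), (5, "<b", 1, "dbm_signal")]

def parse_radiotap(buf):
    """Return (physical-layer info, offset of the 802.11 frame) for one monitor-mode capture."""
    version, _pad, length, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0 or length > len(buf) or present & ~sum(1 << b for b, *_ in RT_FIELDS):
        raise ValueError("unsupported radiotap header")
    info, off = {}, 8
    for bit, fmt, align, key in RT_FIELDS:
        if present & (1 << bit):
            off = (off + align - 1) // align * align  # radiotap fields are naturally aligned
            vals = struct.unpack_from(fmt, buf, off)
            info[key] = vals[0] if len(vals) == 1 else vals
            off += struct.calcsize(fmt)
    info["rate_mbps"] = info.get("rate_500kbps", 0) / 2  # channel, if present, is (MHz, flags)
    return info, length
def parse_80211(frame):
    """Frame control and sequence control; control frames (type 1) carry no sequence field."""
    ftype = (frame[0] >> 2) & 3
    mac = {"type": TYPE_NAMES[ftype], "retry": bool(frame[1] & 0x08), "seq": None, "ta": None}
    if ftype != 1:  # management and data: addr2 is the transmitter, sequence number is bits 4-15
        mac["ta"] = frame[10:16].hex(":")
        mac["seq"] = struct.unpack_from("<H", frame, 22)[0] >> 4
    return mac
def summarize(captures):
    """Frame counts per type, retransmissions (same TA + seq with Retry set) and Retry-bytes %."""
    counts, total, retry_bytes, seen = Counter(), 0, 0, set()
    for raw in captures:
        _radio, off = parse_radiotap(raw)
        mac = parse_80211(raw[off:])
        counts[mac["type"]] += 1
        total += len(raw) - off
        if mac["retry"]:
            retry_bytes += len(raw) - off
            counts["retransmissions"] += (mac["ta"], mac["seq"]) in seen
        seen.add((mac["ta"], mac["seq"]))
    return {"counts": dict(counts), "retry_pct": 100.0 * retry_bytes / total if total else 0.0}
def build_capture(ftype, subtype, retry=False, seq=0, rate=108, freq=2437, signal=-55):
    """Constructed sample, not a real capture: radiotap Flags/Rate/Channel/dBm + 802.11 header."""
    rt = struct.pack("<BBHI", 0, 0, 15, 0x2E) + struct.pack("<BBHHb", 0, rate, freq, 0x0480, signal)
    fc, ta = bytes([(ftype << 2) | (subtype << 4), 0x08 if retry else 0]), b"\x00\x11\x22\x33\x44\x55"
    if ftype == 1:  # ACK: frame control, duration, receiver address only (10 bytes)
        return rt + fc + b"\x00\x00" + ta
    return rt + fc + b"\x00\x00" + b"\xff" * 6 + ta + ta + struct.pack("<H", seq << 4)
# Constructed traffic: a beacon, a data frame, its retransmission (Retry set, same seq), an ACK
SAMPLE = [build_capture(0, 8, seq=100), build_capture(2, 0, seq=5), build_capture(2, 0, retry=True, seq=5), build_capture(1, 13)]
```

Running `summarize(SAMPLE)` reports one management, two data and one control frame, one retransmission, and a Retry-bytes figure of about 29%; a real capture from KisMAC or Wireshark carries the same two headers, just with more radiotap fields present.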

[1] I need to do a blog post about using KisMAC-ng with the Apple Airport Extreme adapter. That’ll be added to the list along with the other half dozen posts that are in queue.

[2] Wireshark works with a Monitor mode-based interface in Windows by using an AirPcap USB adapter. The Linux version of Wireshark allows for a number of other wireless NICs to be put into Monitor mode.

Written by sniffwifi

November 23, 2010 at 9:54 pm

Posted in Uncategorized