sniffwifi


Archive for March 2011

Three Things I Like: AirMagnet WiFi Analyzer


Readers of this blog may have noticed that my frequency of blogging has waned in 2011, so it’s time for some self-motivation. I’m going to start a series of blog posts titled “Three Things I Like” and apply it to all sorts of WiFi (and possibly even some non-WiFi) topics. I’m going to start with a darned good WiFi sniffer, Fluke Networks’ AirMagnet WiFi Analyzer.

AirMagnet WiFi Analyzer from Fluke Networks has long been the leading WiFi protocol analyzer by market share. It has also long been one of my favorite tools to use when helping others learn about WiFi. Here are three things that I like about AirMagnet WiFi Analyzer.

  1. Pre-made device filters. When you navigate to the Infrastructure screen (fourth icon from the left in the navigation menu that sits in the far lower left hand corner of the screen), any time you click on an access point (AP) or station, the software immediately starts showing you statistics on frames that are traveling to or from that device only. This is a massive time saver; in WildPackets OmniPeek or Wireshark you have to create all of those filters manually. I use this to isolate which station or AP is using low rates or experiencing high Retry percentages (the tell-tale signs that WiFi performance is middling, or will be at some point).
  2. The Find tool. No matter where you are in the AirMagnet WiFi Analyzer interface, you can always use the Find tool. Just right click on a device (it works best for APs, but you can try it with stations as well) and select Find. At that point you’ll be immediately sent to the WiFi Tools screen and into the Find tool. When you click Start you’ll see a signal meter become active. If you start walking around, the signal meter will help you find the location of the device you’re looking for. To make things even easier, try the Ubiquiti SR71-USB adapter with a directional antenna. Ed note: Long-time AirMagnet trainer Keith Parsons commented that he prefers omni-directional antennas because the back lobe of a directional antenna can sometimes confuse the Find tool. Keith has forgotten more about AirMagnet than most people will ever know, so I trust his advice here.
  3. The Diagnostics tool. The Diagnostics tool is similar to the Find tool in that you can launch it by right-clicking on any device anywhere in the software, but different in that it is more useful for stations than APs. The real usefulness of the Diagnostics tool to me is that you can use it to see a summary of the frames being sent during WiFi Protected Access (WPA) and WPA2 authentications. If you know what a Preshared Key (PSK) or 802.1X/Extensible Authentication Protocol (EAP) handshake is supposed to look like, you can use the Diagnostics tool to pick out anomalies that might reveal the source of your problem.
There you have it; three things I like about AirMagnet WiFi Analyzer. Next up: Chanalyzer 4. If you have a topic that you’d like me to do a Three Things I Like blog post about, email me at ben@sniffwifi.com.

Written by sniffwifi

March 30, 2011 at 11:58 pm


Get Personal, Gogo


Last Sunday I took a flight equipped with Gogo in-flight WiFi in order to go work in an office with guest WiFi. The difference in security between the two was stark, and Gogo should make changes to fix their poor (and, in my opinion, negligent) WiFi security.

Gogo in-flight WiFi is a service that I’ve blogged about before, but I feel compelled to mention it again because the security problems I complained about a year and a half ago are still there even as hacking knowledge and applications have grown. To recap Gogo’s poor security design:

  • Open System authentication with no encryption is used for Gogo’s WiFi security. This means that applications like Firesheep allow hackers to perform sidejacking attacks, like the one that appears to have been performed on Ashton Kutcher recently.
  • Captive Portal authentication is used to charge passengers for Internet access. This means that anyone who knows how to spoof a MAC address (link is for XP, but the same can be done in Vista/Win7 via the Networking and Security Center) can wait until someone buys Gogo’s service and then use the purchaser’s MAC address to piggyback on the service for free.
  • Since Open System authentication is used, any device that sends Probe Request frames when looking for WiFi networks will become vulnerable to an Evil Twin AP attack from applications like KARMA the moment the device leaves the plane.
All of these problems have been well known, but the implicit justification from providers of paid WiFi service is that, A) the network must use Open System authentication in order to allow the largest possible number of users to potentially pay for the service, and B) users can always set up their own SSL encryption using services like WiTopia (there are other SSL services, but I tout WiTopia because I use it and I’ve been very happy with their service and support). This justification is balderdash. On the latter point, it is negligent (in my opinion, to the point where they deserve to be legally liable) for such a large service provider to leave it to their users to provide even the most basic security for themselves. I think that this would be akin to Target allowing their parking lots in Milwaukee to ice over in the winter, and then posting signs telling their patrons to bring a bag of salt so that they don’t break their elbow on their way in to buy a Tassimo.
The point about Open System authentication being necessary to allow the largest number of potential customers to access Gogo in-flight WiFi used to be a good one, but the guest network at the office I’m working at this week is evidence that Gogo needs to change. In this office the guest WiFi uses a Preshared Key (PSK) passphrase that matches the SSID of the network. This makes it easy for guests to remember and even allows people to make an educated guess if they miss the official notification that the guest WiFi network is using encryption.
WPA/WPA2 Personal (the Wi-Fi Alliance’s name for PSK-based networks) solves the fundamental problems with Gogo’s current security plan. To wit:
  • Applications like Firesheep don’t work because each station negotiates a unique AES-CCMP or TKIP encryption key after association. Even if an attacker knows how to decrypt frames in a protocol analyzer, it wouldn’t work with Firesheep because Firesheep uses promiscuous mode and protocol analyzers use monitor mode when decrypting frames.*
  • The captive portal would be more secure because each station MAC address would be tied to the AES-CCMP or TKIP encryption key that was negotiated after association. If an attacker spoofed a MAC address, they would get no access because the attacker would lack that unique encryption key.
  • Stations that send probe request frames would be more secure from Evil Twin AP attacks because they would not automatically associate to an open network that uses the SSID of “gogoinflight”. Evil Twin AP attacks would still be possible, but only if the attacker is able to create an Evil Twin AP that uses the correct PSK passphrase. Currently KARMA does not do that.
Do the right thing, Gogo. Add a PSK passphrase of “gogoinflight” to the SSID of “gogoinflight” and then run the captive portal after users have created that AES-CCMP or TKIP encryption key. Or heck, just create a second SSID of “gogosecure” with a PSK passphrase of “gogosecure” so that we at least have the option of thwarting Firesheep attacks and you have fewer MAC addresses that can be spoofed. There may be some initial pains while that type of change is made, but it’ll probably cost less than a lawsuit if anyone ever loses anything really important while connecting to your poorly (and, I would argue, negligently) secured WiFi service.
*Decryption can be done by attackers if PSK passphrase (WPA/WPA2 Personal) authentication is used, but only on one station at a time, and currently available software only does it to TKIP-encrypted frames (not AES-CCMP-encrypted frames). Update: I was wrong. CommView for WiFi and Wireshark both now decrypt AES-CCMP-encrypted frames. That’s what I get for avoiding mediocre sniffing software. 🙂
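To make the three bullets above and the footnote concrete, here is an added Python example (not from the original post, and not Gogo's or any vendor's code) of the WPA2-Personal key derivation a station and AP perform after association: the passphrase and SSID give a PMK, and the two MAC addresses plus two fresh nonces give a per-association PTK. The BSSID, station MAC and nonces are constructed values. It shows why a spoofed MAC on its own yields nothing (every association gets fresh nonces and therefore a different temporal key), and also the footnote's caveat: anyone who knows the passphrase and observes the handshake values derives the paying customer's key exactly.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK-to-PMK mapping from IEEE 802.11: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    for counter in range((length + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
    return out[:length]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP (48 bytes = KCK || KEK || TK) from the 4-way handshake inputs."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def temporal_key(ptk: bytes) -> bytes:
    """The TK is the last 16 bytes of a CCMP PTK; it is what actually encrypts data frames."""
    return ptk[32:48]


def demo(passphrase: str = "gogoinflight", ssid: str = "gogoinflight") -> dict:
    pmk = pmk_from_passphrase(passphrase, ssid)
    bssid = bytes.fromhex("02aabbcc0001")        # constructed AP address
    paying_sta = bytes.fromhex("02ddeeff0002")   # constructed paying customer's MAC
    # Constructed nonces for the paying customer's own association
    anonce1, snonce1 = bytes(range(0, 32)), bytes(range(32, 64))
    paid_tk = temporal_key(derive_ptk(pmk, bssid, paying_sta, anonce1, snonce1))
    # A device that spoofs the same MAC still associates afresh, with new nonces,
    # so it ends up with a different temporal key than the paying customer
    anonce2, snonce2 = bytes(range(64, 96)), bytes(range(96, 128))
    spoofer_tk = temporal_key(derive_ptk(pmk, bssid, paying_sta, anonce2, snonce2))
    # The footnote's caveat: with the passphrase and the observed handshake values,
    # an eavesdropper recomputes the paying customer's key exactly
    observer_tk = temporal_key(derive_ptk(pmk, bssid, paying_sta, anonce1, snonce1))
    return {
        "spoofed_mac_gets_same_key": spoofer_tk == paid_tk,        # False
        "passphrase_holder_recovers_key": observer_tk == paid_tk,  # True
    }
```

This is why a public passphrase such as the SSID stops Firesheep-style promiscuous sniffing and MAC piggybacking, but not a determined attacker who captures the handshake.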

Written by sniffwifi

March 17, 2011 at 6:21 pm
