(C) 2003 Airscanner Corp. http://www.airscanner.com

Sniff passwords from your Pocket PC

As a network administrator, you want to protect your users' confidential data.
Requirements:
-- Windows CE device running PocketPC 2002
-- Compatible wireless card

Licensing:
-- Free for personal (non-commercial) use.
-- Corporate, Educational, Government, and Small Business/Home Office users must purchase an annual license within 30 days of installing the software.

(C) 2003 Airscanner Corp. Please ask permission before redistributing this software or user's manual.

Version History
Version 1.0 released April 30, 2003
Version 1.
Note: The following document is more than a user's manual; it is also our attempt to help educate you on the science of sniffing. We hope you will take the time to read this entire manual so that you will be better equipped to defend yourself and to audit your own wireless networks.

1.
demonstrate, sniffing a network properly takes a solid understanding of how the various pieces of equipment and software work together in unison.

2.1 Requirements

Sniffing a network is not as simple as plug and play. There are several requirements that must be met before a sniffer will operate, depending on the target data.
Installation of a sniffer on Linux usually requires no extra drivers other than those required for normal operation. The only exceptions to this are wireless sniffers, which require patches or a special driver. Ensure you read the sniffer's documentation before installation to avoid hours of frustration.

2.1.4 Promiscuous Mode

When a network card is manufactured, it is assigned a unique identifier known as a Media Access Control (MAC) address.
A switch, on the other hand, is an active device. It records the MAC address of each network card connected to it and builds an internal table of MAC-to-IP address rules to help control traffic flow. In other words, a switch examines each packet header for a matching IP address. Once a match is found, the switch passes the data to the port with the corresponding MAC address.
As a result, many sniffers have incorporated the use of filters to control and regulate the amount and type of data that is collected and/or analyzed. If a sniffer uses a filter, data analysis can be easily narrowed down to just the information that is considered relevant to the job.
nature of networking, this would wreak havoc on any attempted communication sessions. To make this even more complicated, sniffing a wireless network in passive mode requires special drivers, or at the minimum a patch to existing drivers.

3. Practical Sniffing

Now that you understand the many facets of sniffing, it is time to take a look at how you can benefit from Airscanner Mobile Sniffer™.
v1.1 card with Compaq's WL100NDS.dll driver may not work).

3.1.3 Installation

Assuming you have met all the requirements, installation is a straightforward process. Follow the instructions provided and you should be scanning the airwaves in no time at all.

1. Download Airscanner Mobile Sniffer™ to your local PC
2. Sync your Pocket PC device to your computer
3. Double-click the Airscanner Mobile Sniffer™ setup .EXE
4. Click the [Next] button
5.
6. MobileSniffer is the default install folder (unless you want to store the files elsewhere)
7. Click [OK] once the program is done installing
8. Important: On the Pocket PC device, if you are warned about overwriting the mfcce300.dll file, click the [No] button twice. If this file already exists on your device, you do not need to overwrite it with another.

3.1.
The following will outline the usage features of Airscanner Mobile Sniffer™. It assumes you have Airscanner Mobile Sniffer™ installed and working properly (i.e., with the correct drivers). To use Airscanner Mobile Sniffer™, locate the MobileSniffer icon in your start menu and select it. After clicking it, you will see an adapter selection screen listing the network adapters that are installed on your Pocket PC.
previous overview of promiscuous mode for more information about this mode). Typically, you will want to operate in promiscuous mode, which is selected by default. However, if your WNIC doesn't support promiscuous mode, or if you are only concerned with the data traveling to and from your device, you can select this option to capture only local traffic.
By default, filtering is not enabled when sniffing. However, if you want to narrow down the collected data to an exclusive protocol or device, you can use a filter. This option provides you with a quick method of enabling and disabling filtering.

3.1.5.2 Tools Menu

The Tools menu is focused on the operational functions of the Mobile Sniffer. In this menu, you can gain access to packet and traffic details, and more.
The details also include all of the information about the actual packet. Items such as time, length, MAC address, IP address, IP version, protocol, ports, packet flag status, sequence number and more are listed for your inspection.

Note: While viewing details, you cannot operate in sniffer mode.
Capture to…

This option allows you to define where on the Pocket PC you want to save the capture file. Like the 'Save Packets to…' option, this helps you control where data is stored so you do not fill up the Pocket PC's storage.

Start/Stop Capture

In addition to the Start/Stop buttons on the menu bar, you can also start and stop the program from the Tools menu.

3.1.
The following example filter could be used to monitor all HTTP requests coming from one IP address. This filter could be used to passively monitor a suspect to see if they are using a company WLAN to access pornography:

Source IP is 192.168.1.10 AND Destination Port is 80

Note: Unless you are a law enforcement officer with a proper warrant, we do not recommend spying on your users.
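As an added example (not Airscanner's code), the filter above written as a small Python evaluator run over constructed packet summaries carrying the fields the Packet Details view lists. The field names and the "is"/"AND" wording follow the manual's example; the Packet record and the sample traffic are assumptions for this illustration, and a mistyped field name is rejected instead of silently widening the capture.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Packet:
    # Constructed subset of the fields the Packet Details view lists.
    time: float
    src_ip: str
    dst_ip: str
    protocol: str  # "TCP" or "UDP"
    src_port: int
    dst_port: int

# Filter field names written the way the manual's example writes them.
FIELDS = {"source ip": "src_ip", "destination ip": "dst_ip", "protocol": "protocol",
          "source port": "src_port", "destination port": "dst_port"}

def compile_filter(expr: str) -> Callable[[Packet], bool]:
    """Turn 'Source IP is 192.168.1.10 AND Destination Port is 80' into a predicate.
    Every clause must hold; an unknown field or empty value raises ValueError."""
    tests = []
    for clause in expr.split(" AND "):
        field, sep, value = clause.strip().partition(" is ")
        attr = FIELDS.get(field.strip().lower())
        value = value.strip()
        if attr is None or not sep or not value:
            raise ValueError(f"bad filter clause: {clause!r}")
        # Ports compare as integers, protocol names case-insensitively, addresses as text.
        if attr.endswith("_port"):
            want = int(value)
        elif attr == "protocol":
            want = value.upper()
        else:
            want = value
        tests.append((attr, want))
    return lambda pkt: all(getattr(pkt, a) == w for a, w in tests)

def apply_filter(packets: list, expr: str) -> list:
    """Keep only the packets the filter admits, as a capture-time filter would."""
    keep = compile_filter(expr)
    return [p for p in packets if keep(p)]

# Constructed sample traffic; only the first and third match the manual's HTTP filter.
SAMPLE_PACKETS = [
    Packet(0.0, "192.168.1.10", "10.0.0.5", "TCP", 49152, 80),
    Packet(1.2, "192.168.1.10", "10.0.0.5", "TCP", 49153, 443),
    Packet(2.5, "192.168.1.10", "10.0.0.9", "TCP", 49154, 80),
    Packet(3.1, "192.168.1.20", "10.0.0.5", "TCP", 49155, 80),
]
```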
However, if you want to capture data from a wired network, Ethereal will work quite well.

3.2.2.1 Requirements

WinPcap: http://winpcap.polito.it

There is one requirement for Ethereal on Windows: WinPcap. This program, available for free online, enables Ethereal to link right into the network card before the data is passed up to the network software and processed by Windows.
interface directly with the hardware installed in the computer. By allowing this, software writers do not have to work with poorly written or tightly managed library components, as they do in Windows. However, this increased functionality does come with its share of problems. Because of the nature of open source software, you can never be sure what is included in a package, or how it will work with a certain piece of software.
rpm -ivh filename.version.i386.rpm

Installing Source Code

This is not recommended for the complete beginner. However, if you have customized your system, want to play with the code, or are having problems installing the RPMs, the source code is available for download. The following is the typical procedure for compiling and installing source code.

NOTE: You will need a compiler installed.
a price. Therefore, do not be surprised if you get an error or two while installing these programs. To help, we have provided a few troubleshooting tips to ease the pain.

Missing Files and/or Directory Errors

If you receive an error relating to a file or directory that is non-existent, the problem can be solved by manually creating this directory or by creating a link to the necessary file.
equivalent of the hex data. This is the section that lets you actually peer into the packet and see what type of data is being transmitted, character by character.

3.2.4.3 Configuration

Using Ethereal can be as simple as you want it to be. By default it comes with everything set up for full sniffing, and the only necessary setting is the selection of the network interface device.
The interface option must be set to the NIC currently installed and in operation. Note that in the example there are four options available. This list is from Ethereal as it appears when installed in Windows XP. For this operating system, the list contains the NIC by MAC address. Other versions of Windows create a list by pseudo-names (for example, cw10, PPPMAC, wldel48, and so on).
Once these settings meet your satisfaction, click the OK button to start sniffing. After you do this, you will see a small window open up that provides you with a running tally of the number of each type of packet collected.

NOTE: The stats window only displays the common protocols. All others are lumped under the Other category, which will require further investigation.

3.2.4.
In this example, we will create a filter for AIM and Quake. Quake is a multiplayer game whose mastery is an essential prerequisite for any competent security professional. However, if you are a network administrator, you might desire a way to periodically monitor your network for Quake packets to make sure no one has set up a rogue Quake server. To do this, perform the following steps:

1. Click the Filter button.
2. Type Quake in the Filter Name textbox.
network. To facilitate this example, we simply sent messages to our own chat client. After a few sentences, we stop the capture and let Ethereal load the data into the packet display windows. At this point, we have a great deal of commingled data. How can we sort through this data to find our chat session? We could set up a filter; however, this would still leave us with numerous packets that we would have to piece together.
4. Troubleshooting

If you experience problems with Airscanner Mobile Sniffer™, please review the following symptoms to help guide your troubleshooting efforts:

Unable to set mode. This error is given when the Mobile Scanner can't set the WNIC in promiscuous mode. This is usually caused by the use of an unsupported WNIC or improper drivers.

Error opening this adapter. Please "soft" reset your device and select another adapter.
When do I have to pay for Airscanner™ software?

Corporate, Educational, Government, and Small Business/Home Office users must purchase an annual license within 30 days of installing the software. Please take the full 30 days to evaluate the software to ensure compatibility before purchasing a license. It is illegal to use Airscanner™ software beyond 30 days for business use without a paid license.
Software-specific FAQ:

Is my network card supported?

Airscanner™ Mobile Sniffer supports all known wireless networking cards and integrated WiFi such as the Toshiba e740 series -- and even the flawed IPAQ 5450 series to some extent (use the fix below to correct the reported problems in the 5450 hardware). The key is to select the correct adapter at program start-up.
Note that this method works only in non-promiscuous mode.

Does your product work on the Toshiba e740 series?

Yes, it works fine on the Toshiba e740 series, including promiscuous mode. As pointed out by Dataworm of PocketWarrior, you have to select the network adapter named EC2NDS1. Either select this adapter at program startup, or go to Options > Select Adapter from the program's main screen.
What can I do with the data I collect?

Mobile Sniffer is a great first-level tool. It can provide instant access to important data; however, it is not a full-fledged analyzer. We recommend you try Ethereal for a deeper analysis, which is why our saved files are in this format. Ethereal is free and available at www.ethereal.com. It works wonderfully with Airscanner Mobile Sniffer packet session captures.