Whirl Wind 1 Copyright © 2007 by Futures, Inc.
WhirlWind
The proliferation of wireless networks and mobile devices has unlocked enormous new productivity potential for organizations that rely on corporate communications and rapid decision making. However, it has created an increased level of security risk as well.
Introduction
Futures Inc. is a network security company headquartered in the Baltimore/Washington, D.C. metropolitan area. The company has provided, and continues to provide, leading-edge Information Assurance/Security products and services to commercial and government customers since 1996. In line with that vision, the security engineers and network analysts of Futures Inc. have developed another product for use in the security community: WhirlWind.
WhirlWind Overview
The purpose of WhirlWind is to be a rapidly deployable wireless network monitoring/collection product that is small, simple, inexpensive, and disposable, while remaining invisible to the wireless networking environment at all times. WhirlWind catalogues activity in a wireless environment to glean insight into the types and volumes of activity.
General Features
- Stealth WiFi Survey builds.
- Able to utilize just about any PC/Laptop with a PCMCIA, USB, internal, or mini PCI WiFi card.
- Use of GPS is optional, but recommended for the DustDevil output file.
- Able to store data on a USB/Firewire or internal storage device for analyzing data at a later time.
- DustDevil, created specifically for converting WhirlWind datasets to mapping data sets, e.g., Google Earth™.
- Utilizes Kismet within the build.
- Kiosk-like environment.
WhirlWind – Platinum
- All the features of WhirlWind Gold.
- Ability to enable/disable GPS use for mapping.
- Ability to enable/disable collection of network traffic.
- Capability to utilize more than 1 WiFi device. The user has the ability to assign specific channels to cards, or assign channel hopping to cards. Testing has proven 14+ cards usable by the system at one time.
Booting the system To boot the WhirlWind system, insert the WhirlWind CD-ROM and power on the system. Some systems may require you to reconfigure the BIOS to enable booting from CD-ROM. Upon booting the system with WhirlWind, there will be a user license agreement that the user must accept before WhirlWind continues the boot process. Please use the key to move from [Reject Agreement] to [Accept Agreement] and press or to continue.
Immediately after the User License Agreement is the authentication challenge. It will look like the following figure. Figure - 2 Authentication Challenge The first line contains the host system’s internal hardware clock date/time setting. The next 3 lines contain 10 groups of 4 characters each. These values have different content each time the authentication is presented. The bottom box is for the user to enter a response to the challenge. Asterisks (*) will be echoed in the place of characters entered.
The user is shown the following dialog and given the option to change the time value within the WhirlWind OS (Operating System). Altering the time on WhirlWind will not change the RTC chip value or the time on the underlying native OS. Figure - 3 Time Reference Choices The default answer is [No]. Press to proceed. If a change is needed, use the key to highlight the [Yes] button and press . The following screen illustrates setting of the OS time.
Figure - 4 Date / Time Set Instructions The screen is self-explanatory. The input string will be processed when the [OK] button is selected. The next screen instructs the user to select a storage option, and the screen after that provides a menu for the user to select a storage device. Figure 5 indicates choices for selection: system memory, USB storage devices, firewire storage devices, and hard drive partitions.
Figure - 5 Storage Options Figure - 6 Storage Selection Menu For the purposes of this example, RAMDISK (system memory) is selected as the storage medium. Selecting other storage options will bring up other screens similar to Figure 7 except that the data will be non-volatile (Note: If a USB or other external storage device is chosen, it is recommended that the user NOT remove the device during WhirlWind operation; removal of the storage device without shutting down WhirlWind could result in the loss of collected data and/or cause damage to the filesystem of the device). The next screen shot confirms the storage area selection of RAMDISK.
Figure - 8 WiFi Device Selection (Bronze – Gold Versions) The recommended way to terminate a Kismet session is with “Q” = + in the main Kismet screen. Kismet will shut down cleanly. Removal of a WiFi network adapter during collection will also cause Kismet to exit and return to the WiFi Device Selection screen. Also, it has been observed that some WiFi network adapters may cause the system to freeze/lock if removed, depending on the system hardware and WiFi device combination.
- [TryAgain] or [Re-Identify Cards]: these options allow the user to place wireless cards in the system and have this screen refresh itself with new chipset or card count information.
- [MultiChipset]: allows the user to utilize more than one chipset of cards at the same time. This is experimental because certain chipset combinations may cause the system to lock up or freeze when a multi-chipset configuration is performed.
Figure - 9 WiFi Chipset Selection Example #1 (Platinum Version) Figure - 10 WiFi Chipset Selection Example #2 (Platinum Version) Figure - 11 WiFi Chipset Selection Example #3 (Platinum Version)
After completing the “WiFi Chipset Selection” screen, the user will follow one of two paths towards completing the WhirlWind Platinum setup process:
- Selection of a single chipset to be used: see section “WiFi Device Selection (Platinum Version)”.
- Selection of MultiChipsets (experimental): see section “WiFi MultiChipset Selection (Platinum Version)”.
The “WiFi Device Selection” section is introduced first because it is part of both paths.
The following options are presented to the user:
- Toggling the use of WiFi chipsets on/off. * (asterisk) means the chipset is enabled for use.
- [OK]: Utilize the selected chipsets for use by the system.
- [BACK]: Return to the previous screen.
- [Re-Identify Cards]: Have the system re-identify all the cards in the system and refresh the current display with the updated information. This option should be used if a new card has been placed in the system that needs to be identified.
The following options are presented to the user:
- Toggling the use of WiFi cards on/off. * (asterisk) means the card is enabled for use.
- [OK]: Utilize the enabled cards for use by the system.
- [BACK]: Return to the previous screen.
- [Re-Identify Cards]: Have the system re-identify all the cards in the system and refresh the current display with the updated information. This should be used if a new card has been placed in the system that needs to be identified.
arrow keys. The user may enter any information they want into this window, but anything out of bounds will be removed by the system prior to final assignment. Each channel assignment line is limited to 33 characters, including the channels being assigned and the spaces between them. A user may assign each card to a single channel in order to have cards locked onto a specific channel once Kismet is started.
Following this screen, the user will be provided the “WiFi Card Channels Assigned” screen. WiFi Card Channels Assigned (Platinum Version) This will allow the user to see what the exact card-to-channel configuration of the system is going to be. If the user has any changes that need to be made, please select [Re-assign Channels] button in order to go back to the “WiFi Card Channel Assignments” screen.
Traffic Collection: This feature, when enabled, instructs the system to collect wireless network traffic. It is essential for the user to know that this feature may be illegal in their local jurisdiction. Please be aware of the local laws for the area you are enabling this feature. This feature was created to allow a system administrator to collect traffic against their own wireless network and test the security of the network. Futures takes no responsibility for the user violating the law.
After General Configuration (All Versions): After the user selects [OK] from the above screen, the system will apply all configuration settings as defined by the user and start Kismet. If Kismet fails to start, the most likely cause is that one of the cards failed to enter monitor mode. If the WiFi card(s) entered monitor mode correctly, the user will see a screen similar to the following, followed by a Kismet screen similar to that shown.
Figure - 18 Kismet Start Screen Sample (No GPS – Platinum Version) Over the course of time, the Kismet screen may resemble something closer to: Figure - 19 Kismet Screen Sample Over Time (with GPS – Platinum Version)
The recommended way to terminate a Kismet session is with “Q” = + in the main Kismet screen. Kismet will shut down cleanly. Removal of a WiFi network adapter during collection will also cause Kismet to exit and return to the WiFi Device Selection screen. It has been observed that some WiFi network adapters may cause the system to freeze/lock up if removed, depending on the system hardware and WiFi device combination.
Console Displays Once the boot sequence has completed, the user will be able to access different screens via the console keys. The console screens provide additional data on the health of WhirlWind in its operations. Figure - 20 Console The next console (located with ) screenshot provides critical data on the GPS device that is being used. It is the application “cgps” which shows the state of the data coming from the GPS daemon (“gpsd”).
Figure - 21 CGPS display The “GPS Type” effectively identifies the receiver / protocol / firmware being used. This information is the primary way to identify differences between devices that appear similar, but whose performance is radically different. By pressing the key the user will be taken to the main data screen for Kismet (reference Figure 23 in the following Kismet section). This will happen automatically when Kismet starts.
Kismet
Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic. Many Internet web sites are devoted to tutorials on how to install and properly configure Kismet; in many cases, complex modifications to the Linux kernel are required to get Kismet to work.
POPUP WINDOWS
h  Help (What you’re looking at now)
n  Name current network
i  Detailed information about selected network
s  Sort network list
d  Dump printable strings
r  Packet rate graph
a  Statistics
p  Dump packet type
f  Follow network center
w  Track alerts
x  Close popup window
Q  Quit/Exit Kismet
The panels interface supports displaying networks and clients detected by Kismet, grouping of multiple networks, sorting of networks and clients, reporting the signal and noise levels of the wireless card, displaying p
WEP (W) flags show the type of encryption detected on the network.
N  No encryption detected
Y  Standard WEP encryption
O  Other encryption methods detected. See the network details for more information.
SELECTING NETWORKS: The default sorting method is “Last Heard Descending”. This keeps the most recently active networks on the top of the display. Sort the network display by one of the other methods to select and group networks.
Figure - 22 Kismet Help Menu During the boot-up process, the user will select a WiFi device(s) for Kismet to utilize. Once the WiFi source(s) is identified and the card is placed in Monitor mode, Kismet launches. The opening screen of Kismet looks similar (colors may vary) to this:
Figure - 23 Illustration of WiFi Sources Detected As Kismet starts, it begins to compile a list of all wireless networks within range of its wireless adapter. The first column displays the name of the wireless access point whose traffic is being collected (common names include “linksys,” “default,” or “”). Another particularly relevant column is the third column, labeled “W.” This column tells whether or not Kismet detects that the access point is using encryption.
Figure - 24 Access Point (AP) Information To escape this detailed view, press the “q” key (note the “q” will close out any pop-up windows in Kismet and return the user to the previous view).
To see the rate of wireless packets traveling the wireless environment, press the “r” key. Figure - 25 Packets Traversing WiFi Environment To view a live display of the types of packets (whether data frames, router management frames, etc.), press the “p” key.
Figure - 26 Packet Information The display of the “Packet Type” information may be difficult to decipher. Recall, however, that every Kismet screen has “help.” To display a legend for the packet type information press the “h” key.
Figure - 27 Sniffer Data In addition to cataloguing wireless network information, Kismet can also be used as a sniffer to intercept wireless network traffic. First select the wireless network of interest from the Kismet main screen, then press the “L” key to lock on the channel (note: this command is case sensitive, it must be an upper case “L” to lock the channel).
lock. This menu is scrollable by using the up and down arrow keys. Please note that the window only shows 3 of the cards at a time, and scrolling through the list is necessary to see all possible selections in the list. Figure - 28 Kismet Selection Window Perform Locking (Multiple Card System – Platinum) Next, press the “d” key to begin to “dump” the contents of data packets to the screen. The following screenshot depicts an actual wireless environment.
Figure - 29 WarDrive data (Platinum Version displayed) Sniffing a wireless network is a particularly useful way to identify who is using a network or for what purposes the network is being used (important steps if you’ve detected an unauthorized wireless network within the organization). Finally, one of the unique features of Kismet is the ability to detect a wireless access point’s SSID even if the access point is not broadcasting its name.
Figure - 30 SSID Detection Figure 30 displays what is shown in the information panel of Kismet. Figure 19 on page 24 displays (in blue) a decloaked network named “”. Kismet has many other features that are not covered in this document, and will doubtless add more as the author has time. For further documentation on Kismet and its use, consult http://www.kismetwireless.net/documentation.shtml .
GPS Data Mapping
The following display examples are produced by WhirlWind utilizing Futures’ DustDevil tool, which extracts pertinent information to produce a .KML (Keyhole Markup Language) file. The resulting .KML file can be opened using the Google Earth™ application available at http://earth.google.com/download-earth.html. The viewing of WhirlWind output data is accomplished on a separate system with an Internet connection.
Storage and Operations
Storage
Early in the setup process, a selection was made as to where to store data being produced by Kismet. On that storage device, all the data produced during that boot is stored in a directory named with the date and time (Date-Time Group (DTG)) of the system boot, for example:
E:\WhirlWind\2007-10-25_13_17 = Oct 25 2007 1:17 PM
Below is the content of that directory from a single boot, which involved starting and stopping Kismet 3 times (voluntarily) during the run.
There are 3 types of entities found in this directory.
1. Other sub-directories
2. Files created with each Kismet run:
   a. .csv, .xml, .network – default files
   b. .gps:
      i. Enabled by default on Bronze – Gold versions
      ii. If enabled by the user – Platinum version
   c. .dump:
      i. Not enabled on Bronze and Silver versions
      ii. Enabled by default on Gold version
      iii. If enabled by the user – Platinum version
3. Files created by WhirlWind processes (.js, .html, .
Operations
After Kismet has terminated, a WhirlWind process called “DustDevil” (DD) runs. DustDevil processes all of the .csv files found in the storage directory. See the figure below for an example screenshot for DD data processing.
• The contents of all of the .csv files are merged together and analyzed.
• The “best” geolocation data for each unique BSSID is processed into the DustDevil .kml and .html files.
• A summary count is displayed on Console #1
  o Total networks (BSSIDs) for the aggregate .
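The merge-and-map step described above, as an added example written for this page (it is not Futures' DustDevil and does not reproduce Kismet's full .csv layout): several Kismet runs from one boot are merged, the "best" geolocation per unique BSSID is chosen, a KML file with one placemark per network is produced, and the summary count is returned. The column set, the tie-break rule (a row with a real GPS fix beats one without; otherwise the strongest signal wins), and the sample rows are all constructed assumptions.

```python
"""Minimal DustDevil-style merge of Kismet-run CSV data into KML.
Illustrative code for this manual page; not Futures' DustDevil.  The
column subset below (assumption) stands in for Kismet's real .csv layout."""
import csv
import io
from datetime import datetime
from xml.sax.saxutils import escape

# Constructed sample data: three Kismet runs from one boot, as the manual
# describes.  The same BSSIDs recur with different signal and fix quality;
# 0.0,0.0 stands for "no GPS fix" in this example.
RUN_CSVS = [
    "BSSID;ESSID;Channel;Encryption;BestSignal;GPSBestLat;GPSBestLon\n"
    "00:11:22:33:44:55;linksys;6;None;-70;39.2904;-76.6122\n"
    "66:77:88:99:AA:BB;;11;WEP;-80;0.0;0.0\n",
    "BSSID;ESSID;Channel;Encryption;BestSignal;GPSBestLat;GPSBestLon\n"
    "00:11:22:33:44:55;linksys;6;None;-55;39.2906;-76.6120\n"
    "66:77:88:99:AA:BB;;11;WEP;-65;39.2910;-76.6130\n",
    "BSSID;ESSID;Channel;Encryption;BestSignal;GPSBestLat;GPSBestLon\n"
    "CC:DD:EE:FF:00:11;corp-guest;1;WPA;-60;39.2950;-76.6100\n",
]


def parse_dtg(dirname):
    """Parse the boot-time directory name (YYYY-MM-DD_HH_MM) the manual shows."""
    return datetime.strptime(dirname, "%Y-%m-%d_%H_%M")


def parse_run(text):
    """Read one run's CSV text into dicts with numeric signal/coordinates."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        row["BestSignal"] = int(row["BestSignal"])
        row["GPSBestLat"] = float(row["GPSBestLat"])
        row["GPSBestLon"] = float(row["GPSBestLon"])
        rows.append(row)
    return rows


def has_fix(row):
    return (row["GPSBestLat"], row["GPSBestLon"]) != (0.0, 0.0)


def merge_runs(run_texts):
    """Keep, per BSSID, the row with a real GPS fix and the strongest signal."""
    best = {}
    for text in run_texts:
        for row in parse_run(text):
            cur = best.get(row["BSSID"])
            # Tuple comparison: a fix beats no fix, then higher (less negative)
            # signal wins.  This is the assumed "best geolocation" rule.
            if cur is None or (has_fix(row), row["BestSignal"]) > (has_fix(cur), cur["BestSignal"]):
                best[row["BSSID"]] = row
    return best


def to_kml(best):
    """Emit one Placemark per BSSID; blank ESSIDs are labelled *No SSID*."""
    parts = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>']
    for bssid, r in sorted(best.items()):
        name = r["ESSID"] or "*No SSID*"
        parts.append(
            f"<Placemark><name>{escape(name)}</name>"
            f"<description>{escape(bssid)} ch{escape(r['Channel'])} "
            f"{escape(r['Encryption'])} {r['BestSignal']}dBm</description>"
            f"<Point><coordinates>{r['GPSBestLon']},{r['GPSBestLat']},0"
            "</coordinates></Point></Placemark>")
    parts.append("</Document></kml>")
    return "\n".join(parts)


def summarize(best):
    """The Console #1 style summary: total networks and how many got a fix."""
    return {"total_networks": len(best),
            "with_fix": sum(1 for r in best.values() if has_fix(r))}


if __name__ == "__main__":
    boot = parse_dtg("2007-10-25_13_17")
    merged = merge_runs(RUN_CSVS)
    print("boot:", boot, "summary:", summarize(merged))
    print(to_kml(merged))
```

Run it as-is and it prints the boot time parsed from the directory name, the summary count, and the KML text; swapping RUN_CSVS for the real .csv files of a boot directory is the only change needed to map collected data, provided the column names are adjusted to the actual Kismet layout.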
Figure - 34 HTML Summary Additionally, when you select a network in the HTML summary, Google Earth™ will pan to the spot on the map where the network is shown and it will place a “pushpin” on the map to show you where the network is located (see Figure 34). This was done for two purposes – first, at times it was somewhat difficult to find the network of interest due to congestion or duplicate network names (like *No SSID*).
Figure - 35 HTML Summary w/ PushPin Using the Google Earth™ application, it is also possible to zoom in for a close up of the WiFi environment. Individual networks might look like this: Figure - 36 Google Earth™ Mapping Close-up
By selecting a specific point (WiFi network) on the map, metadata concerning the wireless network is displayed in a pop-up box: Figure - 37 Network Information Pop-Up The following figure illustrates the robust relationship that DustDevil has with Kismet output data. There are increased data field displays within the bubble. For example – data rate displays and GPS coordinates. In addition, the bubble provides enhanced packet capture definition.
Figure - 38 Detailed Network Information Popup with Data Fields
Living Document
This user manual is written as a living document to provide the most current information, and is subject to change as new capabilities are included in WhirlWind and as new devices for WhirlWind are tested.
Appendix A – Tested WiFi Cards
The following table illustrates some of the WiFi cards tested by the WhirlWind developers and whether or not the card was identified by the OS (Worked). As of this printing it is highly recommended that cards with the Atheros chip set NOT be used with the WhirlWind product. Although they are recognized by the operating system, testing has determined that there are driver faults at this time which may cause the card to stop working at an undetermined time after start.
D-Link DWL-G680 v1.00 D-Link DWL-G630 v3.00 D-Link DWL-G630 v3.01 D-Link DWL-G650 v2.54 EDIMAX EW-7108PCg Encore Electronics ENPWI-SG Gigabyte Technology Hawking Technologies GN-WBKG Hawking Technologies HWC54G Intel JAHT IPW-2200 WN-5054P Level 1 WPC-0300 Linksys Linksys WPC11 v3 WPC11 v4 Linksys Linksys WPC54G v1 WPC54G v3 Linksys WPC54GS v1.1 Linksys WPC54GS v2 HWC54D 802.11abg NIC (rev 01)) Atheros (Atheros Communications, Inc. AR5212 802.
Linksys WPC55AG v1.1 Linksys Linksys Lucent Technologies Netgear Netgear WUSB54G v4 WUSB54GP PC24E-H-FC (Orinoco Gold) MS-6861 WG511 (Not V3) WG511T WG511U Netgear WPN511 Nova Tech NV914 SMC SMC2336W-AG SMC SMC SMC2532W-B SMCWCB-G SMC SMCWCT-G TRENDnet TEW-441PC TRENDnet TEW-501PC Zonet ZEW2500P Zyxel G-102 v2 Zyxel G-110 Zyxel G-162 MSI Netgear (rev 02)) Atheros (Atheros Communications, Inc. AR5212 802.
Appendix B – Tested WiFi Chip sets
The following table illustrates chipset compatibility as it applies to Kismet server recognition.
Appendix C – Tested GPS Devices
Within the WhirlWind build, the developers have wrapped the open-source software “gpsd”. Gpsd is a daemon that monitors one or more GPS devices attached to the computer through the USB or serial ports. Multiple GPS client applications can share access to GPSes without contention or loss of data. As of this printing, gpsd version 2.34 is being used.
The other was serial number “BU26903” and it took only 20 seconds to make a cold fix in the same location. The fundamental difference between the two was the SiRF firmware. The firmware versions were:
• GSW3.0.2-GS_3.0.00.03-C5P1.02b == 90 second cold fix
• GSW3.2.2_3.1.00.12_SDK C-03P1.01a == 20 second cold fix
The 3.2.2 firmware was the current firmware at the time of the testing. Obviously, improvements had been made since 3.0.2.
Appendix D – End User License Agreement (EULA) WhirlWind 1.0 Futures Software License Agreement PLEASE READ THIS AGREEMENT CAREFULLY. BY USING THE SOFTWARE (INCLUDING ITS COMPONENTS), YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE WITH THESE TERMS, DO NOT DOWNLOAD OR USE THE SOFTWARE AND, IF APPLICABLE, RETURN THE ENTIRE UNUSED PACKAGE TO THE RESELLER WITH YOUR RECEIPT FOR A REFUND.
MAINTENANCE AND SUPPORT Your rights with respect to updates, patches, or other materials received under a subscription to a Futures maintenance program for the Software are defined by the relevant maintenance program terms. Futures has no obligation under this Agreement to provide maintenance or support for the Software. Depending on how You acquired the Software, You may have also acquired a maintenance subscription for the Software.
may not apply to You. This limited warranty gives You specific rights and You may also have other rights which vary from state to state. LIMITATION OF LIABILITY (a) Consequential Losses.
Waiver. No waiver of any right under this Agreement will be effective unless in writing, signed by a duly authorized representative of the party to be bound. No waiver of any past or present right arising from any breach or failure to perform will be deemed to be a waiver of any future right arising under this Agreement. Severability.
Acronyms and Glossary
ACCESS POINT – The hub of a wireless network.
AES – Advanced Encryption Standard is a fast, secure symmetric algorithm.
API – Application Programming Interface. A code interface that a computer application, operating system, or library provides to support requests for services by the computer program.
BSSID – Basic Service Set Identifier. The MAC address of a station in a wireless access point.
GPS – Geo Positioning System
IEEE 802.
WPA – WiFi Protected Access is an improved encryption standard with a higher level of security than WEP. It bridges the gap between WEP and 802.11i (WPA2) networks. WPA uses TKIP.
WPA2 – The latest implementation of WPA providing stronger data protection and network access control. There are two versions of WPA2 – Personal and Enterprise. WPA2 Personal protects network access by using a setup password. WPA2 Enterprise verifies network users through a server.