Friday, March 12, 2004

I Wish To Be Probed
They say that idle hands are the devil's playthings. This morning, I have a trembling pair of idle hands. I didn't think I would be this nervous about a root canal that my wife is getting. You hear about how awful they are, and my wife is getting two of them right now. I'm really, really nervous. I know she will be just fine, and she's pretty tough. But to know that she is just a few rooms away (probably in pain) just eats me up.

I am doing my best to keep busy. So I brought my laptop. This dental office is nice! Those $900 root canals buy some nice shit! Stuffed chairs. Simulated 'aged' country cabinets. Hardwood floors with large area rugs. Man, it's nice. And here I am with my laptop, surrounded by a bunch of people. This office is really filling up. I thought I might try to find myself a wireless network. So I brought up MacStumbler. It came up with nothing. Nothing at all. So I brought up KisMac which picks up damn near anything.

KisMac immediately found ... a prober. So here is a guy who is scanning for networks just like me! It's not as exciting as it sounds. If I knew there was a guy in the next room with a laptop, and NetStumbler running, that would be neat. But more likely it's a PC with a wireless NIC in it, and no network to connect to. So the card idles all day long looking for something to connect to.



Would it connect to me if I set up shop and invited it in? I had some questions that needed answering. Like, what's the name of the access point that it would like to connect to? Is it asking for anything specific? I could see that the client card was a D-Link, and D-Link typically uses "default" as the name of its access points. I decided to use KisMac to "dump" out any traffic that it found into a file. This file can then be opened and read with a packet monitor/analyzer, like Ethereal.

And so with dumping enabled, I started up a scan. I must have been looking around the room while I was waiting for some packets to get captured by KisMac. Across the room was a younger guy who had put down his newspaper and was looking at my laptop. He smiled and asked me about a sticker on my laptop. "Is that a Starbucks sticker?" He looked like a coffee shop type. "Nope", I replied, "it's a parody Starbucks sticker ... it says Spend Bucks On Me". He liked that.

Now I had some packets, so I shut down KisMac and ... Kernel Panic. It's pretty hard to crash a Mac running OS X. That is, unless you do some really weird things with loading and unloading of the wireless card driver. So I rebooted, and then went into Ethereal and opened up the "dump" file I had made.

I had never attempted this before, and it worked surprisingly well. I could see all of the many probe requests made by the client, and inside almost every one of the requests I could make out the name of the access point it was looking for, "default".
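What Ethereal showed here, the network name sitting inside each probe request, can be pulled out of a raw 802.11 capture with a few lines of code, which is handy for auditing what your own laptops and phones announce to anyone listening. The following is an added example and is not from the original post, from KisMac or from Ethereal: a small Python parser for 802.11 probe request frames that records, per client MAC address, which SSIDs that client is asking for. The frames it runs on are constructed inside the block (the MAC addresses and SSIDs are made up), and it assumes bare 802.11 frames with no radiotap or prism header in front and no trailing FCS; a dump from a real tool may need those stripped first.

```python
import struct
from collections import defaultdict

# 802.11 frame-control constants: management type, and the subtypes we care about
MGMT, PROBE_REQ, BEACON = 0, 4, 8
# Tagged-parameter ids: 0 = SSID, 1 = supported rates
SSID_TAG, RATES_TAG = 0, 1


def mac_str(raw):
    """Six raw bytes -> 'aa:bb:cc:dd:ee:ff'."""
    return ":".join(f"{b:02x}" for b in raw)


def fc_type_subtype(fc0):
    """First frame-control byte: bits 2-3 are the type, bits 4-7 the subtype."""
    return (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF


def parse_tags(body):
    """Walk the tagged-parameter list: [tag id][length][value] repeated."""
    tags, i = [], 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break  # truncated frame: stop rather than mis-parse the tail
        tags.append((tag, value))
        i += 2 + length
    return tags


def probe_request_ssid(frame):
    """Return (source MAC, requested SSID) for a probe request, else None."""
    if len(frame) < 24:  # management frames carry a 24-byte MAC header
        return None
    if fc_type_subtype(frame[0]) != (MGMT, PROBE_REQ):
        return None  # beacons, data frames, etc. are ignored
    src = mac_str(frame[10:16])  # addr2 is the transmitter (the client)
    # Probe requests have no fixed fields, so the tags start right after the header.
    for tag, value in parse_tags(frame[24:]):
        if tag == SSID_TAG:
            # A zero-length SSID is the wildcard "anybody out there?" probe.
            ssid = value.decode("utf-8", "replace") if value else "<wildcard>"
            return src, ssid
    return src, "<no SSID tag>"


def summarize(frames):
    """Map each probing client MAC to the sorted set of SSIDs it asked for."""
    seen = defaultdict(set)
    for frame in frames:
        hit = probe_request_ssid(frame)
        if hit:
            seen[hit[0]].add(hit[1])
    return {mac: sorted(ssids) for mac, ssids in seen.items()}


# --- constructed sample frames (not a real capture; addresses are made up) ---
def make_mgmt_frame(subtype, src, body):
    fc = bytes([(subtype << 4) | (MGMT << 2), 0x00])
    broadcast = b"\xff" * 6
    header = (fc + b"\x00\x00"                      # duration
              + broadcast                           # addr1: destination
              + bytes.fromhex(src.replace(":", ""))  # addr2: source
              + broadcast                           # addr3: BSSID (wildcard)
              + b"\x00\x00")                        # sequence control
    return header + body


def make_probe_request(src, ssid):
    ssid_b = ssid.encode()
    tags = (bytes([SSID_TAG, len(ssid_b)]) + ssid_b
            + bytes([RATES_TAG, 4, 0x82, 0x84, 0x8B, 0x96]))
    return make_mgmt_frame(PROBE_REQ, src, tags)


def make_beacon(src, ssid):
    ssid_b = ssid.encode()
    fixed = struct.pack("<QHH", 0, 100, 0x0001)  # timestamp, interval, capability
    return make_mgmt_frame(BEACON, src, fixed + bytes([SSID_TAG, len(ssid_b)]) + ssid_b)


SAMPLE_FRAMES = [
    make_probe_request("00:11:22:33:44:55", "default"),
    make_probe_request("00:11:22:33:44:55", ""),         # wildcard probe
    make_probe_request("00:11:22:33:44:55", "default"),  # repeat, collapsed by the set
    make_probe_request("00:11:22:33:44:66", "linksys"),
    make_beacon("00:aa:bb:cc:dd:ee", "cafe"),            # not a probe request; skipped
]

if __name__ == "__main__":
    for mac, ssids in summarize(SAMPLE_FRAMES).items():
        print(mac, "probes for", ", ".join(ssids))
```

Running it prints one line per client with the names it is looking for; a client that only ever sends the wildcard probe leaks nothing, while one that names "default" is telling every listener which network it will happily join.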



I thought so! And now it was time to create my network with the name of default. A wireless trap!



Would they connect to me? If they did, I could connect back to them. Most likely the traffic wouldn't go any farther than that. It's not as if I could connect to this other computer and start surfing the net. Yet, he might be sharing some files, or running some services of interest.

The real question now was, is he connected to me? How the hell would I know if he was? If he could authenticate, and connect to me, his computer would attempt to grab an IP address from me using DHCP. I'm on my iBook ... and although I could install dhcpd, I haven't. So there goes that.

A Lesson In ARP
If I could see that he was connected to my 'network', I could probably invent an IP address for him, and create a 'static arp entry' for him. Basically, you take someone's MAC address and tell your computer that a particular MAC address is attached to a certain IP address. Usually this information is 'discovered' on its own. So when you ping someone on a network, there is first a moment where you don't know them. Your computer goes out onto the network and says "who the hell is 192.168.1.10". They should answer back "dude, that's me ... and here is my MAC address". We call the whole process "ARP" which is short for "Address Resolution Protocol". Once your computer figures this out, it stores away their IP and their MAC into a table, and holds onto it for a couple of minutes. Later, it will throw away the information and ask again. It's not very likely that their MAC address will change in 2 to 10 minutes. But what the hell. We will check anyway.

To try any of these tricks I would need his MAC address. I would get that from any traffic coming from him, and I could capture it with tcpdump! So I become root (you need to do that) and I start up tcpdump with 'tcpdump -i en1'. The "-i" is short for 'interface' and "en1" is my 'wireless nic'.

Now I watch ... and I watch ... and I watch. All I see streaming by is my own garbage. I have noticed my iBook loves to chatter about its routing information. It's always hoping that it will find someone to route traffic through. So here I am watching tons of the same requests over and over again. They look like this ...

10:01:22.749125 education.local > ff02::2: icmp6: router solicitation
10:01:26.346568 arp who-has 20.0.0.2 tell 0.0.0.0
10:01:26.351013 education.local > ff02::2: icmp6: router solicitation
10:01:26.647000 arp who-has 20.0.0.2 tell 0.0.0.0
10:01:26.951602 arp who-has 20.0.0.2 tell 0.0.0.0
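The ARP lesson above, the table with an expiry timer, the static entry that never expires, and the "we will check anyway" on whether a MAC changes under an IP, can be turned into a small cache that feeds on tcpdump output like the lines just shown. The following is an added example, not from the original post: a Python ARP cache that reads tcpdump-style `arp who-has ... tell ...` and `arp reply ... is-at ...` lines, ages dynamic entries out after a TTL, refuses to overwrite static entries, and raises an alert whenever a reply maps an IP to a different MAC than the one still cached. The sample lines are constructed (the first one is modelled on the page's own output; the IPs and MACs in the rest are made up), and the TTL of 120 seconds is an assumed value, not what any particular operating system uses.

```python
import re

# The two line shapes tcpdump prints for ARP; the who-has form is the one
# seen in the capture above, the reply form follows the same output style.
WHO_HAS = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) arp who-has (?P<target>\S+) tell (?P<sender>\S+)$")
IS_AT = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) arp reply (?P<ip>\S+) is-at (?P<mac>[0-9A-Fa-f:]{17})$")


def ts_seconds(ts):
    """'10:01:26.346568' -> seconds since midnight, as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


class ArpCache:
    """IP -> MAC table with per-entry expiry, static pins, and change alerts."""

    def __init__(self, ttl=120):  # assumed TTL; real stacks vary (the post says 2-10 min)
        self.ttl = ttl
        self.entries = {}   # ip -> [mac, expires_at (None for static), is_static]
        self.alerts = []    # human-readable notes about IPs that changed MAC
        self.requests = []  # (sender, target) pairs from who-has lines

    def add_static(self, ip, mac):
        """The 'static arp entry' from the post: pinned, never aged out."""
        self.entries[ip] = [mac.lower(), None, True]

    def lookup(self, ip, now):
        """Return the cached MAC, or None if unknown or expired (expired rows are dropped)."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        mac, expires, static = entry
        if static or expires > now:
            return mac
        del self.entries[ip]
        return None

    def learn(self, ip, mac, now):
        """Record a reply. A different MAC for a still-cached IP is worth an alert."""
        mac = mac.lower()
        current = self.lookup(ip, now)
        if current is not None and current != mac:
            self.alerts.append(f"{ip} moved from {current} to {mac} while still cached")
            if self.entries[ip][2]:
                return  # static entries are never overwritten by what the wire says
        self.entries[ip] = [mac, now + self.ttl, False]


def process(lines, cache):
    """Feed tcpdump lines into the cache; lines that are not ARP are ignored."""
    for line in lines:
        line = line.strip()
        m = IS_AT.match(line)
        if m:
            cache.learn(m["ip"], m["mac"], ts_seconds(m["ts"]))
            continue
        m = WHO_HAS.match(line)
        if m:
            cache.requests.append((m["sender"], m["target"]))
    return cache


# Constructed sample: first line modelled on the capture above, the rest made up.
SAMPLE_LINES = [
    "10:01:26.346568 arp who-has 20.0.0.2 tell 0.0.0.0",
    "10:01:30.000000 arp reply 192.168.1.10 is-at 00:11:22:33:44:55",
    "10:02:00.000000 arp who-has 192.168.1.10 tell 192.168.1.1",
    "10:02:30.000000 arp reply 192.168.1.10 is-at 66:77:88:99:AA:BB",  # changed within TTL
    "10:03:00.000000 arp reply 192.168.1.99 is-at 01:02:03:04:05:06",  # contradicts a static pin
]


def analyze(lines=SAMPLE_LINES, ttl=120):
    cache = ArpCache(ttl)
    cache.add_static("192.168.1.99", "de:ad:be:ef:00:01")  # made-up static entry
    return process(lines, cache)


if __name__ == "__main__":
    cache = analyze()
    for ip, (mac, expires, static) in cache.entries.items():
        print(ip, "->", mac, "(static)" if static else f"(expires at {expires:.0f}s)")
    for alert in cache.alerts:
        print("ALERT:", alert)
```

Two things the run shows that the paragraph only states: the dynamic entry for 192.168.1.10 is replaced and logged when a second reply disagrees inside the TTL window, and then disappears on its own once the window passes, while the pinned entry for 192.168.1.99 ignores the contradicting reply but still leaves a trace in the alert list.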

Blah Blah Blah! Okay, enough with tcpdump. All I am seeing is my own routing requests. And every once in a while an attempt is made to synchronize my clock. How else could I monitor my traffic? Maybe Ethereal can catch them and display them better. Or perhaps tcpdump is withholding information.

I run Ethereal and I run about 4 different groups of packet captures ... finding nothing.

What Happened?
We learn from our failures. So let's see where we went wrong with some Q and A.

  • Was the signal strong enough? - We can't safely answer that one. It was strong enough to get to my laptop to be received. That doesn't say it was strong enough to connect and carry on a conversation. At best, the strength of the signal was around a 7. That's pretty low.
  • Did he want to connect to me? - We can't assume that he would attempt to authenticate on his own. His wireless card discovered my network, and likely did nothing with it. Perhaps the user was given a pop up box with something to the effect of "a network was found, do you want to connect to it?". I would click no if I wasn't expecting it. Additionally, some wireless connection utilities will not connect to a network automatically if it's NOT WEP encrypted. The user would be given a dialogue box that tells them "this network is insecure, and your data could be at risk ... you shouldn't connect to it".
  • Was this guy a client? - A "probe" is just a general 'anybody out there?' kind of request. It's pretty unspecific. We are assuming it was a PC-based wireless device such as a PC card in a laptop or a WiFi card in a tower style PC. We will never know for sure what 'it' was.
  • Did he connect with us, and we missed it? - Although it's possible that he connected to us, and disconnected soon after, I doubt it. If his network settings were those that the card would actively keep pursuing my network, I would have seen some of that traffic in my many packet captures.
