July 7, 2006

A scanner for wireless interlopers

Author: Joe Barr

Wireless security firm Network Chemistry recently released a cross-platform, free software security tool called RogueScanner in conjunction with its wireless network protection package RFprotect. RogueScanner, licensed under the GPL and the latest of three free software security modules available from Network Chemistry, allows you to monitor your network for rogue wireless devices. Release 1.0 comes in both Windows and Linux versions.

I downloaded and installed RogueScanner on my Ubuntu LTS desktop box. Building RogueScanner turned out to be a non-trivial task. Read all of the README file carefully and make sure you've met all the prerequisites. I required assistance and handholding from Network Chemistry tech support before I was successful in getting RogueScanner and the prerequisites built properly.

Speaking of prerequisites, you'll need both the libraries and the header files for libpcap, OpenSSL, and Ruby. You'll also need SNMP++ 3.x and gSOAP. See the README file included with the download for more details on build and configure options for all of the above.

Your install degree of difficulty will vary depending on your starting point in terms of distribution, prerequisites, and your own skill level. The company tells me that the installation documentation has been made a little clearer in parts based on my misadventures. The download page provides an email address where you can ask for installation assistance.

Once installed, RogueScanner does two things. First, it shows you all the wired and wireless devices it can see, providing as much detail on each as it can. IP addresses outside the "Home Net" entry in the configuration file are scanned, but not probed. RogueScanner also writes a log file to the current working directory and maintains lists of files describing the devices it has found. Second, it reports what it finds to Network Chemistry's collaborative device classification system. The results of the collaboration effort are available to both the registered users of RFprotect and to other RogueScanner users in order to provide immediate identification of devices on their own networks.

RogueScanner is typically run using a configuration file. A sample scanner.conf is included in the download and can easily be edited for your needs. My home LAN runs off a Linksys WRT54G router, at 192.168.1.1, which provides both wired and wireless connectivity. I have a wireless Hewlett-Packard network printer configured as 192.168.1.120, two desktop machines connected via Category 5 cable, and a laptop that connects via Wi-Fi.

I edited the sample configuration file until it looked like this:

iface=eth0
iface_address=192.168.1.101
iface_netmask=255.255.255.0
home_net=192.168.1.0/255
logfile=/home/warthawg/RogueScanner/scanner.log
scan_threads=10
debug=1
enable_cli=true
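As an added example (not part of the article or of RogueScanner's own code), the following Python parses a configuration file in the shape shown above, runs the sanity checks a practitioner would want before starting a scanner as root, and applies the article's distinction between addresses inside home_net (probed) and outside it (scanned only). The sample configuration is constructed here, and home_net is assumed to be written as a CIDR prefix or a dotted netmask; the `192.168.1.0/255` form the article uses is RogueScanner's own notation and is not interpreted by this code.

```python
import ipaddress
from typing import Dict, List

# Constructed sample in the style of the article's scanner.conf. The values are
# illustrative; the CIDR form of home_net is this example's assumption.
SAMPLE_CONF = """\
# RogueScanner-style configuration (constructed sample)
iface=eth0
iface_address=192.168.1.101
iface_netmask=255.255.255.0
home_net=192.168.1.0/24
logfile=/tmp/scanner.log
scan_threads=10
debug=1
enable_cli=true
"""

REQUIRED_KEYS = ("iface", "iface_address", "iface_netmask", "home_net")


def parse_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; '#' comments and blank lines are ignored.
    A repeated key is an error: a silently overridden home_net would change
    which hosts get probed, so refuse rather than guess."""
    conf: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if key in conf:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        conf[key] = value
    missing = [k for k in REQUIRED_KEYS if k not in conf]
    if missing:
        raise ValueError(f"missing required keys: {', '.join(missing)}")
    return conf


def home_network(conf: Dict[str, str]) -> ipaddress.IPv4Network:
    """home_net as addr/prefix or addr/dotted-mask (assumption of this example);
    strict=False tolerates a host address in the network part."""
    return ipaddress.IPv4Network(conf["home_net"], strict=False)


def interface_network(conf: Dict[str, str]) -> ipaddress.IPv4Network:
    """The subnet the scanning interface sits on, from iface_address/iface_netmask."""
    iface = ipaddress.IPv4Interface(f"{conf['iface_address']}/{conf['iface_netmask']}")
    return iface.network


def probe_policy(conf: Dict[str, str], ip: str) -> str:
    """'probe' for hosts inside home_net, 'scan' for everything else, which is
    how the article describes RogueScanner treating outside addresses."""
    return "probe" if ipaddress.IPv4Address(ip) in home_network(conf) else "scan"


def check_conf(conf: Dict[str, str]) -> List[str]:
    """Pre-flight checks; returns human-readable warnings (empty list = clean)."""
    warnings: List[str] = []
    home, iface_net = home_network(conf), interface_network(conf)
    if not home.overlaps(iface_net):
        warnings.append(f"home_net {home} does not overlap interface network "
                        f"{iface_net}; no local host would be probed")
    if ipaddress.IPv4Address(conf["iface_address"]) not in iface_net:
        warnings.append("iface_address is outside its own netmask")
    if conf.get("enable_cli", "false").lower() not in ("true", "false"):
        warnings.append(f"enable_cli should be true or false, got {conf['enable_cli']!r}")
    return warnings


if __name__ == "__main__":
    cfg = parse_conf(SAMPLE_CONF)
    for warning in check_conf(cfg):
        print("WARNING:", warning)
    for candidate in ("192.168.1.120", "192.168.1.1", "10.0.0.5"):
        print(candidate, "->", probe_policy(cfg, candidate))
```

Run it directly to see the per-address decision for a few constructed addresses; the same functions can be pointed at a real scanner.conf by replacing SAMPLE_CONF with the file's contents.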

Then, as root, I started running the scanner by entering:

# RogueScanner -c ~/RogueScanner/scanner.conf

Welcome to RogueScanner 1.0
(c) 2006 Network Chemistry, Inc.

Parsing configuration from /home/warthawg/RogueScanner/scanner.conf.
Setting interface to eth0.
Setting interface address to 192.168.1.101.
Setting interface netmask to 255.255.255.0.
Added 192.168.1.0/255 to "home_nets."
Setting log file to /home/warthawg/RogueScanner/scanner.log.
Setting number of scan threads to 10.
Setting debug level to 0x00000001.
Enabling interactive CLI.
>

The built-in CLI allows you to enter several commands. Note, however, that the CLI option is not the default interface. Be sure to set enable_cli=true if you want to use it. If you have enabled it, simply type help to get a list of the available commands. I entered device list to get a listing of all the devices the software could find. RogueScanner responded with:

192.168.1.1 (00:0F:66:49:9A:AF) Linksys WAG54G
192.168.1.104 (00:13:D3:EB:4B:F3) Micro-Star
192.168.1.102 (00:0C:F1:28:DE:C9) Intel
192.168.1.120 (00:11:85:8D:01:FB) Hewlett-Packard

You can display additional information about any specific device by entering the device detail command followed by its IP address, like this:

device detail 192.168.1.120
IP Address: 192.168.1.120
MAC Address: 00:11:85:8D:01:FB
Local: yes
Evidence:
 dns_name = 192.168.1.120
 ip_address = 192.168.1.120
 mac_address = 00:11:85:8D:01:FB
 probe = snmp(label:snmp_sysdescr, scan_id:32, port:161, request:"1.3.6.1.2.1.1.1.0", response:""),
  snmp(label:snmp_sysname, scan_id:33, port:161, request:"1.3.6.1.2.1.1.5.0", response:"")
 promiscuous = 1
Classification:
 [1] Score = 50
  class = wifi_unknown
  oui_name = Hewlett-Packard
  vendor = Hewlett-Packard
 [2] Score = 6
  class = wifi_soho_router
  model = WRT54G
  vendor = Linksys
 [3] Score = 1
  class = print_server
  model = 5600+ Network Print Server
  vendor = AXIS

Notice that the classification attempts are ordered by score, with the highest score being the best guess at classification and the lowest score the least reliable. I had to double-check on this, because although the third classification had the lowest score, it seemed to be -- based on the model -- the most accurate.

According to Network Chemistry, "The reason the Axis print server was matched at all is because it and your HP printer share a characteristic. However, this characteristic wasn't discriminating enough to boost the confidence in it being an Axis print server -- hence the low score."

This particular example also highlights the value of the collaborative nature of the tool, as the company also noted in its response to my query, "If you type 'classify 192.168.1.120' and put the correct model number (and vendor too), we'll be able to classify it and other instances of the same model with greater accuracy."

My laptop and the second desktop box (192.168.1.102 and 192.168.1.104 in the list above) didn't reveal enough about themselves to warrant any guesses at all for classification.

The README file describes how you can also configure RogueScanner to query managed switches and routers for information on attached devices. I didn't experiment with this feature, but according to the README:

[T]o do this you'll need to give RogueScanner the SNMP/SSH/telnet credentials to your infrastructure devices in order for it to be able to connect to them. Each switch or router configuration is specified in a YAML file and placed in the directory you specified with the switch_dir option in your configuration file.

Conclusion

I can think of a couple of ways to make RogueScanner even more useful. For one, how about a configuration file that identifies authorized devices and sends an alarm when it detects unauthorized devices? But even without such bells and whistles, RogueScanner is a useful tool not only for folks like me with only a home LAN to be concerned about, but for network admins in a corporate environment as well.
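The authorized-device alarm the author asks for can be approximated outside the tool by diffing `device list` output against an inventory. The Python below is an added example, not part of the article or of RogueScanner: it parses lines in the `ip (mac) vendor` shape shown earlier (the first four sample lines are the article's; the fifth is constructed), compares them against a constructed inventory keyed by MAC address, and reports unknown devices, authorized devices seen at an unexpected address, an authorized address held by a different MAC, and inventory entries that were not observed at all.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Lines in the shape of RogueScanner's `device list` output. The first four
# are the article's; the fifth is a constructed unknown device.
SAMPLE_DEVICE_LIST = """\
192.168.1.1 (00:0F:66:49:9A:AF) Linksys WAG54G
192.168.1.104 (00:13:D3:EB:4B:F3) Micro-Star
192.168.1.102 (00:0C:F1:28:DE:C9) Intel
192.168.1.120 (00:11:85:8D:01:FB) Hewlett-Packard
192.168.1.133 (00:1A:2B:3C:4D:5E) Unknown
"""

# Constructed authorized inventory: MAC -> (expected IP, label).
AUTHORIZED: Dict[str, Tuple[str, str]] = {
    "00:0F:66:49:9A:AF": ("192.168.1.1", "Linksys router"),
    "00:11:85:8D:01:FB": ("192.168.1.120", "HP wireless printer"),
    "00:0C:F1:28:DE:C9": ("192.168.1.102", "laptop (Wi-Fi)"),
    "00:13:D3:EB:4B:F3": ("192.168.1.104", "second desktop"),
}

DEVICE_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"\((?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\)\s*"
    r"(?P<vendor>.*?)\s*$"
)


@dataclass
class Device:
    ip: str
    mac: str
    vendor: str


def parse_device_list(text: str) -> List[Device]:
    """Parse `device list` lines; MACs are normalised to upper case so they
    compare equal to inventory entries regardless of how they were typed."""
    devices: List[Device] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = DEVICE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised device line {line!r}")
        devices.append(Device(m["ip"], m["mac"].upper(), m["vendor"]))
    return devices


Finding = Tuple[str, str, str]  # (severity, kind, detail)


def audit(devices: List[Device], authorized: Dict[str, Tuple[str, str]]) -> List[Finding]:
    """Compare observed devices with the inventory; alarms first."""
    findings: List[Finding] = []
    seen_macs = {d.mac for d in devices}
    for d in devices:
        if d.mac not in authorized:
            findings.append(("alarm", "unauthorized_device",
                             f"{d.ip} ({d.mac}) {d.vendor} is not in the inventory"))
            continue
        expected_ip, label = authorized[d.mac]
        if d.ip != expected_ip:  # may be DHCP churn, so a warning rather than an alarm
            findings.append(("warn", "unexpected_address",
                             f"{label} ({d.mac}) seen at {d.ip}, expected {expected_ip}"))
    # An authorized address answered by a different MAC is worth its own line,
    # even when the holder is already flagged as unauthorized.
    for mac, (ip, label) in authorized.items():
        for other in {d.mac for d in devices if d.ip == ip} - {mac}:
            findings.append(("alarm", "address_conflict",
                             f"{ip} ({label}) is held by {other}, inventory expects {mac}"))
        if mac not in seen_macs:
            findings.append(("info", "not_seen",
                             f"{label} ({mac}) expected at {ip} was not observed"))
    order = {"alarm": 0, "warn": 1, "info": 2}
    findings.sort(key=lambda f: order[f[0]])
    return findings


if __name__ == "__main__":
    for severity, kind, detail in audit(parse_device_list(SAMPLE_DEVICE_LIST), AUTHORIZED):
        print(f"[{severity}] {kind}: {detail}")
```

Feeding the real `device list` output into `parse_device_list` and keeping the inventory in version control turns each scan into a simple allowlist check; the `not_seen` entries are informational because a powered-off laptop is normal, while an unknown MAC or an address conflict is what should page someone.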

Category:

  • Security