Security Onion and Wireless


Rhoda Dendron
Feb 7, 2012, 1:48:24 PM
to security-onion
Hi all,

This is most likely a newbie question, but I've looked around and not
quite seen the exact issue I have. Overview: I'm trying to get
Security Onion to sniff my wireless network. I have SO installed on my
Toshiba laptop. Where I'm getting confused is what I need to do in
order to make SO sniff not only my legit wireless traffic, but also
potential malicious traffic, and to "miss" as little as possible. To
do so, I need to:

- set my wireless card to monitor (promiscuous) mode
- set my wireless card to hop the various 802.11g channels

The way to do it, near as I can tell, is as follows:
- iw dev wlan0 interface add mon0 type monitor / ifconfig mon0 up

The problem then becomes that I can't get mon0 to come up in Sguil
setup. Also, I'm not sure if I need to enable airodump-ng or airmon-ng
or kismet or whatever in order to get the card to channel hop (I think
bringing up mon0 does it automatically but can't tell.)

Any ideas would be greatly appreciated. Again, thanks for an awesome
IDS distro!

- "Rhoda Dendron"

Liam Randall
Feb 7, 2012, 10:28:32 PM
to securit...@googlegroups.com
What are you trying to accomplish?

Thoughts:

Unless you are going to dedicate a nice card to each channel you are going to miss data as it hops from channel to channel.

What kinds of attacks are you hoping to detect in this mode?  If you're looking to detect people using aircrack-ng and reaver against your production wireless network, rogue authentications, rogue APs connected to your network, etc. on a production network you may want to look at something like AirTight Networks- they are really slick.

If you'd like to experiment with an open source WIDS you may want to look at Kismet; it can even be run in drone mode using openwrt's.

Thomas (Mister_X) of aircrack-ng fame has recently started another open source WIDS, http://openwids-ng.org/, which at the moment, compiles.  :)

If you are still convinced that you want to proceed sniffing with Security Onion (and I hope you are), I think you'd want to start by just monitoring one channel.  I guess the question here is are you concerned with monitoring for attacks on your network or are you concerned with monitoring an active encrypted wifi network?  You will probably need to do something like this:

These are the basic steps for BackTrack:

# Create your monitor interface
airmon-ng start wlan0 <channel>
# if you want to see networks now you can use "airodump-ng mon0"

# put the interface on a channel
iwconfig wlan0 channel 6
iwconfig mon0 channel 6

I think you'll then be able to sniff on mon0; confirm you can do it first with wireshark / tcpdump

Until you authenticate onto an ssid you're only going to see unencrypted management frames.

If you are going to run with us, let us know how it goes!

Liam

Doug Burks
Feb 8, 2012, 5:58:49 AM
to securit...@googlegroups.com
Great reply, Liam, thanks!

One thing I'll add is that, by default, mon0 would not be exposed in
Setup. Edit /usr/local/bin/setup and change this:
INTERFACES=`cat "/proc/net/dev" | egrep "(eth|bond|wlan|br|ath|bge|fe)[0-9]+"

to this:
INTERFACES=`cat "/proc/net/dev" | egrep "(eth|bond|wlan|br|ath|bge|mon|fe)[0-9]+"

Then try running Setup and see if that helps.

I've created Issue 220 to produce an official update for this:
http://code.google.com/p/security-onion/issues/detail?id=220

If anybody knows of any other interface designations that need to be
added to the list, please add them to Issue 220.

Thanks,
Doug

--
Doug Burks
SANS GSE and Community Instructor
Security Onion | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org
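As an added example (not Doug's code and not the Security Onion setup script itself), the POSIX shell script below shows why mon0 never appears in Setup and applies the one-line change safely. It runs the original and the patched interface-discovery pattern over a constructed stand-in for /proc/net/dev, then patches a constructed copy of the single setup line quoted above (keeping a .bak and refusing to apply the change twice). The regex fragment and the /usr/local/bin/setup path are taken from the post; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of Doug's reply or of the Security Onion setup script.
# Assumptions: the egrep fragment quoted in the thread is what Setup uses to
# discover sensor interfaces, and /usr/local/bin/setup is the file to edit.
set -u

# Interface-discovery pattern as quoted in the thread, before and after the fix.
ORIG_PATTERN='(eth|bond|wlan|br|ath|bge|fe)[0-9]+'
PATCHED_PATTERN='(eth|bond|wlan|br|ath|bge|mon|fe)[0-9]+'

# Constructed stand-in for /proc/net/dev on a laptop that has a monitor
# interface; prints the path of the temporary file it wrote.
make_sample_netdev() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1234      12    0    0    0     0          0         0     1234      12    0    0    0     0       0          0
  eth0:  987654    1000    0    0    0     0          0         0   123456     800    0    0    0     0       0          0
 wlan0:   55555     300    0    0    0     0          0         0    22222     150    0    0    0     0       0          0
  mon0: 8888888   50000    0    0    0     0          0         0        0       0    0    0    0     0       0          0
EOF
    echo "$f"
}

# Mimic Setup's discovery step: which names does a given pattern pull out of
# a /proc/net/dev-style file? Output is a sorted, space-separated list.
detect_interfaces() {
    pattern=$1; devfile=$2
    grep -oE "$pattern" "$devfile" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed stand-in for the one line of /usr/local/bin/setup quoted in the
# thread (only that fragment is reproduced here).
make_sample_setup() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
INTERFACES=`cat "/proc/net/dev" | egrep "(eth|bond|wlan|br|ath|bge|fe)[0-9]+"
EOF
    echo "$f"
}

# Apply Doug's change in place, keep a .bak copy, and be a no-op if already done.
patch_setup() {
    setup=${1:-/usr/local/bin/setup}
    if grep -q 'bge|mon|fe)' "$setup"; then
        echo "$setup already lists mon interfaces" >&2
        return 0
    fi
    grep -q '(eth|bond|wlan|br|ath|bge|fe)' "$setup" || {
        echo "expected pattern not found in $setup" >&2; return 1; }
    sed -i.bak 's/(eth|bond|wlan|br|ath|bge|fe)/(eth|bond|wlan|br|ath|bge|mon|fe)/' "$setup"
}

# Walk through both halves on the constructed samples.
demo() {
    netdev=$(make_sample_netdev); setup=$(make_sample_setup)
    echo "original pattern sees: $(detect_interfaces "$ORIG_PATTERN" "$netdev")"
    echo "patched pattern sees:  $(detect_interfaces "$PATCHED_PATTERN" "$netdev")"
    patch_setup "$setup"
    diff "$setup.bak" "$setup"   # shows the single changed line
    rm -f "$netdev" "$setup" "$setup.bak"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh script.sh demo` to see the two interface lists and the diff; `patch_setup` with no argument operates on the real /usr/local/bin/setup, so run that form as root and re-run Setup afterwards.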

Rhoda Dendron
Feb 8, 2012, 12:06:37 PM
to security-onion
Hi guys,

Thanks for the great suggestions! I'm doing a presentation on wireless
IR next week, so I'll try both OpenWIDS-ng and the config change Doug
listed for one-channel monitoring (I put Kismet and Wireshark on my SO
install so I'll try to confirm that way.) I'm definitely interested in
continuing getting SO and mon0 / kismet etc. to play nice, as the
tools and displays in SO are much nicer than what I can get with
OpenWRT (no offense to that distro, but the people I'm presenting to
are GUI types, and besides my WRT54 currently has Tomato on it.)

I'll have more to report this evening. Again, thanks for your help!

Liam Randall
Feb 8, 2012, 12:30:56 PM
to securit...@googlegroups.com
Rhoda, great to hear!

I asked Mike (dragorn) of kismet about brand recommendations on the drones and he swears by these:

http://www.ubnt.com/bullet

I agree w/ him that lately Linksys hardware / driver quality leaves something to be desired.  Just get something with an Atheros radio; the ath5k/9k modules.

Start a google doc and keep some detailed notes you can share with us all later!

Good luck!

Liam

Rhoda Dendron
Feb 8, 2012, 11:30:26 PM
to security-onion
Well, hmmm.

I was able to put wlan0 in monitor mode and assign it to channel 6.
Mon0 wouldn't let me switch frequencies for some reason, but I
confirmed through tcpdump that it was getting a whole mess of
packets. :)

Applied the suggested changes to the conf file, did nsm_all_del, then
did setup. Mon0 was available so I selected it. However, Sguil won't
trigger on any packets (tried going to testmyids.com and putting a
whole bunch of Cs into a Google search) and snorby, after refusing to
load on localhost:3000 a few times, won't accept the password I set.

I need sleep so I'll stop for now, but I'll keep trying. All of my
notes will go into a doc as requested.

Again, thanks for all the help!

On Feb 8, 5:30 pm, Liam Randall <liam.rand...@gmail.com> wrote:
> Rhoda, great to hear!
>
> I asked Mike (dragorn) of kismet about brand recommendations on the drones
> and he swears by these:
>
> http://www.ubnt.com/bullet
>
> I agree w/ him that lately linksys hardware / driver quality leaves
> something to be desired.  Just get something with an atheros radio; the
> ath5k/9k modules.
>
> Start a google doc and keep some detailed notes you can share with us all
> later!
>
> Good luck!
>
> Liam

Doug Burks
Feb 9, 2012, 6:11:25 AM
to securit...@googlegroups.com
Hi Rhoda,

Replies inline.

On Wed, Feb 8, 2012 at 11:30 PM, Rhoda Dendron <rhoda....@gmail.com> wrote:
> Well, hmmm.
>
> I was able to put wlan0 in monitor mode and assign it to channel 6.
> Mon0 wouldn't let me switch frequencies for some reason, but I
> confirmed through tcpdump that it was getting a whole mess of
> packets. :)
>
> Applied the suggested changes to the conf file, did nsm_all_del, then
> did setup. Mon0 was available so I selected it. However, Sguil won't
> trigger on any packets (tried going to testmyids.com and putting a
> whole bunch of Cs into a Google search) and snorby, after refusing to
> load on localhost:3000 a few times,

Snorby can take a few seconds to start, depending on hardware. What
are your RAM/CPU specs? If the box is overloaded, this could cause
you to drop packets as well and not get any alerts. You said you
selected Mon0 so I assume you chose Advanced Setup? Did you only
select Mon0 or did you select another interface as well? Please send
the output of the following commands:
sudo service nsm status
ps aux |grep snort

> won't accept the password I set.

The only time I've seen this happen is when you don't meet the minimum
password length for Snorby (6 characters). How many characters is
your password?

> I need sleep so I'll stop for now, but I'll keep trying. All of my
> notes will go into a doc as requested.

Thanks for any and all documentation!

Liam Randall
Feb 9, 2012, 6:49:25 AM
to securit...@googlegroups.com
Rhoda,

Replies also inline.

On Wed, Feb 8, 2012 at 11:30 PM, Rhoda Dendron <rhoda....@gmail.com> wrote:
> Well, hmmm.
>
> I was able to put wlan0 in monitor mode and assign it to channel 6.
> Mon0 wouldn't let me switch frequencies for some reason, but I
> confirmed through tcpdump that it was getting a whole mess of
> packets. :)

Are you monitoring an unencrypted network?  If you want to monitor a secured network, you will need to join this interface to that network; otherwise you are just going to see management frames.

> Applied the suggested changes to the conf file, did nsm_all_del, then
> did setup. Mon0 was available so I selected it. However, Sguil won't
> trigger on any packets (tried going to testmyids.com and putting a
> whole bunch of Cs into a Google search) and snorby, after refusing to
> load on localhost:3000 a few times, won't accept the password I set.

Is this a separate box or a VM?  Is mon0 the only interface you are monitoring?  Does the box have any other network connections?  If the request to testmyids does not go out over a monitored interface, it cannot trip an alert.

You could replay a pcap you know will trigger an alert on this interface to confirm that everything is working.  You can use "tcpreplay" to do so:

From sguil you can select an alert from another sensor, export to wireshark, save it out to the wireless Security Onion (WSO?)  then come back and play it on mon0.  This would at least confirm it is going to trip on packets.
 
> I need sleep so I'll stop for now, but I'll keep trying. All of my
> notes will go into a doc as requested.

Awesome. For fun, I have wanted to try this myself.

Liam
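As an added example that is not code from Liam, Doug or the Security Onion project, here is the bring-up and verification sequence discussed in this thread (Liam's monitor-interface steps, the tcpdump confirmation, and Doug's two status commands) as a POSIX shell script. It uses the iw and ip tools instead of airmon-ng/iwconfig, which assumes a mac80211 driver such as ath5k/ath9k that supports `type monitor`. It prints the planned commands, checks that the driver advertises monitor mode, takes the base interface down before tuning (the virtual monitor interface shares one radio with wlan0, so while wlan0 is associated a channel change on mon0 usually fails with "Device or resource busy", which matches the symptom reported above), captures a few frames to prove traffic is arriving, and then runs the sensor status commands. WIFI_MON_RUN, BASE_IF, MON_IF and CHANNEL are variable names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Security Onion.
# Assumption: a mac80211 driver (e.g. ath5k/ath9k) that supports 'type monitor'.
# The hardware steps run only when WIFI_MON_RUN=1 (a variable chosen for this
# example); the helper functions run anywhere and need no radio.
set -u

# 2.4 GHz channel -> centre frequency in MHz. Channel 14 (2484 MHz) breaks the
# 5 MHz spacing and is special-cased; any other invalid input returns 1.
channel_to_freq() {
    ch=$1
    case $ch in ''|*[!0-9]*) return 1 ;; esac
    if [ "$ch" -ge 1 ] && [ "$ch" -le 13 ]; then echo $((2407 + 5 * ch))
    elif [ "$ch" -eq 14 ]; then echo 2484
    else return 1
    fi
}

# Dry run: print the exact commands for base interface, monitor name, channel.
# The base interface goes down first so the radio is free to be retuned.
monitor_plan() {
    base=$1; mon=$2; ch=$3
    freq=$(channel_to_freq "$ch") || return 1
    printf '%s\n' \
        "ip link set $base down" \
        "iw dev $base interface add $mon type monitor" \
        "ip link set $mon up" \
        "iw dev $mon set freq $freq"
}

# Execute the plan, stopping at the first failing step and naming it.
monitor_up() {
    base=$1; mon=$2; ch=$3
    iw list 2>/dev/null | grep -q '^[[:space:]]*\* monitor$' || {
        echo "driver does not advertise monitor mode (see: iw list)" >&2; return 1; }
    monitor_plan "$base" "$mon" "$ch" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || { echo "step failed: $cmd" >&2; exit 1; }
    done || return 1
    iw dev "$mon" info   # expect 'type monitor' and the chosen channel
}

# Capture a handful of frames to a pcap; zero frames means the interface is
# not up, the channel is idle, or monitor mode did not actually take effect.
monitor_check() {
    mon=$1; out=${2:-/tmp/${mon}-check.pcap}
    timeout 15 tcpdump -i "$mon" -c 20 -w "$out" 2>/dev/null
    n=$(tcpdump -r "$out" 2>/dev/null | wc -l | tr -d ' ')
    echo "$n frames captured on $mon ($out)"
    [ "$n" -gt 0 ]
}

# Doug's two status commands for the sensor side of the check.
sensor_status() {
    sudo service nsm status
    ps aux | grep '[s]nort'
}

if [ "${WIFI_MON_RUN:-0}" = 1 ]; then
    monitor_up "${BASE_IF:-wlan0}" "${MON_IF:-mon0}" "${CHANNEL:-6}" &&
        monitor_check "${MON_IF:-mon0}" &&
        sensor_status
fi
```

Two consequences follow from the design. With wlan0 down the laptop has no wireless uplink, so a browser visit to testmyids.com from the same box cannot cross mon0 (Doug's point); generate the test traffic from another client on the monitored channel instead. Liam's tcpreplay idea needs a pcap whose link type matches the interface: a monitor interface carries 802.11 frames with radiotap headers, so an Ethernet capture exported from another sensor will not inject on mon0 as-is.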