Connection
namurt
12-26-2005, 04:02 PM
Hello,
I am wondering how one actually makes the connection from a Wi-Fi NIC to a Wi-Fi DSL/Cable Router. Is this connection done through sockets? Here is what I assume happens:
1. BSSID scanned
2. SSID found
3. Default Gateway found
4. Socket to gateway
5. Request for IP from DHCP
6. Linked
Also, does all traffic go through port 80 by default? I am trying to add a scan and connect feature to the Wi-Fi monitor I am building, so I will certainly appreciate the lesson. Thanks in advance.
M/Q
12-26-2005, 07:22 PM
No offense, but I find it rather amazing that you are asking these sorts of questions and are in the process of writing an application that deals with 802.11.
I have read this tutorial several times and I would think it would be appropriate that you take the time to read this watered down version of the 802.11 protocol. I suspect you will have a much better understanding afterwards.
http://www.sss-mag.com/pdf/802_11tut.pdf
namurt
12-26-2005, 11:54 PM
None taken. I am pounding through it as I learn the technology. I get what I already know out of the way and worry about what I don't as I progress through the development. It is all done with API and WMI, which makes the development of tools quite simple, so it doesn't take very long to write the code once you understand why.
I will check out your link, thanks much.
You should probably add a section for 802.11 programming. It would give people a chance to get under the hood and learn how to write tools and scripts for security or whatever. Could be useful, I think.
Anyway, thanks again.
namurt
12-27-2005, 01:07 PM
@ M/Q: I read the PDF and it really explains a lot. I also read the Security tutorial you have but need to read it again. I have a question: if you enum the infrastructure mode and see ad-hoc, is it proper to assume you are looking at an adapter, and if you see infrastructure, you are looking at a router? Correct me if I am wrong, but ad-hoc means open access with no authentication and an adapter can not be set any other way, right? So, if that is true, then isn't it fair to say that if you enum the auth mode and see ad-hoc, you are looking at a rogue member of the network or weak link, etc?
I am only basing this theory on knowing that I can reach the Internet through another PC with a wireless NIC. Though they still have a DSL router they are going through, my access is through them like a proxy, I think.
I think I should just PM my questions because I am sure I sound ridiculous. Laugh at me if it helps me learn. ;)
You need to start using correct terminology, as it will help you be more clear when asking questions. This is getting a bit technical, so you need to use something other than router, as a router has nothing to do with wireless. The controlling wireless devices are access points. I think we went over this a bit before: wireless routers have a controlling access point in them. It would be best to use the term controlling wireless device, as there is even a controlling wireless device in ad hoc connections.
There are also the three A's that you need to think about to understand the wifi management concept: Authentication, Association and Administration. This link talks about this process, and even though it is aimed at infrastructure, the same initial steps take place during an ad hoc handshake.
The last one, Administration, just refers to the housekeeping work done by the controlling wireless device so that only one device is sending at any given time.
This next link will give you an idea as to what kind of information is sent between nodes during this portion of the connection.
As for your comment about when you enum the auth mode you can tell if it is ad hoc or not. I am not sure about that. I would have to run a few tests to see what the packets look like. No matter if it is ad hoc or infrastructure there is active or passive scanning going on. That is how a radio determines whether there is a controlling wireless device within its range. Whether that be the access point or the controlling radio device of an ad hoc network.
You are correct in that an ad hoc connection teamed up with, let's say, MS ICS or any proxy software on the controlling computer will allow the radio associated with that particular computer to have access to the next upstream network.
These are good questions and fun to deal with. Also, I would like others to jump all over me if I am making a mistake or misleading. I enjoy going back over the packet level technology, as one forgets the details otherwise.
namurt
12-27-2005, 05:51 PM
Thanks for the guides, those were what I was looking for. I have also recently found information about IP Helper API on MSDN and that should get me off this plateau.
Yeah, the ad-hoc thing is where I was stating that one could determine a non-AP. Like a rogue member of the network, already associated. Not the other way around, but I am probably wrong. ;)
I re-read the security guide you have and in one paragraph it tells you what to do, which is to scan gray channels plus the 220 available channels for various problems. I assume this would be against your own network and not like a probe of another, correct? You're only detecting intruders as they intrude, not before, right? I mean, the monitoring of channels is not to identify off-region clients. What I mean by off-region clients is users outside the network scanning for available APs and then attempting to associate, like war drivers would.
Thanks again.
M/Q
12-27-2005, 06:41 PM
If possible and without remotely interfering with your application, is it possible to expand on all of the features/parameters it will have. That might be helpful to us, in regards to already existing code or maybe a really poor coder hopefully injecting some ideas that would be helpful. Just a thought also, I sincerely hope that you are already working diligently on how it will port to OS X.
I love that security guide. I truly must be anal, as every time I read it I take away more information. You better watch out, as my next step is to introduce you to the RFCs and that is where it gets really good.
I seem to gather that your application is leaning towards recognizing rogue wireless devices. That is a rather complicated process. Right now there are only two real ways to accomplish that. One is to have a wireless switch or gateway control all of the APs. Then through software they are aware of any unauthorized wireless devices. The other is to have smart APs, if you will; this is Cisco's approach.
I also suspect that if you monitor all of the available channels you will have issues with networks that are overlapping and not intentionally causing interference and association problems. Just talk to a person living in a townhouse community.
namurt
12-27-2005, 07:56 PM
That is exactly what I want to accomplish: detect rogue malefactors and disassociate or deauthenticate in an automated fashion whilst logging in real time.
There are other ways to detect a rogue, if in theory, at least theoretically possible. For instance, the signal strength could identify a rogue, for poor signals constitute distance. I am also attempting to develop an algorithm to estimate in feet the distance from the AP based on ping and sig strength. So far 0 - 40 equals 1ms, 40 - ? 2ms. If I can get that right, you could determine whether or not the rogue is outside the parameters based on the dimensions of the parameter. Very simple stuff, if my theory is correct, of course.
Sorry, I have never written a thing for Mac, never been a big Mac fan; however, props to the UI.. I love the way the windows hide and the overall design, really fancy. Easy to setup shares and things too, nice OS. However, it will most likely run under Windows NT 4, XP, and 2000 only... I know.. :)
What do you mean by extend the parameters or features, like plug-ins? Probably not. I will certainly add switches for hands free deployment and remote interaction. I was also designing it to be conscious of energy and to adjust accordingly, so that might be nice as well.
I think the main thing is to detect rogues and respond, done by measuring distance via signal strength and the time it takes to ping the rogue and return. Of course the workstation should be near the AP and its distance calculated in 360 degrees; then that setting would need to be set in the conf and referenced as a baseline. That is how it would work, theoretically.
Thanks
M/Q
12-27-2005, 09:35 PM
That is really interesting, but I have to admit that I am afraid your theory is in jeopardy. Your basic axiom that signal strength is based on distance is not by any means verifiable.
I will once again refer back to my many years of amateur radio experience. We have many drills and practical experience that refute that, or at least dispute it to a point where you can not make any kind of realistic relationship between signal strength and distance. Every summer we run what are called Fox Hunts on a number of different frequencies. That is basically where someone hides a transponder and we try to find it. We know the frequency in advance, as that changes the methodology. And microwave frequencies (aka 2.4 GHz) cause us to really approach the hunt differently.
Just for instance, one must remember that 2.4 GHz is, as I mentioned, a microwave frequency. And in reality, if your application and hardware is sensitive enough, you will get spurious interference from a poorly made kitchen microwave.
But, I digress, so let's say you have your computer and application running and there is a tree between you and the source. Your application would read that source as being exponentially further than in real life, and the only reason is that the water in the tree is absorbing much of the radiated energy.
There are a few apps out there already that are trying to use signal strength as a location indicator and they fail miserably. I will once again refer to my fox hunting experience and say that at microwave frequencies you need at least one partner and you use triangulation as the method of location and therefore obtain the straight line distance to the source. You may want to check out the cell phone mandate to be able to locate any cell phone within a specified time and accuracy. It has to do with E911 hopefully and not being able to track all of us.
I mentioned before that there are applications and devices in existence right now that eliminate any chance of rogue APs or wireless devices. Blue Socket and Trapeze are companies that are dealing with this technology today.
namurt
12-27-2005, 09:59 PM
Haha, I have heard of those. Some even hunt down people who abuse the channels. That sounds like a lot of good fun; I need to get a HAM radio. Don't you have to have an operator's license or something?
So you use a triangular pattern to detect. I was thinking more of a grid type structure. It would be much easier to denote distance that way. No, not just signal strength; signal strength fires the payload. The determining factor is the ping return. Like the way NASA determines the distance of planets and stars by bouncing a radio wave off the mass and then timing how long it takes to return.
Though determining the true distance would be ideal for GPS locators, this application is more concerned with the time it takes to respond to a ping. By determining the distance the rogue is from the AP via ping, you can determine if the device is outside the parameter, perhaps ad-hocing a clumsy employee eating lunch in the cafeteria or playing on a personal laptop in the office. In an infrastructure mode, authentication takes place, so the hacker will look to associate to a weak link, which is always the human operator.
Now if we assume the rogue is located within the parameter, then a scan of the channels would be ideal, as is the case once associated. The point is to catch them BEFORE they enter. It is astounding how many stores and houses are wide open. Walmart and LongHorn both wide open w/o WEP; drive through a rural area and you will find tons of wide open APs. A lot of this is due to the sharing of resources like the Internet and uninformed users, namely home based users just trying to provide the same access to their children, etc. I think detecting them outside the parameter is ideal because they will then know when they are being infiltrated and can allow the automation to proceed and log the event in real time, thus preventing unwelcome access to their network resources.
You almost have to build hardware to accomplish all of this, but I will continue to try... ;)
Thanks
M/Q
12-28-2005, 09:54 AM
I still think you are giving too much credence to variable information. Ping returns are not sacred at all for developing distance relationships. Your example of the satellite probes was a good one, but you must also realize that the significance of timing errors is on a much different scale. If the actual distance is a few miles off, it does not matter. But in your case microseconds of difference will mean a much more influential plus or minus to the developed distance.
Also, you may have to think about rogue devices a bit differently. I am a security consultant on the side and one of my favorite pen tests is to set up a rogue AP in the wiring closet of the company and sit in my car and have fun. Your methodology does not account for that, if I understand it correctly. Also there are other methods that I employ to basically become an existing AP by overpowering the existing one.
Also using a multi band device will have to be considered before your application will have any merit with the IT world. I use that methodology quite often as well.
I also wanted to mention that triangulation has nothing to do with distance; it is just a bearing and GPS location. From that information, our programs can determine the location of the device without concern for signal strength. That is the method I use when I am trying to locate a suspected rogue device.
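The two posts above argue that neither ping round-trip time nor signal strength can place a radio inside or outside a perimeter with useful accuracy. The following is an added example, not code from this thread or any tool discussed in it, that puts numbers on both claims; it assumes a free-space path-loss model at 2.4 GHz and a constructed obstacle loss of 10 dB for the tree.

```python
"""Quantify why ping RTT and RSSI are poor distance estimators (added example)."""
import math

C = 299_792_458.0      # speed of light, m/s
FT_PER_M = 3.28084
FREQ_HZ = 2.4e9        # 802.11b/g band discussed in the thread


def propagation_rtt_us(distance_ft: float) -> float:
    """Round-trip time of the radio signal alone, in microseconds.
    Everything else in a ping (driver, CSMA backoff, host scheduling) is added
    on top of this and is orders of magnitude larger."""
    meters = distance_ft / FT_PER_M
    return 2 * meters / C * 1e6


def distance_ft_from_rtt_error(rtt_error_s: float) -> float:
    """Distance (ft) that an RTT jitter of rtt_error_s seconds is mistaken for.
    A 1 ms timer granularity maps to roughly 93 miles of apparent distance."""
    return rtt_error_s * C / 2 * FT_PER_M


def fspl_db(distance_m: float, freq_hz: float = FREQ_HZ) -> float:
    """Free-space path loss in dB: 20log10(d) + 20log10(f) + 20log10(4*pi/c).
    The last term evaluates to -147.55 dB for d in metres and f in Hz."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_hz) - 147.55


def distance_m_from_fspl(loss_db: float, freq_hz: float = FREQ_HZ) -> float:
    """Invert fspl_db: the distance an RSSI-based locator would infer
    from a measured loss, assuming nothing but free space in between."""
    return 10 ** ((loss_db - 20 * math.log10(freq_hz) + 147.55) / 20)


def rssi_distance_inflation(obstacle_loss_db: float) -> float:
    """Factor by which an obstacle absorbing obstacle_loss_db (e.g. a tree)
    inflates the inferred distance. It does not depend on the true distance,
    so the error cannot be calibrated away with a baseline measurement."""
    return 10 ** (obstacle_loss_db / 20)


if __name__ == "__main__":
    print(f"radio RTT for 40 ft: {propagation_rtt_us(40):.3f} us")
    print(f"distance implied by 1 ms of jitter: "
          f"{distance_ft_from_rtt_error(1e-3):,.0f} ft")
    true_d = 15.0   # constructed: a rogue 15 m away
    seen = distance_m_from_fspl(fspl_db(true_d) + 10.0)   # constructed 10 dB tree
    print(f"15 m behind a 10 dB obstacle looks like {seen:.1f} m "
          f"({rssi_distance_inflation(10.0):.2f}x)")
```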
namurt
12-28-2005, 02:41 PM
The working prototype is off by at most 40 feet right now. Plus, I know that was just an example, but how often are you going to have access to the company's closet, have time to hook up an AP, and then be dumb enough to sit outside the building and wreak havoc? If you are talking about session hijacking by spoofing a legit AP, then that would be outside the scope of this project, I think. If you came from a good distance, the APDC would know by the extremely long ping return time and may prevent that, I don't know. Really, the point is to detect people outside your home or office trying to gain access to your network BEFORE they do. With high-power antennas, spread-spectrum, etc., the World will have to duck and cover until a law passes allowing administrators the right to just use deadly force, run right out in the hills and start shooting. That would solve the rest. And, I bet those individuals would think twice next time, but this is not a Walgreens World and we must continue to play cat and mouse; fine, we can do that too.. haha :)
All jokes aside, there is a lot to think about, and with such a broad subject I think it is best to focus on what is available to the common skiddie, realise he is not MacGyver and that this is not Hollywood, and know that the solution is out there and is always very simple. I think the distance test using ping is promising; the results are the exact same every time. So, I think it is worth continuing experimentation in that direction, at least until I know that it will fail in all instances, not just a few crazy ones.
This is only freeware soft my friends and I build together and release, so it may not be perfect, but it should save a few people from getting raped by their thirteen year old neighbor, wirelessly.
namurt
12-28-2005, 03:55 PM
Well, I must admit that after testing the APDC application, I have just discovered one way not to detect wireless bandits. However, it appears that I was correct about one thing: you would have to build hardware to do this. I read an article about MIT deploying a tracking system which provides the staff a visual map of the campus. Did you see Harry Potter? Not sure which one, but the one where he found a map where you could see the footsteps of everyone on campus. It is just like that, but real. They use transmitters to cross-check the location of the call. Like you said, they triangulate the position. But you need multiple transmitters to pull this off, or that is what I took from the article.
Hmmm.. back to the drawing board.
M/Q
12-28-2005, 04:34 PM
Well, I guess us old fart Hams still have a thing or two. Just been there and done that on many of these RF technologies. We had an email system set up almost 10 years before the Internet even existed. It is called packet radio and is still going strong. The whole infrastructure could disappear and we would still be able to communicate and send data. Very cool stuff.
As for the MIT program this link talks about it, as it is quite fascinating.
http://web.mit.edu/newsoffice/2005/ispots.html
namurt
12-28-2005, 07:30 PM
I think it is pretty unique. I mean, who wouldn't want something like that to work with? I think it is pretty crazy how they have it like an interactive map and each node is a bleep on the screen. I wonder if this only applies to the campus parameter or if this actually expands to the surrounding areas as well. Maybe they have the ability to also detect incoming calls from the outside, I don't know. I have run through so many ideas. Now I am stuck with a replacement app for wzc,.. woo hoo.
Maybe I will make it into an assessment tool, typically how things work when nothing useful can come from the initial concept. It either goes in the bin or turns grey. Like magic.
namurt
12-28-2005, 07:47 PM
For the sake of not steering anyone wrong, the MIT iSpot tracking system is not as sophisticated as I initially stated above. It doesn't follow each individual node but counts the number of connected users to each wireless hotspot every 15 minutes and then projects the results like this:
http://ispots.mit.edu/images/intensity.jpg
Still, really awesome!
wi-fiplanet.com
Copyright Internet.com Inc., All Rights Reserved.