freebsd security - Nov 2007 - testing wireless security

I have been playing around with 3 ath based FreeBSD boxes and seem to 
have got everything going via WPA and a common PSK for 802.11x 
auth.  However, I want to have a bit more certainty about things 
working properly.

What tools do people recommend for sniffing and checking a wireless network ?

In terms of IDS, is there any way to see if people are trying to 
bruteforce the network ?  I see hostap has nice logging, but anything 
beyond that ?

e.g. with a bad psk on the client
  hostapd: ath0: STA 00:0b:6b:2b:bb:69 IEEE 802.1X: unauthorizing port

is there a way to black list MAC addresses, or just allow certain 
ones from even trying ?  IPSEC will be running on top, but I still 
want a decent level of security on the transport layer.


On the client I have

% cat /etc/wpa_supplicant.conf
network={
   ssid="testnet1"
   #
   psk="xxx"
}


% ifconfig ath0
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         inet 2.2.2.9 netmask 0xffffff00 broadcast 2.2.2.255
         ether 00:0b:6b:2b:bb:69
         media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/48Mbps)
         status: associated
         ssid mike1 channel 1 bssid 00:0b:6b:84:3e:76
         authmode WPA privacy ON deftxkey UNDEF TKIP 2:128-bit TKIP 3:128-bit
         txpowmax 49 bmiss 7 protmode CTS burst roaming MANUAL bintval 100


and the host

% ifconfig ath0
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2290
         inet 2.2.2.1 netmask 0xffffff00 broadcast 2.2.2.255
         ether 00:0b:6b:84:3e:76
         media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
         status: associated
         ssid mike1 channel 1 bssid 00:0b:6b:84:3e:76
         authmode WPA privacy MIXED deftxkey 2 TKIP 2:128-bit TKIP 3:128-bit
         txpowmax 39 bmiss 7 protmode CTS burst dtimperiod 1 bintval 100


% cat /etc/hostapd.conf
interface=ath0
driver=bsd
logger_syslog=-1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=0
debug=3
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=testnet1
macaddr_acl=0
auth_algs=1
#### IEEE 802.1X related config ####
ieee8021x=0
#### WPA/IEEE 802.11i config #####
wpa=1
wpa_passphrase=xxx
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP


         ---Mike



--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike

On Monday 19 November 2007 10:43:13 am Mike Tancsa
wrote:
> I have been playing around with 3 ath based FreeBSD boxes and seem to
> have got everything going via WPA and a common PSK for 802.11x
> auth.  However, I want to have a bit more certainty about things
> working properly.
>
> What tools do people recommend for sniffing and checking a wireless network
> ?
>
> In terms of IDS, is there any way to see if people are trying to
> bruteforce the network ?  I see hostap has nice logging, but anything
> beyond that ?
>
> e.g. with a bad psk on the client
>   hostapd: ath0: STA 00:0b:6b:2b:bb:69 IEEE 802.1X: unauthorizing port
>
> is there a way to black list MAC addresses, or just allow certain
> ones from even trying ?  IPSEC will be running on top, but I still
> want a decent level of security on the transport layer.
>
When I looked in to this it seemed that the current state of affairs is that 
WPA can only be broken by brute-forcing the key.  I don't recall if that 
could be done 'off-line' or not.  My memory is that the needed info to 
attempt bruteforcing could be done by simply receiving....no need to attempt 
to associate to the AP was needed.   I'm not really interested in 
disseminating links to tools that can be used to break wireless security, but 
simple google searches will give you the info you need.....and the tools are 
in the ports tree for the most part.

Fortunately WPA allows keys that put even resource-rich attackers in to the 
decade range to bruteforce.

-- 
Thanks,

Josh Paetzel

PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part.
Url :
http://lists.freebsd.org/pipermail/freebsd-security/attachments/20071119/e6a55197/attachment.pgp