Foil Wireless Poachers and Have Fun Doing It
A lot of folks have an unhealthily casual attitude towards securing their wireless networks. "Oh, it's nice to share" some say. Others think "I have nothing to interest a cracker, so why bother?" Both attitudes are inviting trouble. There is nothing to be gained from leaving your systems open to be used as warez, porn or mp3 servers, or Borged into a spam botnet. Or to find yourself struggling with slow network speeds because some freeloading hog is overloading your bandwidth.
It is nice to share, and it is wise to protect yourself. Smart network admins who really really want to share set up a separate subnet for sharing, securely wall off their LANs from whatever wandering moocher latches on to their signal, and throttle the bandwidth. (See Resources to learn how to do this). Smarter admins, in this era of the MAFIAA, porn cops, and terrorists under every keyboard, don't share at all.
But those are the boring, old-fashioned methods. Today we're going to look at some ways of having a little fun with wireless freeloaders, and how to see who is doing what on your wireless LAN.
"I could encrypt it or I could have fun"
Peter Stevens, brilliant inventor of the Upside-Down-Ternet, kindly published the scripts he uses to torment wireless freeloaders. They invert images, turn images upside down, or re-direct moochers to Kittenwar.com, no matter what URL they try to access. You'll need iptables, Squid, Perl, DHCPD, and ImageMagick to make this brilliantly wicked scheme work.
Mr. Stevens' scripts are easily adaptable–you don't have to be an ace scripting guru to make simple modifications. If you don't like Kittenwar, substitute the IP address of a different site. Like this example that steers your freeloaders to Vegemite.com:
/sbin/iptables -A PREROUTING -s 192.168.0.0/255.255.255.0 -p tcp -j DNAT --to-destination 126.96.36.199
You'll want to use the source subnet and netmask that you have dedicated to sharing with freeloaders. Vegemite.com will educate visitors about this healthy, delightfully smelly, spreadable food thingy. The possibilities with this simple re-direct are endless. You could use your own custom Web page that delivers a warm, personal greeting, or send them to FBI.gov.
Messing with images on Web sites is more subtle, more evil, and more fun. Mr. Stevens shows how to use the mogrify command (which is part of ImageMagick) with the -flip and -blur options to distort the Web sites visited by your poachers. -blur is especially fiendish, because they'll think it's a problem with their eyes, their video cards, their monitors- anything but the real cause.
To make this work, you need to be running Squid as a transparent proxy. Then delete the Kittenwar iptables rule and replace it with a rule that directs poacher traffic to your Squid proxy:
/sbin/iptables -A PREROUTING -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1
Change the --to-destination value for your own proxy server. Some of my favorite mogrify options for this are:
"/usr/bin/mogrify", "-swirl 30"
"/usr/bin/mogrify", "-charcoal 10"
"/usr/bin/mogrify", "-paint 10"
These are all beautiful and artistic, and will impress and amaze. These examples show the correct syntax to use in the
redirection script. To test mogrify on the command line, first make copies of the images you want to alter, because mogrify overwrites them without making backup copies. Then use it like this:
$ mogrify -swirl 30 [imagename]
mogrify -help displays all the dozens of options. For mogrify options that take numerical values, some trial-and-error will find the ones most pleasing to you. For example, -swirl 30 means "twist the image 30 degrees". charcoal takes a radius value, and I have no idea what that means. I just try different values to see what happens.
Some admins think that using frightening SSIDs (service set identifiers) scares freeloaders away. Like FBI_FieldOffice, Honeypot, YouHaveBeenHackedHAHAHA, or Mordor. I think it's silly, but it does no harm as long as your real security is sound. Sometimes psychology is more powerful than technology- proof of this is how I cured my snoopy neighbor of spying on me with binoculars. Every time I spied on him with my binoculars, all I saw was him looking back at me. So I hung up a picture of a giant eyeball with the caption "Hello Neighbor! I C U!" in my window. Haven't had a problem with him since.
Who Is On Your WLAN?
Tips and Tricks for Linux Admins: Discover, Map and Store shows a number of ways to see who is actually using your network. If they have gotten as far as getting an IP address, you can hunt them down and kick them off. Then figure out how they got on in the first place.
The tricky bit with wireless LANs is anyone within range can easily intercept and sniff your packets. They don't need a physical connection to your network, and they don't need any special expensive gear. Wireless sniffing is cheap and easy. Which is why I nag about using encryption and authentication. WPA2 is easy and it works. Don't cry about having to buy new gear; locking the door is a lot cheaper than recovering from an intrusion.
Kismet is the wireless sniffer of choice for ace Linux geeks, because it is undetectable and because it finds everything. Use it to find rogue (not rouge!) access points, rogue users, and to view your site the way an intruder sees it.
There are two ways to use Kismet: on a laptop as you wander around your site, or you can set up a network of Kismet spies that report back to a central server. Kismet is easy to use as long as you have a wireless NIC that supports rfmon, or raw monitoring. Read the Kismet documentation for a list of supported WICs.
Most Linux distributions include Kismet, so it's just a yum install kismet or apt-get install kismet away. Before you fire it up for the first time, you'll need to edit /etc/kismet/kismet.conf. First uncomment this line, and add your user name to it:
Then modify the source= line for your wireless network interface. It needs source=type,interface,name. The Kismet readme has the information you need for the type field in the "Capture Sources" section. So for my Atheros A/B/G it looks like this:
This example monitors the B/G frequencies. The name field is anything you want; in this example it's the hostname of my computer. Now you can open a terminal and run Kismet:
It opens into a ncurses interface. By default it starts in autofit mode. You can't run any commands in this mode, so hit s to change it to something else. Press h at any time to see contextual help window, q exits popups and the current window, capital Q exits Kismet.
Even with just this little bit of fooling around with Kismet you should be both impressed and alarmed at what it finds. Come back next week to learn more excellent ways to use Kismet, and how to boot unwanted users off your network.
- Build a Secure Wireless Portal with Linux
- Build a Linux-Based Single-Board WAP (Part 4)
- Catch (But Don't Release) with Squid Web Proxying
- Linux Advanced Routing & Traffic Control