If you don’t have Linux skills or convenient access to a laptop with Linux on it, then managing wireless networks has always been rather tricky. That’s because it’s virtually impossible to do many forms of wireless packet capture or packet injection under Windows, due to the way the Windows networking stacks have been designed. Many vital features of standard Linux wireless auditing tools — like Wireshark (formerly Ethereal) and Aircrack-ng — are simply unavailable in the Windows versions.
For Windows-based security auditing then, the choice has between running these limited versions of open source tools, or choosing one of the few proprietary — and pricey — Windows wireless auditing software packages from companies like Walnut Creek, CA-based WildPackets or New Zealand-based TamoSoft.
The good news is that Cace Technologies, a company based in Davis, California, now offers an inexpensive USB wireless device called the AirPcap Tx which unlocks the power of tools like Wireshark , Kismet and Aircrack-ng so that they work under Windows with the same feature set as the Linux versions.
“In terms of functionality, we can cover everything you can do in Linux or BSD, but with the advantage of running in Windows,” says Loris Degioanni, Cace Technology’s chief technology officer. “This is unusual, because normally you can’t get raw (wireless) frames from the Windows kernel,” he says.
Cace has a good pedigree when it comes to open source software – Gerald Combs, the company’s director of open source projects, is the creator of the original Ethereal packet capture and analysis project and now divides his time between the Wireshark project and Cace’s commercial activities.
“In making the AirPcap we have taken advantage of our experience with packet capture drivers,” says Combs. “The architecture we have come up with is pretty different from the standard capture drivers in Windows. In fact we don’t interface with the Windows networking stack at all – we bring a separate driver for our device. This gives us much more freedom in what the adapter does and how. Then we make an open API to interface with Wireshark and Aircrack.”
So the AirPcap lets you sniff wireless packets and capture raw 802.11 frames on Windows using open source tools — something which otherwise can’t be done. Actually, this is not quite true. It can be done using certain wireless cards, but only if you are willing to download and use unsupported and illegally obtained proprietary drivers from the likes of WildPackets. Clearly no ethical corporation would be willing to do this, but since black hat hackers no doubt would, the AirPcap at least puts those responsible for corporate security on an equal footing by enabling them to use the same Windows based tools without having to use illegally obtained drivers. (You could argue that “real” hackers would be using Linux, but Windows based tools undoubtedly appeal to script kiddies and wannabe hackers.)
But the AirPCap has a trick up its sleeve that can’t be performed with standard wireless cards: since most laptops have at least three USB slots, it’s possible to use three AirPCaps simultaneously to monitor three channels – typically the default channels 1, 6 and 11. The data from all the USB devices can then be aggregated into a single stream for analysis by Wireshark or other applications. “Essentially you see all three streams of data as a single capture device,” says Degioanni. “If you don’t do this, your monitoring software has to channel hop, so you only see 30% of the traffic on a given channel.”
Why would you want to monitor three channels at once? “Basic exit point detection is much more reliable without hopping,” he says. “Also, there are things you can only do if you are listening on multiple channels, like troubleshooting roaming difficulties when employees are moving from one wireless network to another.”
There’s one more thing that the AirPcap device can do that makes it very unusual: it allows the creation and injection of arbitrary packets onto a network. Although this is quite easy to do under Linux using patched drivers, in Windows this can otherwise only be done in a very limited way under Windows by stealing closed source drivers and cobbling together a solution – or by using expensive proprietary software packages.
The big question then, is how well does the AirPcap actually work? It’s supplied with versions of Wireshark and the Aircrack suite, and the packet capturing capabilities work well using both Wireshark and Airodump-ng, Aircrack’s packet capture application, capturing packets from various unconnected networks for analysis. Packet injection failed to work using the version of Aircrack’s injection software supplied with the device, but an updated version from Cace worked seamlessly to inject ARP requests, generating responses from an access point at least as fast an Atheros –based wireless card with patched drivers using Linux. The device is also supplied with Cain, a powerful Windows based password cracking and ARP cache poisoning tool much beloved by hackers and very useful for password security auditing purposes. Although the packet injection capabilities of the AirPcap don’t work with Cain, it is still useful for many other purposes including capturing WPA connection authorizations and subjecting them to brute force or dictionary attacks (the only known WPA vulnerability) to test their strengths.
Overall, what you get in the AirPcap TX is a $298 USB device which is ideal for wireless auditing on the Windows platform using open source wireless security tools. It’s certainly true that you can use the same tools under Linux with no financial outlay at all using standard wireless networking hardware, but for anyone responsible for wireless security who is unwilling or unable to use Linux, the AirPcap means that it’s now perfectly viable to use Windows instead.