CTF Example – Wireless Security

Each of SecureState’s previous Capture the Flag events has included a challenge in which participants were tasked with tracking down a specific wireless access point. There are many examples of the practical applications of being able to accomplish such a task. These include manually verifying potential rogue access points and signal triangulation (which is an entire science in and of itself).

The first step is to make sure we can see the network. The easiest way to accomplish this is to bring up the list of available wireless networks on one’s phone or laptop. The standard options will do for now. There is no need for specific tools just yet.

Figure 1 is just the default read-out from an Android phone. Figure 2 is the standard network list from Windows 7. Both show names and rough signal bars, which is enough to confirm the target network exists.


Figure 1: Android WiFi Read-out


Figure 2: Windows WiFi Read-out
While we could continue to proceed using the standard options, the process will be significantly streamlined if we use a specialty tool.

Wireless Tools

If you have access to an Android phone or tablet, I would recommend WiFiFoFum. This app scans for wireless networks and displays information about each, including network name, encryption type and, most importantly, signal strength. By default the application shows signal strength as the familiar WiFi bars. Your first step after installing the app should be to open the configuration menu and, under RSSI ("Received Signal Strength Indicator"), select "Decibels." It is possible to track access points (APs) with the bars, but they are not very precise: each bar covers a wide range of signal levels, whereas the decibel value changes with every few steps you take. Don't worry about the Near or Radar tabs; they will not help you. Instead, return to the WiFi tab. The app lists wireless networks in order of signal strength and how often each network is seen in successive scans. RSSI is reported in dBm as a negative number, and the closer the value gets to 0 (less negative), the stronger the signal. A stronger signal usually means the distance between you and the AP is shrinking, though walls and reflections can throw off any single reading.

I’ve done some searching, but there doesn’t appear to be a decent WiFi signal strength finder app for stock iOS. It is possible to install WiFiFoFum through the Cydia Store if you have a jailbroken iPhone. The other option is to use a program like NetStumbler for Windows on a standard laptop. In either case, your process will generally be the same.

Walking the Room

The mistake most people make when trying to locate an AP is the bee-line. When tracking down a wireless signal, don't try to walk straight towards the source. A single-point reader (i.e. your phone or tablet) sees only one number at a time, and that number is pushed around by walls, furniture, people and reflections, so heading straight for the strongest reading is not a consistently effective strategy. Instead, start in the corner of a room. Walk slowly along one wall and take mental (or written) notes of the signal strength at multiple points along it. Then do the same for a second wall perpendicular to the first. Treat the resulting picture (mental or otherwise) as a grid: find the point along each wall where the signal was strongest, and the AP should be near where the lines from those two points cross. If only one of the two walls shows a clear peak and the other just keeps getting stronger all the way to one end, the AP is probably past that end, in the next room over.

See the pictures below for some potential scenarios. The first example shows a single room with three long tables. The second scenario depicts a two room setup. Obviously, the real world is rarely this simple. But the basic technique never changes.
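As an added illustration of the two-wall grid walk (this is example code written for this article, not a tool from the original post or from SecureState), the snippet below takes RSSI readings noted along two perpendicular walls, smooths the repeated readings at each spot with a median, picks the peak along each wall and reports where the two peaks cross. It also flags the case the text warns about, where the signal is still climbing when the wall runs out, and applies the -20 dBm "right on top of it" rule of thumb. All the readings, the room dimensions and the AP position are constructed for the example.

```python
"""Grid-walk AP locator: two perpendicular wall walks -> estimated AP position.

Example code for this article; the readings below are constructed, not captured.
"""
from statistics import median
from typing import Dict, List, Sequence, Tuple

NEAR_AP_DBM = -20  # rule of thumb: at about -20 dBm you are standing on top of the AP

# One wall walk is an ordered list of (position_along_wall, readings_in_dBm).
# Several readings per spot are kept because RSSI jitters a few dB from sample to
# sample; the median keeps one reflection or one person walking past from moving the peak.
Walk = Sequence[Tuple[float, Sequence[int]]]


def smooth(walk: Walk) -> List[Tuple[float, float]]:
    """Collapse the repeated readings at each spot to their median."""
    return [(pos, median(readings)) for pos, readings in walk]


def peak(walk: Walk) -> Tuple[float, float, bool]:
    """Strongest spot along one wall.

    Returns (position, rssi_dbm, interior). interior is False when the strongest
    reading sits at either end of the walk: the signal was still climbing when the
    wall ran out, so the AP is probably beyond that end (next room over, or another
    floor) rather than inside this room.
    """
    points = smooth(walk)
    i = max(range(len(points)), key=lambda k: points[k][1])  # first maximum on ties
    interior = 0 < i < len(points) - 1
    return points[i][0], points[i][1], interior


def locate(wall_x: Walk, wall_y: Walk) -> Dict[str, object]:
    """Treat the two walls as grid axes and intersect their peaks."""
    x, rssi_x, interior_x = peak(wall_x)
    y, rssi_y, interior_y = peak(wall_y)
    notes: List[str] = []
    if not interior_x:
        notes.append("peak at the end of the x wall: AP is likely past that end of the room")
    if not interior_y:
        notes.append("peak at the end of the y wall: AP is likely past that end of the room")
    strongest = max(rssi_x, rssi_y)
    return {
        "estimate": (x, y),             # grid coordinates to go and look at
        "strongest_dbm": strongest,
        "on_top": strongest >= NEAR_AP_DBM,
        "notes": notes,
    }


# Constructed sample: a 10 m x 6 m room with the AP on a table near (6, 4).
SOUTH_WALL: Walk = [  # walked west to east along y = 0; position is x in metres
    (0, [-73, -71, -72]), (2, [-67, -66, -65]), (4, [-61, -60, -62]),
    (6, [-56, -54, -55]), (8, [-58, -59, -57]), (10, [-64, -63, -65]),
]
WEST_WALL: Walk = [  # walked south to north along x = 0; position is y in metres
    (0, [-72, -73, -71]), (2, [-68, -69, -67]), (4, [-66, -65, -66]), (6, [-70, -71, -69]),
]
# Constructed sample for the two-room case: the signal keeps rising right up to the east wall.
SOUTH_WALL_NEXT_ROOM: Walk = [
    (0, [-80, -79, -81]), (2, [-75, -76, -74]), (4, [-70, -71, -69]),
    (6, [-66, -65, -67]), (8, [-62, -61, -63]), (10, [-58, -57, -59]),
]

if __name__ == "__main__":
    print("single room :", locate(SOUTH_WALL, WEST_WALL))
    print("two rooms   :", locate(SOUTH_WALL_NEXT_ROOM, WEST_WALL))
```

In the single-room sample the south wall peaks at x = 6 and the west wall at y = 4, so the estimate is the (6, 4) table; in the two-room sample the south wall never peaks before the east wall, so the estimate is flagged and the next step is to walk the adjoining room rather than search this one. Positions can be paces or table numbers instead of metres; only their order matters.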

Figure 3: Tracking Wireless APs (single room, three long tables)

Figure 4: Tracking Wireless APs (two-room setup)

Final Thoughts

Don’t forget to think in three dimensions! If there are multiple floors, the AP may be above or beneath you. When the signal strength reaches about -20 dBm or stronger (closer to zero), you’re likely right on top of the AP! Remember to keep your eyes open and to search by hand as well; the AP could be hidden or out of plain sight! For more information on how signals bounce around, you can refer to an older post of mine on the basics of wireless!



About the author: patchwork. Former military intelligence. Physical security and network penetration testing.