Access Point Management Utilities
Although access point manufacturers usually provide the necessary configuration utilities, or, more likely, the access point has an easy-to-use configuration interface accessible via an ordinary Web browser, there are some utilities that can come in handy while auditing access point security.
Our favorite set of such tools is Wireless Access Point Utilities for UNIX (ap-utils) by Roman Festchook, which allows both configuration and monitoring of access points from a UNIX machine via the SNMP protocol. Ap-utils supports most Atmel chipset-based access points with the ATMEL Private MIB. No Wires Needed APs (IEEE 802.11 MIB and NWN DOT11EXT MIB) are also supported. The list of access points supported by ap-utils is included in the utilities' README file and is quite extensive, including common access points produced by Linksys, Netgear, and D-Link. All you need to do is launch ap-config, enter the IP address of an access point, and know (or guess) the appropriate SNMP community. Ap-config allows you to undertake a huge range of activities, ranging from searching for connected access points to enabling or disabling antennas, in addition to the following:
Hide ESSID in broadcast messages
Enable device test mode
Get information about the AP software and hardware
Dynamically update Ethernet and wireless ports statistics
List associated stations and visible APs (with an option to save MAC addresses of currently associated stations to a file)
Execute other supported commands on the AP
It can save you a lot of time otherwise spent with snmpget, snmpset, and company (besides, the Net-SNMP utilities do not provide a friendly ncurses-based interface). Apart from ap-config, ap-utils includes ap-mrtg and ap-trapd. Ap-mrtg gets statistics from ATMEL-based access points and returns the output in the Multi Router Traffic Grapher (MRTG) format. Ap-mrtg can get and show Ethernet statistics in bytes, WLAN statistics in packets, the number of associated hosts, and link quality and signal strength statistics from the AP in client mode. Although these parameters are not directly security related, they can be helpful in determining the general WLAN health and baselining WLAN traffic, which helps in detecting anomalies on your network, DoS attacks, or bandwidth theft. Ap-mrtg includes the following options:
arhontus:~# ap-mrtg -h
Usage:
ap-mrtg -i ip -c community -t type [-b bssid] [-v] [-h] [-r]
Get stats from AP and return it in MRTG parsable format:
-i ip - AP ip address
-c community - SNMP community string
-t type - statistics type <w>ireless, <e>thernet, associated <s>tations or <l>ink
quality in client mode
-b bssid - mac address of the AP to which get link quality, only if type=l
-v - report MRTG about problems connecting to AP
-r - reset AP when getting LinkQuality stats
-h - print this help screen
Ap-trapd is a daemon to receive, parse, and log SNMP trap messages from access points. It interfaces with syslog (logging level 0) and can log the following common SNMP traps:
Trap Reassociation:
This trap message is sent when a station reassociation request is received from an access point.
Trap Association:
This indicates the reception of an association request packet and the sender station's successful association with the access point.
Trap Disassociation:
This trap message is sent when a disassociation notification packet is received from a station.
Trap Reset:
This trap message is sent when an access point resets.
Trap Setting IP Address with Ping:
This trap message is sent when the access point IP address is set with the transmission of a ping message.
Trap Start Up:
This trap message is sent when the access point starts up.
Trap Failed to Erase Flash:
This trap message is sent when an access point failed to erase flash.
Some of these traps provide security-relevant information, for example, Trap Setting IP Address with Ping and Trap Disassociation. Ap-trapd can be run with ap-trapd [ -i device ] [-u user ] options that allow you to specify the device to listen for traps (Linux only) and set an unprivileged user for ap-trapd to run as (the default is "nobody").
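Because ap-trapd hands the traps to syslog, a small log-watching script can turn the security-relevant ones into alerts: any Setting IP Address with Ping trap, and a burst of Disassociation traps within a short window, which is what a disassociation flood against the AP looks like. This is an added example, not part of ap-utils; the syslog line layout, the host name, the station MAC addresses and the sample log itself are constructed for the example and are not ap-trapd's documented output format.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Trap the text singles out as worth an alert on its own.
ALWAYS_ALERT = {"Setting IP Address with Ping"}

# Assumed layout for this example (not ap-trapd's real output):
#   "<Mon dd HH:MM:SS> <host> ap-trapd: Trap <name>[ station <mac>]"
TRAP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ ap-trapd: "
    r"Trap (?P<trap>[A-Za-z ]+?)(?: station (?P<mac>[0-9A-Fa-f:]{17}))?$")

# Constructed sample log: trap names are the ones ap-trapd logs, everything else is made up.
SAMPLE_LOG = """\
Mar 10 12:05:00 arhontus ap-trapd: Trap Disassociation station 00:11:22:33:44:55
Mar 10 12:30:00 arhontus ap-trapd: Trap Setting IP Address with Ping
Mar 10 13:00:00 arhontus ap-trapd: Trap Disassociation station 00:11:22:33:44:55
Mar 10 13:00:02 arhontus ap-trapd: Trap Disassociation station 00:11:22:33:44:66
Mar 10 13:00:04 arhontus ap-trapd: Trap Disassociation station 00:11:22:33:44:77
Mar 10 13:00:05 arhontus ap-trapd: Trap Disassociation station 00:11:22:33:44:88
Mar 10 13:00:07 arhontus ap-trapd: Trap Disassociation station 00:11:22:33:44:99
Mar 10 13:00:08 arhontus ap-trapd: Trap Disassociation station 00:11:22:33:44:aa
"""

def parse_line(line):
    """Return (timestamp string, datetime, trap name, station MAC or None), or None."""
    m = TRAP_RE.match(line)
    if not m:
        return None
    # Syslog stamps carry no year; the fixed default year is fine for time differences.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return m.group("ts"), ts, m.group("trap"), m.group("mac")

def analyze(log_text, burst_count=5, window_seconds=60):
    """Return (timestamp, reason) alerts; one alert per Disassociation burst."""
    alerts, recent = [], deque()  # recent: Disassociation timestamps inside the window
    window = timedelta(seconds=window_seconds)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts_str, ts, trap, _mac = parsed
        if trap in ALWAYS_ALERT:
            alerts.append((ts_str, f"{trap} trap received"))
        if trap == "Disassociation":
            before = len(recent)
            recent.append(ts)
            while ts - recent[0] > window:  # drop traps that fell out of the window
                recent.popleft()
            if before < burst_count <= len(recent):  # threshold crossed on this trap
                alerts.append((ts_str, f"{len(recent)} Disassociation traps within {window_seconds}s"))
    return alerts
```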
Apart from ap-utils, there are several other useful access-point-specific configuration and monitoring utilities. For example, SNR is a Perl tool that collects, stores, and shows SNR changes for Lucent access points using SNMP. You'll need the librrds-perl, libunix-syslog-perl, libappconfig-perl, and libsnmp-perl libraries to install and run SNR. For tweaking Apple AirPort access points there is Airconf, a Python utility that was tested under different flavors of UNIX with Python 2.2 but should also work with Python 2.x on MacOS 9 and Microsoft Windows. To install Airconf, do:
arhontus:~# install -c -m 755 -d airport_aclupdate /usr/local/bin
arhontus:~# install -c -m 600 -d airport.acl /usr/local/etc
arhontus:~# install -c -m 600 -d airport.bases /usr/local/etc
arhontus:~# python setup.py install
arhontus:~# rehash
The major feature of Airconf is configuring the access control lists on several Apple AirPort Base Stations at once. Airconf can also be used to detect Apple AirPort Base Stations (white and graphite) with the python airport_detect.py <broadcast> command, as well as to read, print, and remotely change their configuration (graphite only). Another tool you might want to use for controlling and monitoring Apple AirPort access points is airctl. Before using it, check that the correct address and port number for your AP are set in the airctl preprocessor directive.