NarkNet

Nark [verb] slang - to serve or behave as a spy or informer
Net [noun] a computer network
Contact FAQ About Home W-Fi Channels
± Where can I get a copy of the NarkNet presentation slides?

You can get a copy of the NarkNet presentation slides here on my Georgia Institute of Technology College of Computing home page.

± Why do you use the ip and iw commands in the NarkNet presentation?

When people read the NarkNet presentation they notice that the demonstration uses the ip and iw commands rather than the traditional ifconfig and iwconfig commands. This is because the net-tools suite has been deprecated and superseded by the iproute2 suite.

Here are some articles I found helpful in learning how to use the iproute2 suite tools.

Deprecated Linux networking commands and their replacements Doug Vitale Tech Blog

IPROUTE2 Utility Suite Howto

ip(8) man page

IP Command Reference

Linux and Unix ip command and examples

iw Documentation

iw(8) man page

Linux Advanced Routing & Traffic Control Howto

Wireless network configuration

Wireless Operating Modes

± Shouldn't it be spelled narc?

Nark is from the 1850s and means to serve or behave as a spy or informer. Narc is short for narcotics agent and came into use in the 1960s. Given what NarkNet does I felt Nark fas a better fit. I sifted through hundreds of potential names before choosing NarkNet. I want to thank all my friends, family, and the members of DC404 (the local Atlanta DEF CON chapter) who suffered through the process of choosing a name.

± Why did you create NarkNet?

NarkNet is the most effective tool I have found for convincing people they need to change their online computing habits. I have been providing security training for many years and noticed that most people don’t change their computing habits despite what appears to be compelling and clearly articulated reasons.

An attendee of the 2009 Electronic Frontier Forums track at Dragon Con saw my demonstration of wireless network surveillance and asked me to do the demonstration at the 2010 Georgia Education Technology Fair (GaETF). GaETF attendees consist of grades 3-12 teachers, students, and their parents. I was surprised by the level of interest and the number of requests by attendees for instructions on how to protect themselves online.

In October 2010 Eric Butler released the sidejacking tool Firesheep which resulted in a media firestorm. The media’s response to Firesheep seemed unusual given that the problem illuminated by Firesheep has been around since 1994 and there were numerous other tools that had been released prior to Firesheep with similar functionality.

I wanted to know why people were reacting the same way to my wireless network surveillance demonstration as they had to Firesheep.

I found the answer in the paper “Folk Models of Home Computer Security” by Professor Rick Wash of the Michigan State University Behavior Information Technology Lab.

Professor Wash’s paper shows that people have a folk model they use to determine if new information applies to them. This means that people receiving compelling and clearly articulated reasons for changing their information security habits erroneously reject the message not because they don’t understand what they are being told, they dismiss the information because their folk model tells them it is not applicable to their circumstances. This is when I realized why Firesheep received the media response it did. Firesheep, unlike its predecessors, was so simple to use that the media and general public said, “I could even use this”. Firsheep had successfully bypassed people's broken information security folk model and they believed it applied to them. This was the same response I was getting to my wireless network security demonstration. People believed that the threat applied to them and they wanted to know how to protect themselves, NarkNet was born.

The original demonstration required a physical network connection to the wireless network access point up link. I felt the NarkNet demonstration would be even more powerful if it could all be done passively with off-the-shelf software without requiring a physical network connection. After a bit of research I discovered that not only was passive wireless network interception possible with free off-the-shelf software but the capability had been around for many years, this lead to NarkNet in its current incarnation.

± Does NarkNet use any custom software?

No custom software is used to passively intercept wireless network traffic. I use a custom PHP script to format the captured data and display it within a web browser but the script is not required to capture data. If you can download a Kali Linux ISO image and burn it to DVD , have a Linux compatible computer, and wireless network adapter that supports monitor mode, you can do the same passive wireless network interception as NarkNet.

± Can wireless network interception be done using Windows or OS X?

airtun-ng from the aircrack-ng tool suite is required to do real time passive wireless network interception. aircrack-ng does not officially support any versions of Windows however it can be compiled from source. OS X is supported but also requires compilation from source. Kali Linux is a live DVD that already has the aircrack-ng tools installed making it possible to boot a Windows or OS X based system from the DVD without having to install any software or make changes to the installed hard drive.

± Why use Kali Linux?

Kali Linux is a popular free penetration testing live DVD based on Debian Linux that comes with all the tools necessary to do wireless network interception and analysis already installed. You can use any distribution of Linux as long as it comes with the necessary tools or you’re willing to install the tools yourself.

± Why is it necessary to use airtun-ng?

When you place a wireless network adapter in monitor mode the packets received still have radiotap headers. Most of the automated tools used for analyzing network traffic are designed to work with Ethernet packets and don’t know how deal with radiotap headers. Wireshark is an open source network sniffing tool that understand radiotap headers but it is cumbersome to use when doing bulk analysis of wireless network traffic. airtun-ng from the aircrack-ng tool suite will take the packet stream from the monitor port, strip the radiotap headers, and create another network interface with just the Ethernet packets which allows you to use all the automated tools to analyzing wireless network traffic in real time.

± What is a radiotap header?

The information to be transmitted over a network between computers is split up and put in packets. An Ethernet header is attached to each packet and is used by the TCP/IP stack to manage the communications between computers. This is similar to how an address label on a letter is used by the Post Office to manage the delivery of a letter between people. When Ethernet packets are sent of over a wireless network a radiotap header is added to each packet to allow for management of the communication between wireless network devices. When a wireless device is ready to put a packet back on the wired network the wireless device strips the radiotap header and puts the packet with its Ethernet header on the wired network for delivery.

± Is there any way to detect the use of NarkNet?

When NarkNet is setup properly no wireless network traffic is transmitted so it is not possible to detect that NarkNet is intercepting traffic. However, using the information gathered by NarkNet to gain unauthorized access to systems or for sidejacking of social media sites is illegal and will require the transmission of packets over a wired or wireless network and would there for be detectable.

± Will NarkNet work with any wireless network adapter?

You will need a network adapter capable of monitor mode that is compatible with the type of network you are trying to intercept. As an example you can’t use an 802.11g adapter to capture 802.11a traffic. You will also require an operating system and network adapter drivers that support monitor mode. I recommend using a Linux compatible network adapter and Kali Linux .

± Is it possible to capture all the traffic for a given wireless network channel and not just a single wireless access point?

Yes, the monitor port will output the wireless traffic to and from all the wireless access points set to the same channel as the monitor port. You can then use airtun-ng to create a tunnel port for each access point you want to monitor.

± Is it possible to capture traffic for more than one network channel at a time?

Yes, you will need a wireless network adapter for each channel you want to receive.

± Is it legal to intercept wireless network traffic?

I am only going to cover United States law so this will not apply to other countries.

There is an exemption in the Wiretap Act regarding the reception of publicly accessible radio transmissions. Wi-Fi uses an unlicensed radio band so it has long been held that interception of Wi-Fi signals falls under the Wiretap act public radio transmission exception. However, the Google Street View case resulted in some courts ruling that Wi-Fi interception is a violation of the Wiretap act and others ruling that it is not a violation. Google has petitioned the Supreme Court of the United States (SCOTUS) to hear their case. SCOTUS denied their petition.

This all means that you may be brought up on Wiretap charges if you intercept Wi-Fi communications and you may be found guilty depending on which court in which your case is heard.

Using any of the information you intercept from Wi-Fi is a violation of United States Federal law and many U.S. State laws. This includes just logging in and/or taking control of (sidejacking) another persons account.

If you want to demonstrate passive Wi-Fi surveillance I recommend you used your own wireless access point, wireless clients, and Internet services accounts.

± By publishing NarkNet aren'ít you making the problem worse by showing the bad guys how to do it?

I did not invent the software that makes NarkNet possible. The bad guys already have the tools and know how to use them. Tutorials on interception of wireless network traffic have long been available for anyone willing to do a Google search. The question you should ask yourself is, what can you do to protect yourself from the bad guys despite them having tools like this?

± Wouldn't using encrypted Wi-Fi or a VPN protect my traffic?

The short answer is no. To protect your network traffic as much as possible (more about what that means later) you need to encrypt your traffic from end-to-end , from your computer all the way to the server .

Here's the long answer:

The premise behind encrypted Wi-Fi is flawed and is reflected in the initial Wi-Fi encryption method, Wired Equivalent Privacy ( WEP ). The designers believed that your traffic was safe on a wired network because the cables and equipment making up the network were protected from intruders .

We now know that government agencies like the NSA , GCHQ , and BND routinely capture and analyze Internet backbone traffic ( examples ). The only way to prevent wholesale data collection is to encrypt your network traffic from end-to-end.

There is no such thing as perfect security but we can make it as secure as is reasonably possible.

End-to-end encryption doesn't guarantee a government agency can't capture your network traffic; it just keeps them from doing it wholesale. With end-to-end encryption the government agency would have to install listening software or devices on the client, on the server, or in the service provider's machine room.

What about using a VPN ?

When you use a VPN your traffic is encrypted from your computer until it exits the VPN end point, from there to the server your data is no longer protected, potentially exposing you to wholesale government data collection. The only solution for this problem is end-to-end encryption.

Is there a valid use for a VPN?

Yes, it changes the origin of your network traffic. The server will see the traffic as originating from the VPN end point instead of your local network. Many of the servers where I work can only be accessed from the local network. The only way I can connect to them when I telecommute is to connect to the local network using the VPN which makes my computer look like it's on the local network.

The VPN also requires that I authenticate which insures that only authorized users can connect to the local network.

You should also be aware that courts have ruled that using a VPN to change the geographic origin of your traffic in order to access content that is region limited is a violation of the Computer Fraud and Abuse Act ( CFAA ).

If we encrypt our traffic from end-to-end, is there any point in encrypting Wi-Fi?

Yes, just not for the reason the original designers intended.

If you are encrypting your network traffic from end-to-end then encrypted Wi-Fi should be used to control who has access to your network.

Encrypting your traffic doesn't prevent attacks against the computers on your local network . Your computer can be compromised through misconfiguration , or a zero day , even if all your software patches are up to date. The best way to minimize attacks against the computers on your local network is to control which computing devices can be connected to your network.

The courts have historically held the registered owner of a network is responsible for all traffic originating from the network; this has been known as the " IP address equal person" rule . This is changing because in April 2011, Judge Harold Baker of the Central District Court of Illinois ruled that an IP address doesn't equal a person. District court rulings are not binding in all districts so if someone uses your network to violate the law you can still be held liable depending on which court hears your case.

There are many cases of people with an open Wi-Fi network being arrested and eventually cleared when the police realized the offending network traffic originated from a third party ( examples ). The key point is that the innocent network owner was arrested and charged , all their computer equipment was seized , their arrest and the nature of the charges were made public, and the network owner had to pay for legal expenses . You never know what they may find on your computers.

OK, so what does all this mean?

To protect your network traffic, encrypt it from end-to-end even if you are using a VPN. Encrypt your Wi-Fi network to protect the computers and devices on your network and to protect yourself from liability from third party network traffic.