AirSnare Users Guide version 0.8
Initial Download and Setup
1) You will need an 802.11b (wireless) network card. If Ethereal works with your network card, AirSnare should work with it too. (AirSnare also works with a wired network card.)
2) The computer that is going to be running AirSnare must be associated with the Access Point. This means the computer's wireless client SSID must be set to the same SSID as the Access Point. (Setting the SSID on the AirSnare computer to ANY has also worked in lab testing.)
3) You must have the WinPcap library installed. If you are running Ethereal (the free sniffer software) you already have it; if not, download it from http://winpcap.polito.it/.
4) Download AirSnare and install it.
5) Start AirSnare. As long as the above is installed you shouldn't get any errors.
What if I get an error?
Run-time error ‘-2147220992 (80040200)’: "Failed to load winpcap packet.dll. Please (re)install the winpcap packet capture libraries."
This is an easy one… Follow step 3 above: download and install the WinPcap libraries.
Run-time error ‘-2147220982 (8004020a)’: Procedure PacketSetHwFilter failed Error Code = 0
This one is not so easy. It means WinPcap could not put your network card into promiscuous mode, which AirSnare needs in order to see traffic that is not addressed to your own machine. In practice the card (or its driver) is not compatible; your only option is to try a different card.
Procedure packetGetAdapterNames failed error
This is an easy error: uninstall every version of WinPcap on your system, then re-install WinPcap via the Start menu link to fix the problem.
AirSnare is running… now what?
The first thing to do is select your adapter from the list of installed adapters in the upper left portion of the AirSnare screen. If several adapters are listed, make sure you select the adapter that is currently connected to the network you want to watch.
Once you have selected your adapter, right-click it and select "Start".
If you get an error at this point it is one of two things:
- You didn't select the right network card in the list of adapters.
- Your network interface card isn't compatible (see the errors above).
So now we're off and running. The AirSnare screen may turn RED as it discovers new unfriendly MAC addresses. We'll assume at this point you haven't edited your Friendly MAC Address list, so you need to populate it with the MAC addresses of ALL the machines on your network. This includes:
- All personal computers on your network (Macs, PCs, etc.)
- All internet connected game consoles (ie: Xbox, PlayStation, etc.)
- Your router's MAC address (there may be several: the WAN port, the LAN port, and the wireless interface if it is also a Wireless Access Point). This information can usually be found on the Status page or other configuration pages of the router.
- Network Printers or Print Server devices
- Any Wireless device (Laptop, iPaq, Tablet PC, etc.)
- Basically any device that connects to the Internet via your router or Access Point.
So, how do we get the MAC addresses of these devices?
For all Network Devices besides computers
On the bottom of most print servers, routers, switches, etc. there is a small label that says "MAC: ************". This is the device's MAC (Media Access Control) address and is specific to that device only. A router or access point with several interfaces usually shows only one of its MACs on the label; the others are on its status pages (see below).
Manually Getting the MAC address.
On a Windows 95, 98 or ME machine go to Start, then Run, then type: winipcfg
Then press Enter. Select your network adapter in the top drop-down list and its MAC address will show up in the Adapter Address field; it will look something like 00-40-85-2D-43-E6. Write the number down carefully and avoid typos.
On a Windows 2000 or XP machine go to Start, then Run, then type: CMD
Then press Enter (or open a Command Prompt window).
Inside the command window type: ipconfig /all and press Enter.
This will display your network adapters. Look for the line that says "Physical Address"; again this will be in the format 00-40-85-2D-43-E6, always 6 groups of 2 hexadecimal digits (0-9 and A-F). A machine with more than one adapter will show more than one Physical Address; record the one for the adapter that actually connects to your network. Write these down carefully to avoid mistakes and enter them carefully to avoid typos.
On your broadband router or wireless access point it will be displayed on one of the status screens. Be aware that there will be multiple MAC addresses for your router: one for the WAN port, one for the LAN port and another for the wireless interface. Traffic captured on the LAN or wireless side carries the LAN or wireless MAC, not the WAN one, but adding all of them does no harm.
On other devices you'll have to dig around to find it. Check the configuration screens, do a Google search on finding the MAC of your device, etc. If you can't find it, you can always connect to the internet from that device and watch the "Unfriendly MAC Watch Window": if you're checking mail from that device you should see =E-Mail=> entries, and if you're surfing the web you should see =WEB=> entries in the window. As long as you're sure that it is YOU causing those entries, you can be reasonably sure that the MAC address listed is the correct one. Do this while nobody else is using the network, so that the entry you are about to trust cannot belong to somebody else's device.
Once you have checked ALL the entries in the Auto_trustedMAC.txt file and are satisfied that you own them all, you can rename the file to trustedMAC.txt and save it.
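Collecting these addresses by hand is where typos creep in. The following Python script, added here as an example and not part of AirSnare, does the two error-prone steps mechanically: it pulls every "Physical Address" out of saved ipconfig /all output (run ipconfig /all > adapters.txt on each Windows 2000/XP machine and copy the file over) and validates and normalizes each MAC into the 00-40-85-2D-43-E6 form before it goes into a list, rejecting anything that is not exactly 12 hex digits. The ipconfig text below is constructed, and the one-MAC-per-line "MAC, tab, description" layout is an assumption of this example; the guide adds entries through AirSnare's "Add to Trusted" dialog and does not document the file format.

```python
import re

# Constructed sample of "ipconfig /all" output in the Windows 2000/XP layout.
# Adapter names, addresses and MACs are made up for this example.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : airsnare-box

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Example 802.11b Wireless Adapter
        Physical Address. . . . . . . . . : 00-40-85-2D-43-E6
        IP Address. . . . . . . . . . . . : 192.168.1.20

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-02-A5-11-22-33
        IP Address. . . . . . . . . . . . : 192.168.1.21
"""

ADAPTER_LINE = re.compile(r"^\S.* adapter (.+):\s*$")
PHYSICAL_LINE = re.compile(r"^\s*Physical Address[\s.]*:\s*(\S+)")


def is_valid_mac(raw):
    """True if raw is exactly 12 hex digits once -, :, . and spaces are removed."""
    digits = re.sub(r"[-:. ]", "", raw.strip())
    return re.fullmatch(r"[0-9A-Fa-f]{12}", digits) is not None


def normalize_mac(raw):
    """Turn 00:40:85:2d:43:e6, 0040.852d.43e6 or 004085 2D43E6 into the
    Windows/AirSnare form 00-40-85-2D-43-E6.  Anything that is not exactly
    12 hex digits (a dropped digit, an O typed for a 0) raises ValueError
    instead of silently producing an entry that will never match."""
    if not is_valid_mac(raw):
        raise ValueError("not a valid MAC address: %r" % raw)
    digits = re.sub(r"[-:. ]", "", raw.strip()).upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def macs_from_ipconfig(text):
    """Return {adapter name: normalized MAC} for every adapter in ipconfig /all
    output.  Adapter headers are the unindented lines ending in ':'; the MAC is
    on the indented 'Physical Address' line that follows."""
    found = {}
    adapter = None
    for line in text.splitlines():
        m = ADAPTER_LINE.match(line)
        if m:
            adapter = m.group(1)
            continue
        m = PHYSICAL_LINE.match(line)
        if m and adapter:
            found[adapter] = normalize_mac(m.group(1))
    return found


def format_trusted_list(entries):
    """Render (mac, description) pairs as one 'MAC<TAB>description' line each.
    This layout is an assumption of the example, not AirSnare's documented
    file format.  Duplicate MACs are collapsed so one device is not listed
    twice under two names."""
    seen = {}
    for mac, description in entries:
        seen.setdefault(normalize_mac(mac), description)
    return "".join("%s\t%s\n" % (mac, desc) for mac, desc in sorted(seen.items()))


if __name__ == "__main__":
    host_macs = macs_from_ipconfig(SAMPLE_IPCONFIG)
    entries = [(mac, "airsnare-box " + name) for name, mac in host_macs.items()]
    # Addresses copied from device labels can be added in whatever form they
    # were written down; normalize_mac() brings them into line.
    entries.append(("00:0c:29:aa:bb:cc", "print server (label)"))
    print(format_trusted_list(entries), end="")
```

Run it once per machine and merge the output; a ValueError at this stage costs a minute, whereas a mistyped entry in the friendly list costs a false alarm every time that device talks.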
Friendly MAC List
Now that you have the list of MACs of all of your devices, go to your computer and start AirSnare. Compare your list of MACs against the ones detected by AirSnare. When you see a MAC that you want on the Friendly MAC list, right-click it and select "Add to Trusted". This brings up a window showing the MAC address and a description. Leave the MAC field alone, since that is the MAC you want to add to the friendly list. In the description field you may put the name of the network equipment that MAC corresponds to. Then hit "OK" to add it to the Friendly list. Only add a MAC that is on the list you collected; trusting whatever AirSnare happens to see defeats the purpose of the list.
Now you can let AirSnare run and watch for unfriendly MAC addresses...
When AirSnare detects a MAC address on the network that isn't in the Friendly MAC list, it will sound an alert and change the background color to RED. From then on, any traffic sent from that MAC address will be logged in the Unfriendly MAC Watch Window (top right). At this point you need to determine whether the MAC address really is unfriendly or whether you just missed a device on your network somewhere. Keep in mind what this check can and cannot tell you: AirSnare compares source MAC addresses against a list, and a MAC address is set by the client's driver and can be changed. An intruder who copies the MAC of one of your trusted devices will not raise an alarm, so treat the Friendly list as a way of spotting the careless, not as access control.
You can look up the manufacturer by MAC address, which will help you determine what equipment this is. Vernon sent me the following links:
http://standards.ieee.org/regauth/oui/index.shtml - IEEE OUI lookup. Enter the first 6 hex digits of the MAC address (the first three groups, the Organizationally Unique Identifier) in the Search OUI box; for example, entering "0002a5" returns: Compaq Computer Corporation
http://hacks.oreilly.com/pub/h/826 - Finding radio manufacturers by MAC address
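The lookup is mechanical enough to script, and doing so lets you add two checks the web form does not make for you. This Python example is added here and is not AirSnare code: it extracts the OUI, looks it up in a small offline table, and first tests two bits of the first octet. Bit 0 set means a multicast or broadcast address, which turns up as a destination in the watch window and never identifies a device; bit 1 set means a locally administered address, set by software (a virtual machine, or someone who changed it by hand), so a vendor lookup on it is meaningless. The table below is constructed: only the Compaq entry comes from the guide, the other two OUIs are placeholders, and a real tool would load the IEEE registry linked above.

```python
# Constructed offline OUI table.  The first entry is the one the guide uses
# as its example; the other two are placeholders to exercise the code.  The
# authoritative list is the IEEE registry, which is far larger and changes
# constantly, so load that file in anything beyond a demonstration.
OUI_TABLE = {
    "0002A5": "Compaq Computer Corporation",
    "00AABB": "Example Vendor A (constructed)",
    "00CCDD": "Example Vendor B (constructed)",
}


def mac_bytes(mac):
    """Parse 00-02-A5-11-22-33 or 00:02:a5:11:22:33 into six ints."""
    parts = mac.strip().replace(":", "-").split("-")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError("not a 6-octet MAC address: %r" % mac)
    return [int(p, 16) for p in parts]


def oui_of(mac):
    """The first three octets as six upper-case hex digits, e.g. '0002A5'."""
    return "".join("%02X" % b for b in mac_bytes(mac)[:3])


def is_group_address(mac):
    """Bit 0 of the first octet set: multicast or broadcast.  Seen as a
    destination in captured traffic; never identifies a device."""
    return bool(mac_bytes(mac)[0] & 0x01)


def is_locally_administered(mac):
    """Bit 1 of the first octet set: assigned by software rather than burned
    in by the manufacturer, so the OUI does not name a vendor."""
    return bool(mac_bytes(mac)[0] & 0x02)


def lookup_vendor(mac, table=OUI_TABLE):
    """Vendor name for the MAC's OUI, or None when it is not in the table."""
    return table.get(oui_of(mac))


def describe(mac, table=OUI_TABLE):
    """One-line classification of an address seen in the watch window."""
    if is_group_address(mac):
        return "%s: group (multicast/broadcast) address, not a device" % mac
    if is_locally_administered(mac):
        return "%s: locally administered, vendor lookup not applicable" % mac
    vendor = lookup_vendor(mac, table)
    if vendor is None:
        return "%s: OUI %s not in local table, check the IEEE registry" % (mac, oui_of(mac))
    return "%s: %s (OUI %s)" % (mac, vendor, oui_of(mac))


if __name__ == "__main__":
    for addr in ("00-02-A5-11-22-33", "02-00-5E-10-00-01",
                 "FF-FF-FF-FF-FF-FF", "00-40-85-2D-43-E6"):
        print(describe(addr))
```

A vendor match tells you who made the card, not who is using it; it is a hint for recognising a forgotten print server or game console, nothing more.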
An AirSnare alert can be cleared by right-clicking in the "Alarms" field and selecting "Acknowledge Alarm".
Detected possible unfriendly MAC addresses window
Any MAC address picked up by AirSnare that isn't
The Unfriendly MAC Watch Window
This is where you can find out what the unfriendly MAC is up to. It shows the source and destination IP addresses and the source and destination MAC addresses of each packet. It also identifies common ports such as FTP, Telnet, e-mail, web, DHCP and other popular ports, based on the port numbers in the packet.
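The alarm rule from the "Friendly MAC List" section and the watch-window lines described here are small enough to show end to end. This Python example is added here and is not AirSnare's code: it compares only the source MAC of each frame against a trusted set (traffic from an unknown station is logged whatever it is talking to, which is what the guide describes), raises one alarm per new unknown MAC that stays pending until it is acknowledged, and labels each logged frame with the =E-Mail=> / =WEB=> / =DHCP=> style names from the port number. The frames and the trusted list are constructed; the exact line format is this example's, not AirSnare's.

```python
from collections import namedtuple

# Constructed frames in the form the watch window reports them:
# source/destination MAC, source/destination IP, protocol and destination port.
Frame = namedtuple("Frame", "src_mac dst_mac src_ip dst_ip proto dst_port")

# Constructed friendly list (the MACs are the ones used as examples in the guide).
TRUSTED = {
    "00-40-85-2D-43-E6": "laptop",
    "00-02-A5-11-22-33": "router LAN",
}

# Port names in the style of the watch window's =E-Mail=> / =WEB=> labels.
PORT_NAMES = {
    20: "FTP", 21: "FTP", 23: "Telnet", 25: "E-Mail", 110: "E-Mail",
    143: "E-Mail", 80: "WEB", 443: "WEB", 67: "DHCP", 68: "DHCP", 53: "DNS",
}


def normalize_mac(raw):
    """00:40:85:2d:43:e6 -> 00-40-85-2D-43-E6, the form used in the lists."""
    digits = raw.replace(":", "").replace("-", "").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError("bad MAC %r" % raw)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacWatch:
    """Friendly-list check over a stream of frames.

    Only the source MAC is compared.  An alarm is raised the first time a new
    unknown source appears and stays pending until acknowledge() is called,
    like AirSnare's Alarms field; later frames from the same MAC are still
    logged but do not raise a second alarm."""

    def __init__(self, trusted):
        self.trusted = {normalize_mac(m) for m in trusted}
        self.seen_unknown = set()   # every unfriendly MAC seen this session
        self.pending_alarms = []    # raised but not yet acknowledged
        self.watch_log = []         # lines for the Unfriendly MAC Watch Window

    def label(self, frame):
        if frame.dst_port in PORT_NAMES:
            return PORT_NAMES[frame.dst_port]
        if frame.dst_port is None:
            return frame.proto
        return "%s/%d" % (frame.proto, frame.dst_port)

    def process(self, frame):
        """Return the watch-window line for an unfriendly frame, else None."""
        src = normalize_mac(frame.src_mac)
        if src in self.trusted:
            return None
        if src not in self.seen_unknown:
            self.seen_unknown.add(src)
            self.pending_alarms.append(src)
        line = "=%s=> %s %s -> %s (%s)" % (
            self.label(frame), src, frame.src_ip, frame.dst_ip,
            normalize_mac(frame.dst_mac))
        self.watch_log.append(line)
        return line

    def acknowledge(self, mac):
        mac = normalize_mac(mac)
        self.pending_alarms = [m for m in self.pending_alarms if m != mac]

    def alarm(self):
        """True while any alarm is unacknowledged (the screen would be RED)."""
        return bool(self.pending_alarms)


# Constructed traffic: the trusted laptop browsing, then an unknown station
# asking for a DHCP lease and checking mail through the router.
FRAMES = [
    Frame("00:40:85:2d:43:e6", "00:02:a5:11:22:33", "192.168.1.20", "203.0.113.10", "TCP", 80),
    Frame("00:0c:29:aa:bb:cc", "ff:ff:ff:ff:ff:ff", "0.0.0.0", "255.255.255.255", "UDP", 67),
    Frame("00:0c:29:aa:bb:cc", "00:02:a5:11:22:33", "192.168.1.57", "203.0.113.25", "TCP", 110),
    Frame("00:0c:29:aa:bb:cc", "00:02:a5:11:22:33", "192.168.1.57", "203.0.113.25", "TCP", 5555),
]


def run(trusted=TRUSTED, frames=FRAMES):
    """Feed frames through the watch; return (watch_log, pending_alarms)."""
    watch = MacWatch(trusted)
    for f in frames:
        watch.process(f)
    return watch.watch_log, list(watch.pending_alarms)


if __name__ == "__main__":
    log, alarms = run()
    print("ALARM" if alarms else "quiet", alarms)
    for line in log:
        print(line)
```

The DHCP line is the one to look at first: a station that has just joined will normally ask for an address before it does anything else, and its request arrives before it has an IP of its own.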
Write to log file button
If you want to save the information from the Unfriendly MAC Watch Window, right-click and select "Write to log file". This saves the information to a file in the Logs directory under the AirSnare directory. Files are saved as *.TXT files.
Send NetMsg to button
First, for this to work the machine the message is being sent to must be a Windows NT, 2000 or XP machine, or a Windows 95, 98 or ME machine with Windows messaging (e.g. WinPopup) running.
The AirHorn Module
This is the piece of AirSnare that sends the message to the IP address indicated. The AirHorn module configures itself automatically. To open it, right-click the MAC address you want to send the message to in the Unfriendly MAC Watch Window and select "Send NetMsg to". Now the AirHorn window is open.
This module will only work from a Windows NT, XP or 2000 machine!
The Server, Send To and Send From fields are all filled in automatically when you open AirHorn. The receiving computer must have the Windows Internet Connection Firewall (ICF) turned off and the Messenger service enabled. Windows XP SP2 reverses both of these by default (it turns the firewall on and disables the Messenger service, which had become a channel for pop-up spam), so do not expect the message to arrive on a patched XP machine. The sending computer does not need the firewall off or the Messenger service enabled.
The Options Menu
Scan MAC Traffic - Tells AirSnare to include MAC packets in its scanning
Scan TCP Traffic - Tells AirSnare to include TCP packets in its scanning
Scan UDP Traffic - Tells AirSnare to include UDP packets in its scanning
Play WAV alert sound - Will play a WAV file alert over the PC speakers. You can change the WAV sounds by recording your own alerts and renaming them to the appropriate AirSnare WAV file alert sounds.
Send E-mail on alert - Sends an e-mail when an intrusion alarm is activated. This requires that the AirMail module is setup and configured properly. See AirMail Window below.
The Tracking menu
Just use the Track with AirSnare option. There are too many variables to get Ethereal tracking to work. If it works for you, great; if it doesn't, use the AirSnare option, which is much faster. Run Ethereal on another machine to capture packet data.
The Window Menu
The first item opens a window showing all the DHCP requests that have taken place during this session. This is a useful place to look after an alarm, since a device that has just joined the network will normally ask for an address here before it does anything else.
The second item opens the AirHorn module window, described above under "The AirHorn Module".
The AirMail Window
In the Options menu click the AirMail tab.
The first box is the address of your SMTP mail server. If you have one on-site just enter the computer name; if it is off-site or your ISP's, enter either the IP address or the DNS name (e.g. mymailserver, 127.0.0.1, smtp.myisphost.com). There is no field for SMTP credentials, so the server must accept mail from the AirSnare machine without authentication; many ISP servers only do so from inside their own network, so send yourself a test alert before relying on it.
The second box is the To E-mail address. Enter the e-mail address(es) that you want the alarm sent to when an unauthorized device connects to your wireless access point.
The third box is the From E-mail address; enter your own e-mail address here. Next fill in the To Name. The subject cannot be changed.
The fifth box is the body of the e-mail, i.e. what the message will say when you receive it. Use something like "An intrusion has been detected on the network. Please see the AirSnare machine for further information." The alert goes out as plain SMTP, so keep it generic; the details stay in AirSnare's own log.
The Help menu offers the About option. This to me is the most important part, as it explains the long hours that I put into this program and asks you to donate to the project to help keep it going and to support other developments like it. If you use AirSnare and find it useful, I hope you'll make a donation. Thank you, and please enjoy the program.
The AirSnare forums are up and running. Please visit them and post any questions or stories of detection. Hopefully this will be a common place for AirSnare information and for sharing information and ideas on network security and intrusion detection that you are using or are curious about. I think it will take a while to get going but should be a good resource for AirSnare users.