security wireless network: wireless antennas and amplifiers


LINUX DISTRIBUTIONS

The best known are the BackTrack versions (3 and 4); I will use BackTrack 4. Other distributions are Wifiway and Wifislax. Each of them specializes in auditing wireless networks and comes with many programs, such as airodump (a wireless network scanner), aircrack (used to crack WEP passwords) and wireshark (an Internet traffic scanner). These are just three examples of programs from these Linux distributions.

You may ask how this works and how a hacker can use it to penetrate your wireless network. First, we need to download BackTrack 4: http://www.backtrack-linux.org/ is the link where you can download any BackTrack version you wish. Try it with the live CD, or install BackTrack on your system using a virtual machine such as VMware; http://www.vmware.com/ is the official VMware site. You need to download VMware Workstation 7, which you can use free for 30 days if you register (registration is free). I will put a video on YouTube about how to run BackTrack 4 in VMware; it is very simple to do. The YouTube video shows how a hacker can crack a wireless network (WEP key). The second video is about how to run BackTrack 4 in VMware; it is very simple.

SNIFFING PROGRAMS

Once inside the network, the hacker can use sniffing programs such as Cain & Abel and Wireshark to see the Internet traffic on the network, with the final goal of stealing your passwords. For now I will present only these two programs.

Cain & Abel is a complex program that has both a sniffing tool and a cracking tool. The basic idea of traffic interception is that the attacker is interposed between the router and the attacked PC, so that traffic passes through the attacker's PC first and then goes on to the router. I will post a video about this program. One more thing: I use this program under Windows.

Wireshark is almost the same type of program as the first one, but with it you will need to process a huge quantity of data. It comes with BackTrack 4 but can also be used under Windows.

WHAT CAN WE DO?

As you can see, hackers' tools are diverse and complex, as I illustrated above, and this is only a small part of the multitude of ways in which we can be attacked. I think we should show more interest in everything around us, and especially in new wireless technology, because I believe it is the future of the transmission and receipt of data. How can we defend against these attacks? I have some advice:

  • If you have a wireless router and it uses a WEP key for access, change it to a WPA key (choose a key that is not in the dictionary, e.g. a phone number).

  • Check whether PCs other than the ones you know are connected to your network.

  • If you connect through a public Internet network, keep in mind that someone can spy on you and see the passwords you type, so do not type important passwords (such as your PayPal password).

Monday, March 1, 2010

wireless antennas and amplifiers

Antennas


Security-wise, antennas and amplifiers give an enormous edge to both the skillful attacker and defender. From the attacker's perspective, antennas give distance (resulting in physical stealth), better signal quality (resulting in more data to eavesdrop on and more bandwidth to abuse) and higher power output (essential in Layer 1 DoS and man-in-the-middle attacks). From the defender's perspective, correctly positioned antennas limit the network boundaries and lower the risk of network detection while reducing the space for attackers to maneuver. In addition, three highly directional antennas in conjunction with mobile wireless clients, running signal strength monitoring software, can be used to triangulate the attacker or a rogue wireless device. This is, of course, dependent on the attacker actually transmitting some data. A self-respecting wireless security company should be able to provide the triangulation service as a part of an incident response procedure. Unfortunately, this is not usually the case.
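The triangulation described above, as an added example that is not part of the original post: a least-squares position fix from compass bearings, assuming each of three sensors at a known position reports the direction in which its directional antenna sees the strongest signal. The function names, coordinates and bearings are constructed for illustration.

```python
import math

def triangulate(observations):
    """Least-squares intersection of bearing lines.

    observations: (x_m, y_m, bearing_deg) per sensor; the bearing is the
    compass direction (clockwise from north, +y) of the strongest signal.
    """
    a11 = a12 = a22 = b1 = b2 = 0.0
    for x, y, bearing in observations:
        t = math.radians(bearing)
        dx, dy = math.sin(t), math.cos(t)      # unit vector along the bearing
        # Projector onto the line's normal, I - d d^T, accumulated per sensor.
        m11, m12, m22 = 1 - dx * dx, -dx * dy, 1 - dy * dy
        a11 += m11
        a12 += m12
        a22 += m22
        b1 += m11 * x + m12 * y
        b2 += m12 * x + m22 * y
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("bearings are (nearly) parallel; reposition a sensor")
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)

def check_fix(observations, estimate):
    """Per-sensor (miss_distance_m, in_front) for a position estimate.

    A large miss distance, or in_front == False, suggests that reading came
    from a reflection or from a side/back lobe rather than the main beam.
    """
    ex, ey = estimate
    report = []
    for x, y, bearing in observations:
        t = math.radians(bearing)
        dx, dy = math.sin(t), math.cos(t)
        along = (ex - x) * dx + (ey - y) * dy      # distance along the bearing
        across = (ex - x) * dy - (ey - y) * dx     # perpendicular miss
        report.append((abs(across), along > 0))
    return report

# Constructed survey: three sensor positions (metres) and measured bearings.
SAMPLE = [(0, 0, 53.0), (100, 0, 296.5), (50, 100, 188.0)]

if __name__ == "__main__":
    fix = triangulate(SAMPLE)
    print("estimated position: (%.1f, %.1f) m" % fix)
    for (x, y, b), (miss, front) in zip(SAMPLE, check_fix(SAMPLE, fix)):
        print("sensor (%d,%d) bearing %.1f: miss %.2f m, in front: %s" % (x, y, b, miss, front))
```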

Before we provide suggestions on antenna use in wireless security auditing, a brief overview of antenna theory basics is necessary. If you are an RF expert you can safely skip the intermezzo and move forward.

The RF Basics: An Introduction to the Antenna Theory

There are two main characteristics in antennas: gain (or power amplification) provided by an antenna, and beamwidth (which shapes the antenna coverage zone). In fact, it makes sense to look at the zone of coverage as a third variable, because side and back beams of some antennas are difficult to describe in terms of beamwidth. You should always demand the antenna irradiation pattern diagram from the vendor to assess the shape of the antenna irradiation (if only approximately). A future site survey will show how closely the provided diagram corresponds to the truth. We have collected diagrams from some vendors in Appendix C for your convenience as well as an aid to understanding the distinctions between different types of antennas. Another often overlooked antenna characteristic is the antenna polarization, which can easily be changed by altering the antenna position.

An antenna's gain is estimated in dBi because it is referenced to an abstract isotropic irradiator, a fictional device that irradiates power in all directions (a star is an example of such a device). It is defined as passive because no power is injected by an antenna. Instead, the gain is reached by focusing the irradiated waves into a tighter beam. The beamwidth can be both horizontal and vertical; never lose the 3D perspective!

There are three generic types of antennas that differ by irradiation pattern and beamwidth and can be further divided into subtypes. These types include:

  1. Omnidirectional antennas

    • Mast mount omni

    • Pillar mount omni

    • Ground plane omni

    • Ceiling mount omni

  2. Semidirectional antennas

    • Patch antenna

    • Panel antenna

    • Sectorized antenna

    • Yagi antenna

  3. Highly directional antennas

    • Parabolic dish

    • Grid antenna

Omnidirectional antennas have a 360-degree horizontal coverage zone and reach gain by decreasing the vertical beam. The irradiation pattern of an omnidirectional antenna resembles a doughnut with the antenna going through the doughnut's hole. The ground plane antennas (and some ceiling mount omnidirectionals with a ground plane) prevent the irradiation from spreading downward or upward. For the magnetic mount omnidirectionals loved by wardrivers, the car serves as the ground plane. A typical use of omnidirectional antennas is providing point-to-multipoint (hub-and-spoke) links for multiple clients or even networks, using semidirectional antennas for multiple connections to a powerful central access point hooked up to an omni.

Semidirectional sectorized, patch, and panel antennae form a "bubble" irradiation pattern spreading in 60 to 120 degrees in direction. They are frequently used to cover an area along a street or a long corridor; sectorized semidirectionals placed in a circle can act as a replacement for an omnidirectional, having the advantage of higher gain and vertical beamwidth (but at a higher price).

Yagis form a more narrow "extended bubble" with side and back lobes. A typical use for a yagi is establishing medium-range bridging links between corporate buildings as a very cheap alternative to laying fiber where the CAT5 with its 100 m limit for 100BaseT Ethernet cannot reach.

Highly directional antennas emit a narrowing cone beam capable of reaching the visible horizon and are used for long-range point-to-point links, or where a high-quality point-to-point link is required. Due to their usually high gain, directional antennas are sometimes used to blast through obstacles such as walls when no other alternative is present.


Sometimes the antennas take rather bizarre shapes (e.g., flag yagi), sometimes they are well-hidden from prying eyes (many of the indoor patch or panel antennas), and sometimes they look like fire alarms (small ceiling-mount omnis). Spotting wireless antennas is an important part of a site survey, which might help you determine the overall shape of the wireless network before turning on your monitoring tools. Pay particular attention to the back and side lobes, such as the ones in yagi's irradiation patterns; the network might span somewhere the system administrator without knowledge of RF basics might never expect it to be.

When selecting your antennas for wireless security audit, a decent omnidirectional and a high-gain, narrow-beamwidth antenna are the minimum. We usually use 12 dBi omni and 19 dBi grid directional, but you should pick the antennas that suit you best. An omnidirectional comes in handy when surveying a site, looking for rogue access points, analyzing traffic from several hosts positioned in different directions, and monitoring the area for unauthorized or suspicious traffic or interference. You should always keep in mind that with a higher gain the "doughnut" becomes flatter, and while using a higher gain omni you might not discover wireless hosts positioned below or above the coverage zone (e.g., hosts in the same building but on different floors). On the other hand, a lower gain omni might not be sufficiently sensitive to pick these hosts up. This is a possible case for using a semidirectional antenna (we use 15 dBi yagis). Alternatively, you can do a thorough scan with a narrow beamwidth directional, but remember both horizontal and vertical beamwidth planes! When it comes to the use of directional antennas, there are several obvious advantages:

  • You can check how far a well-equipped cracker can position himself or herself.

  • You can blast through walls and see how much data leaks through.

  • It is essential for trying out jamming and certain man-in-the-middle attacks.

  • It is vital for determining the attacker's position.

  • Some networks can only be discovered using a decent gain directional (or semidirectional). These include the WLANs on the top floors of very tall buildings.

There is considerable information (even in the popular media) on making your own antennas from Pringles tubes, empty tins, and so forth. Although it is a cool hardware hack and worth trying in your free time, we do not recommend using these antennas in serious commercial wireless penetration testing. Their beamwidth, irradiation pattern, gain, and some other important criteria, such as voltage standing wave ratio (VSWR; should be approximately 1.5:1), are rarely verified and the performance can be unreliable. Of course, there are cases when homemade antennas beat the commercially built ones by a large margin. Nevertheless, properly quantifying the do-it-yourself antenna parameters just listed is difficult and expensive, which makes defining and documenting your site survey results difficult. At the same time, it is easy to get a decent 2.4–2.5 or 5.15–5.85 GHz antenna for a very reasonable price (there are many affordable online WLAN antenna stores).

RF Amplifiers

Whereas the antennas achieve passive gain by focusing the energy, amplifiers provide active gain by injecting external DC power into the RF cable. This power is sometimes referred to as "phantom voltage" and is carried by the RF cable from a DC injector to an amplifier. There are two types of amplifiers: unidirectional (which only increase the transmitting power) and bidirectional (which improve the receiving sensitivity as well). In addition, both amplifier types come as fixed or variable gain devices. For a network design purpose, fixed power gain amplifiers are recommended for overall stability reasons and because all necessary RF power calculations should be done prior to the network deployment and you should be aware of your network power needs. Traditionally, amplifiers are deployed to compensate for loss due to significant cable length between an antenna and the wireless device. It is unlikely that you will need one in your penetration testing procedure, as it is cheaper and more convenient to use a highly directional antenna. However, if you have additional cash to spare, you might want to purchase a bidirectional amplifier to use in conjunction with the directional antenna for typical power-demanding security experiments such as long-distance connectivity and traffic analysis, or jamming and Layer 1 man-in-the-middle attacks. Unlike the actual network design case, variable gain amplifiers are recommended for testing purposes, security testing included. For example, you might want to tweak the amplifier power to find at which EIRP a Layer 1 man-in-the-middle or DoS attack will succeed.

The main problem with using amplifiers for security evaluation is providing a mobile power source. For this reason, amplifiers are rarely used by casual attackers. However, the use of one by a determined stationary attacker cannot be excluded.
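An added example, not part of the original post, that turns the gain and EIRP figures above into a boundary estimate: a free-space link budget showing how far from an access point a receiver with the 12, 15 and 19 dBi antennas mentioned earlier could still hear it. The access point power, wall loss and receiver sensitivity are assumed values, and free space is an upper bound that real sites rarely reach.

```python
import math

def eirp_dbm(tx_dbm, antenna_dbi, cable_loss_db=0.0, amp_gain_db=0.0):
    """EIRP of a transmit chain: radio -> cable -> (amplifier) -> antenna."""
    return tx_dbm - cable_loss_db + amp_gain_db + antenna_dbi

def fspl_db(distance_m, freq_mhz):
    """Free-space path loss in dB (distance in metres, frequency in MHz)."""
    return 20 * math.log10(distance_m / 1000.0) + 20 * math.log10(freq_mhz) + 32.44

def rx_dbm(eirp, distance_m, freq_mhz, rx_antenna_dbi, obstacle_loss_db=0.0):
    """Signal level at the receiver's radio after path and obstacle loss."""
    return eirp - fspl_db(distance_m, freq_mhz) - obstacle_loss_db + rx_antenna_dbi

def max_range_m(eirp, freq_mhz, rx_antenna_dbi, sensitivity_dbm, obstacle_loss_db=0.0):
    """Distance at which rx_dbm() drops to the receiver sensitivity."""
    budget = eirp + rx_antenna_dbi - obstacle_loss_db - sensitivity_dbm
    return 1000.0 * 10 ** ((budget - 32.44 - 20 * math.log10(freq_mhz)) / 20)

# Assumed values (not from the post): AP radio at 15 dBm into a 2 dBi antenna,
# channel 6 (2437 MHz), one exterior wall at 10 dB, receiver sensitivity -85 dBm.
AP_EIRP = eirp_dbm(tx_dbm=15, antenna_dbi=2)
FREQ_MHZ, WALL_DB, SENSITIVITY_DBM = 2437, 10, -85
# Receive antenna gains quoted in the post.
SURVEY_ANTENNAS = {"12 dBi omni": 12, "15 dBi yagi": 15, "19 dBi grid": 19}

def boundary_table():
    """Upper-bound listening range per receive antenna, in metres."""
    return {name: max_range_m(AP_EIRP, FREQ_MHZ, gain, SENSITIVITY_DBM, WALL_DB)
            for name, gain in SURVEY_ANTENNAS.items()}

if __name__ == "__main__":
    print("AP EIRP: %.1f dBm" % AP_EIRP)
    for name, metres in boundary_table().items():
        print("%-12s hears the AP out to ~%.0f m (free space)" % (name, metres))
```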
