Using my PPC for wireless network auditing

[tootights]

Using my VX6800 while I was in Costco the other day got me to thinking about the possibility I could cook a rom that would be geared toward network security. I decided to flip on my wireless ap scanner that I have cooked into my current rom, I ended up picking up 20 networks 2 of which were lacking any authentication and declaring default configurations. It got me wishing I had something like Backtrack to load onto my ppc.

Of course I'm SURE that SOMEBODY has already thought of this and probably done it, maybe even perfected it? Such a hand held device would be useful in certain applications of security auditing.

?

[prodiem]

As a Wireless Network Administrator, I have experience in that the PPC and Smartphone WiFi hardware has limitations.

First the Radios are unable to enter Promiscuous mode except on rare devices.

Promiscuous mode allows the software to see the raw encrypted packets unaltered, (no attempt at decoding)
Scanners like Ministumbler and WiFiFoFum are able to see the basic header info in these packets, (channel, SSID, Encryption Bit Flag, MAC address, and radio Stats) but that is all. They are unable to see or attempt to see extended stats like Packet retransmits, or packet corruption stats, (the radio drops them and does not forward them to the software.)
This is how the WiFi industry has been securing to some degree Wireless networks, if you need to scan you need a licensed radio. Some WiFi chipsets only need a software bit to unlock them, (some Atheros), but most are hard locked out.

Second the antennas are weak and unknown directional, usually mostly omni-directional, but there is always a peak somewhere.

This time the antenna is annoying when pinpointing where an AP or Client is. Say you are on a school campus, trying to find a rouge hacker laptop. You know what AP they are connecting to, but not where from. Using a PPC that is unlocked Promiscuous mode you can see the hacker and signal strength. With the default omnidirectional antenna you have to walk around and sweep the area playing hotter and colder till you find the hacker. Such obvious movement would alert the hacker and they would kill the attempts.
With a directional antenna, you can point the antenna in one location to the hacker, then move 50-60 feet away and triangulate the hacker, taking much less time.

Also if installing a new AP with a directional antenna you can measure more accurately how the signals are being transmitted. (bouncing off walls because stucco lathe is acting like a mirror)

Third and lastly we look at Spectrum analysis.

This is the cool tool, it is also a great troubleshooter, looking for echos interference from microwave ovens, strange quasi-"bluetooth" phone headsets (plantronics), airport radar, and a pacemaker(true, scary, and funny story).
These are very specialized radios, that look at the WiFi spectrum as only a radio would, sweeping the channels in rapid succession and on an individual subchannel range. Over a period of a minute or two the WiFi and other Radio interference develop, allowing analysis of what is going on. (Usually broken down into 2-3 hours of moving and scanning, and 10-60 minutes of analysis and diagnosis)

I have had to rely on WiFiFoFum in a pinch to troubleshoot while I'm there just poking around, and ususally it's enough for the easy problems, (30 AP's in the apartment complex all on channel 1)
But with some simple and relatively cheap tools I can go further and really make things work, the only problem is they are all for my laptop.
Here is who I know with products out there.... (for some fun poking around)
Berkley Varitronics Systems Hanheld PPC based sleve scanners.
CACE Techologies AirPcap USB Wireless Permicuous mode device, I have the EX modle and an external antenna (small dish with handle).
metageek Wi-Spy 2.4x Simple Spectrum analisys, perfect to do most everything if you are patient enough to wait.

Use laptop while standing (doesn't help with reading screen in the sun)

Hope this helps clear up why these powerful phones can't do this stuff.