Stumbled on a Nomadix Gateway

[pseudobreed]

I happened to stumble on a nomadix gateway the other day and I was in kind of an awe as to how secure it was for a wireless solution. The box also runs a bunch of services that are really easy to setup. More info here (PDF).

Does anyone else have experience with this type of gateway, or know of any others like it? I have a client really pushing to get wireless connectivity and I have always held a firm no on the subject. However, I have not been keeping track of the security advances on wireless devices.

[stingwray]

Waste of money in my opinion. Really the only secure wlan is one which requires a VPN connection to the network in question.

Other than that any public hot spot wlan can't be secure because the features needed to make it secure are two time consuming to set up for the public to come and use it. A good captive portal and radius sever will stop people 99.9% of people from stealing the internet, but if its not in your T&C that you cannot be held responsible for loss of security then you are an idiot.

[pseudobreed]

I understand all that, however, these gateways are pretty much used for public areas.

Here is an example. Downtown they offer free wifi in select locations. Some of these places use this nomadix gateway. I got on one just see what is so special about them. Once you connect, your domain name changes to Nomadix.com and trying to go to that site redirects you to a terms agreement that will not allow you to do anything on the network until you agree.

When I did a scan for host, the gateway dumps out a list of spoofed mac address. However, it only dumps mac/ip's that are not being used. So, if I have IP 10.198.16.118, my list from nmap will not have .118 responding. The gateway filters out macs, and any other type of specified packet/service (ie ping).

Firing up Wireshark you can still see the network traffic as if you were on a switched network, however MitM type of attack is now harder as you dont know the MAC address.

Checking out the ports open on the gateway comes to about 25 different services on this one gateway. Just looking at headers alone, it's pretty much just smtp, pop, ssl, proxy, web server, wol, etc.

I did not get much time to check it out, however, later Im going to get an external IP and see what I get from the outside.

[stingwray]

Nothing special there, although I really don't understand what you were going on about the nmap with the gateway. The gateway has nothing to do with with doing any network enumaration really.

It all sounds a bit odd really, if you wanted a secure public ap then vlans would be the way to go with each computer getting an individual one.

[burn]

I think the Cisco 1200 AP s offers individual vlans per connection and I think the WRT54G's do as well, unless it was a hacked one I was hearing someone talk about.

There's a coffee shop here that uses a Cisco 1200 AP. I did an NMAP scan and picked up the coffee shop's public computers, but not any of the other wireless users. I was able to do an HTTP MiTM and get clear-text passwords but all attempts at a SSL MiTM failed. I checked the public computers and their gateway MAC never changed (I didn't look at the gateway MAC during a normal HTTP MiTM). They also have wireless camera's setup there that didn't show up in an ARP scan or a ping sweep.

If you're looking at a secure way to offer public wifi perhaps you can look at the Cisco APs. I think they're rather expensive, though. Or maybe you can do a captive portal like NoCatAuth and a RADIUS server on a hacked WRT54G.

I've never heard of the nomadix brand.

[pseudobreed]

@stingwray

I really didnt care about the users on the network, my concern was the gateway. And, the nomadix can make a max of 16 vlans that have individual rights to access any other vlan.

Also, Im not sure how you are supposed to enumerate the network if the gateway will not allow you do anything. Nmap & Nessus came up with nothing. ARP didnt work, as when watching the packets via Wireshark, the gateway sees the ARP command, then reverts it back to what it was before. Im not sure why it just didnt ignore the ARP request in the first place. This is when I focused on the gateway. Im pretty sure the only way I would be able to get anything out of the network was to find a service on the gateway that was insecure and go from there. Unfortunately I ran out of time to play around.

@burn

Thanks for the info. Last I heard I think the nomadix was running around $1,400. I will have to check out the NoCatAuth & RADIUS setup. However, the nomadix claims that it has a dummy proof web interface, which would be nice for the not so savvy client. Then again PIX has a "dummy proof" web interface also, and that gives them headaches.

[Shiva]

Firing up Wireshark you can still see the network traffic as if you were on a switched network, however MitM type of attack is now harder as you dont know the MAC address.

use Aircrack yu'll get IP address & its corresponding MAc address

[pseudobreed]

Wireshark does the same thing. You just have to drill down a little bit.

The only issue I was having was getting a good MitM application.

Cain & Abel

-------------

.. Good:

.... Supports SSL

.. Bad:

.... Can not manually add host to host list

Ettercap

-------------

.. Good:

.... Can manually add host to host list

.. Bad:

.... Does not support SSL on Windows (Or at least I can not get it to work)

[burn]

@Shiva

Actually, it's airodump (but you're right in that it is part of the Aircrack suite) that shows you what MAC addresses are with the AP and yeah, it gives you the list a lot quicker than Wireshark can.

@pseudobreed

Some older versions of Cain let you manually select your hosts.

As for SSL MiTM with Ettercap, the Linux version works great! 8)

[AgentGPF]

Nomadix, IP3 (recently quit making product due to Nomadix suing them for ~18 months), Solutions Inc., AntLabs and a few others I'm sure - are Linux routers usually with a solid state disk drive in a 1u rackmount unit. So basically these are PC routers that are made as gateways for hotels and hotspots, 100+ user environments.

One of the ports will offer secure login, IP3 is 8443, there are also ports which help get certain trouble users past certificates and things like that.

[digip]

Nomadix, IP3 (recently quit making product due to Nomadix suing them for ~18 months), Solutions Inc., AntLabs and a few others I'm sure - are Linux routers usually with a solid state disk drive in a 1u rackmount unit. So basically these are PC routers that are made as gateways for hotels and hotspots, 100+ user environments.

One of the ports will offer secure login, IP3 is 8443, there are also ports which help get certain trouble users past certificates and things like that.

Wow. You resurrected a 3 year old thread.

Thats more than a day late and a dollar short...While the info you provided is good to know, I think the OP who posted the question might have found a solution between then and now.