Tuesday, February 15, 2005

Thoughts on the use of WMI and WDM in a managed environment

Beetle of the Shmoo Group has an excellent presentation (from ToorCon) called "Wireless Weapons of Mass Destruction for Windows". In the presentation, Beetle presents several tools and VB scripts that make use of WMI and WDM to get detected SSIDs and received signal strength from 802.11 interfaces. This is a very interesting use of the Windows Management Instrumentation (WMI).

So let's say that you've got several wireless laptops running Windows XP located in different locations of your building. You use WAPs (of course) with specific SSIDs and security settings. However, you don't always have the time to perform your own warwalks to look for rogue APs, or to see if companies in adjoining offices have set up insecure APs.

Using WMI, wouldn't it be possible to run queries on your managed XP systems and get the necessary information, rather than walking around? In fact, these systems wouldn't even have to be dedicated...you could run the query against any system with a wireless adaptor (and I know I'm not taking chipsets into consideration at this point). Here's the scenario...you know where certain systems are located, for the most part. If the CEO, CFO, or Corporate Counsel is in, you know where his/her office is. There are other folks who are in on a regular basis and are located in other areas...CIO, CTO, IT Manager, folks in finance, etc. You may even be able to throw the receptionist into the mix, depending upon your infrastructure.

So you run the queries against these systems...being known systems, you know the system names, as well as the names of the wireless interface(s) in each one. So, your script can connect to each system, enumerate all SSIDs it sees, and collect information about each one (signal strength, etc.). This way, you should be able to detect new APs, and potentially even triangulate their location.

This would also work equally well if the managed systems were in a different city...
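Here is an added example of what such a query script could look like. It is not Beetle's code and not from the original post; it is a PowerShell sketch that polls a list of managed hosts for the BSSID list exposed by the NDIS 802.11 WDM provider in the root\WMI namespace, compares every SSID it finds against an allowlist of your own APs, and reports each unknown SSID together with the observer that saw it strongest. The host names and the approved SSIDs are constructed sample values, and the MSNdis_80211_* class and property names are assumptions taken from the NDIS WMI provider; verify them against the WMI repository on your own build before relying on them.

```powershell
# Added example (not from the original post): poll managed Windows hosts for
# nearby 802.11 BSSIDs via the NDIS WDM provider in root\WMI, and flag any SSID
# that is not on the site's approved list. Class and property names follow the
# MSNdis_80211_* WDM classes; treat them as assumptions and verify on your build.

$ApprovedSsids = @('CorpWLAN', 'CorpGuest')          # constructed sample allowlist
$Hosts = @('laptop-ceo', 'laptop-cfo', 'laptop-it')  # constructed sample host names
$Seen = @()

foreach ($h in $Hosts) {
    try {
        # One instance per wireless adapter; each carries the last scan result
        $lists = Get-WmiObject -ComputerName $h -Namespace 'root\WMI' `
                               -Class 'MSNdis_80211_BSSIList' -ErrorAction Stop
    } catch {
        Write-Warning "$h`: query failed ($($_.Exception.Message))"
        continue
    }
    foreach ($list in $lists) {
        foreach ($bss in $list.Ndis80211BSSIList.Ndis80211BSSIDs) {
            # The SSID is a length-prefixed byte array (assumed layout)
            $len  = $bss.Ndis80211Ssid.Ndis80211SsidLength
            $ssid = [System.Text.Encoding]::ASCII.GetString($bss.Ndis80211Ssid.Ndis80211Ssid, 0, $len)
            # The BSSID is a 6-byte array; render it as AA:BB:CC:DD:EE:FF
            $mac  = ($bss.Ndis80211MacAddress.Ndis80211MacAddress |
                     ForEach-Object { '{0:X2}' -f $_ }) -join ':'
            $Seen += New-Object psobject -Property @{
                Observer = $h
                Adapter  = $list.InstanceName
                SSID     = $ssid
                BSSID    = $mac
                RSSI     = $bss.Ndis80211Rssi          # dBm, higher (less negative) is closer
                Approved = ($ApprovedSsids -contains $ssid)
            }
        }
    }
}

# Report each unknown SSID/BSSID pair once, naming the observer with the
# strongest signal (a first clue to where the AP physically sits)
$Seen | Where-Object { -not $_.Approved } |
    Group-Object SSID, BSSID |
    ForEach-Object {
        $best = $_.Group | Sort-Object RSSI -Descending | Select-Object -First 1
        $who  = ($_.Group | Select-Object -ExpandProperty Observer | Sort-Object -Unique) -join ','
        New-Object psobject -Property @{
            SSID        = $best.SSID
            BSSID       = $best.BSSID
            StrongestAt = $best.Observer
            RSSI        = $best.RSSI
            SeenBy      = $who
        }
    } | Format-Table SSID, BSSID, StrongestAt, RSSI, SeenBy -AutoSize
```

Two practical notes: the query needs remote WMI/DCOM access and administrative rights on each host, which is exactly the kind of access a managed environment already grants to its inventory tooling; and the BSSID list reflects whatever the adapter found on its most recent scan, so an idle adapter may report a stale or empty list. Keying the allowlist on BSSID as well as SSID would also catch an AP that simply copies your SSID.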

Thoughts? Am I out of my freakin' mind here or what?
