Penetration Testing mailing list archives
RE: Dsniff'ng wireless networks
From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Thu, 12 Jul 2001 14:12:24 -0700
If you haven't done so yet, take a look at the revisions made for the next release of 802.11, specifically 802.11i: a number of interesting improvements in the standard with regard to security. It has been significantly developed by Jesse Walker, who is definitely competent.

Toby
-----Original Message-----
From: Dragos Ruiu [mailto:dr () kyx net]
Sent: Wednesday, July 11, 2001 5:48 PM
To: Michael H. Warfield; Bourque Daniel
Cc: pen-test () securityfocus com
Subject: Re: Dsniff'ng wireless networks
IMHO the Cisco 350 (not the weaker gain cousin the 340) is _the_ card to get.... if for no other reason than you can crank that transmitter to a rangeful but unhealthy and battery frying three times the normal power rating of other typical cards (30mW vs. 100mW) or right down to a less unhealthy and battery saving 1mW with the OpenBSD drivers (and it works fine for me in an indoor residential setting at this minimal power level). As far as I have tested none of the other cards/chipsets give you any useful power controls beyond the mostly lame keep the transmitter on for so many milliseconds settings which mostly mess up your link without much savings. Never mind the fact that you can also use this card to break the shamefully bad crypto. :-)

"Who forgot to invite the cryptographers?", indeed.

cheers,
--dr
On Tue, 10 Jul 2001, Michael H. Warfield wrote:
On Tue, Jul 10, 2001 at 11:04:34AM -0400, Bourque Daniel wrote:
> What about the claim by Cisco that the 350 coupled with their Cisco Secure Access Control permits each user to have its own key AND dynamic change of those keys?
It's proprietary software on top of their cards. I'm still waiting to see the software in action AND waiting to see Linux support. Till then, it's still vaporware. IAC, it's certainly NOT what you are going to find deployed in the field at this time.

There is also the SLAN project up at SourceForge which is intended to address the Wireless encryption problem. That has Linux and Windows clients and is also supposed to address this, and not just be limited to Cisco cards.
-----Original Message-----
From: Michael H. Warfield [mailto:mhw () wittsend com]
Date: July 9, 2001 21:08
To: ed.rolison () power alstom com
Cc: pen-test () securityfocus com
Subject: Re: Dsniff'ng wireless networks
On Mon, Jul 09, 2001 at 09:09:58AM +0100, ed.rolison () power alstom com wrote:

> Correct me if I'm wrong, but IIRC wireless lans are effectively switched.
You are wrong... They are broadcast media and one station can sniff another station as long as it can receive the RF. Often, one station might not be able to receive another station's RF because they are out of range of each other but not out of range of the high-gain access point antenna. But that is a far cry from "effectively switched" and is NOT something to rely on for security!
> Each access point-NIC uses a separate encryption key (there are weaknesses but...)
You are VERY wrong. WEP uses a common shared key amongst ALL of the stations. In order to move between access points within a fully managed 802.11 network (multiple access points operating in cooperation) then all the access points have to have the same Network Name and WEP encryption keys. Most seem to support 4 decryption keys (Rx) and a single encryption key (Tx - One of the four Rx keys) but to have everything work uniformly, it would all have to be identical and it's ALL shared secrets.
> and thus the NIC only 'sees' traffic being directed at it.

If that were true, then the WaveLAN sniffers would not be very effective. In fact, they are VERY effective.
> It seems also that it's quite hard to get them to enter promiscuous mode for similar reasons - if it's listening to all the traffic, then the encryption breaks down.
1) It's a snap to get it into promiscuous mode. Tcpdump can do it on Linux, no mods necessary. You see 802.3 (ethernet) style frames and encapsulation. The 802.11 framing is stripped before presentation to the application layer.

2) It's a little more difficult to get it into RF Management/Monitor mode. In fact, we don't know how to get some cards (Lucent, Cabletron, etc) into this mode where we can monitor access point management frames. Other cards (Cisco Aironet 340 and 350) go into RF Management/Monitor mode very readily. I have several. I've seen them in action. :-) I prefer the 350. Better receive gain. Picks up much better than the 340. Also has better transmit power (but I'm not usually transmitting :-) ).

3) On Linux, some driver patches are required to report the ENTIRE 802.11 encapsulation to the application layer and then you need some modified libpcap libraries to handle them (they are different sized than 802.3). Once you have that, you can find out the ESSID, the Network Name, various AP parameters (like whether WEP is required or used), etc, etc, etc...

Driving from home to work along a particular route, I know a dude in a certain apartment complex has "Dougnet" while a medical office further down the road has one named "toomanysecrets". It's amazing how many have purchased a particular brand with a particular default network name and I see "tsunami" showing up all over the map while driving around town.
> You might have some joy, but the best I can see for collecting the datagrams would be something like a scanner (radio) interfaced to a computer. Of course, you still have to break the encryption, but there was an article posted to one of the securityfocus lists regarding 'weaknesses' in WEP.
Yes, there certainly are some "weaknesses" in WEP. You might want to look them over. They're incredibly lame, like reusing the undersized (24 bit) IV and NOT incorporating any station dependent information in the IV or cypherstream (so cracking one station using known plaintext cracks them all). Combine that with a simple XOR between the plaintext and the cypherstream (making it subject to XOR reduction attacks) and it's really pretty bad. "Bag on head" bad... "Go home in shame" bad... "Who forgot to invite the cryptographers to the meetings" bad...
> (this is based on a little research I did into 802.11b YMMV)
>
> Cheers
> Ed
>
> CONFIDENTIALITY: This e-mail and any attachments are confidential and may be privileged. If you are not a named recipient, please notify the sender immediately and do not disclose the contents to another person, use it for any purpose, or store or copy the information in any medium.
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw () WittsEnd com
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
--
Dragos Ruiu <dr () dursec com> dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
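Two technical points in the thread above lend themselves to a worked illustration: Mike's note that only a monitor-mode capture hands the application the full 802.11 framing (from which the ESSID and whether WEP is in use can be read), and his list of WEP weaknesses (the 24-bit IV that repeats, no per-station input to the keystream, and a plain XOR of plaintext with the cypherstream). The Python below is an added example written for this archive page; it is not code from the thread or from any of the posters. It assumes frames are already available as raw 802.11 bytes (what a monitor-mode driver plus a patched libpcap would deliver); the BSSIDs, station addresses, SSIDs and payloads are constructed here, and `toy_keystream` is a hypothetical stand-in for RC4 that only preserves the one property that matters for the point being made, that the keystream depends solely on the IV and the shared key. The audit inventories access points advertising without the Privacy bit and reports IVs that repeat within one BSSID, which is what a defender reviewing a capture of their own network would look for.

```python
import math
import struct
from collections import Counter, defaultdict

# Constructed sample addresses (locally administered, made up for this example)
AP_DOUGNET = bytes.fromhex("02aa000000d0")
AP_TSUNAMI = bytes.fromhex("02bb000000d0")
STA_A = bytes.fromhex("02cc000000a1")
STA_B = bytes.fromhex("02cc000000b2")
WIRED_HOST = bytes.fromhex("02dd000000e3")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_keystream(iv: int, length: int) -> bytes:
    """Hypothetical stand-in for RC4(IV || shared key).  Not a cipher: it only keeps the
    property the demonstration needs, that the keystream is a function of the 24-bit IV
    and the shared key alone, so a repeated IV means a repeated keystream."""
    out, x = bytearray(), iv
    while len(out) < length:
        x = (1103515245 * x + 12345) & 0xFFFFFFFF   # plain LCG step, for illustration only
        out.append((x >> 16) & 0xFF)
    return bytes(out)


def build_beacon(bssid: bytes, ssid: str, privacy: bool) -> bytes:
    """Beacon: 24-byte MAC header (type 0, subtype 8), timestamp, interval, capability, SSID IE."""
    header = bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    capability = 0x0001 | (0x0010 if privacy else 0)     # ESS bit; Privacy bit = WEP required
    body = struct.pack("<QHH", 0, 100, capability) + bytes([0, len(ssid)]) + ssid.encode()
    return header + body


def build_wep_data(bssid: bytes, src: bytes, dst: bytes, iv: int, plaintext: bytes) -> bytes:
    """Station-to-AP data frame (To-DS + Protected): Addr1=BSSID, Addr2=SA, Addr3=DA,
    followed by the 3-byte IV, the key-index byte and the XOR-encrypted payload (ICV omitted)."""
    header = bytes([0x08, 0x41]) + b"\x00\x00" + bssid + src + dst + b"\x00\x00"
    iv_field = iv.to_bytes(3, "little") + b"\x00"          # IV kept as a little-endian int here
    return header + iv_field + xor_bytes(plaintext, toy_keystream(iv, len(plaintext)))


def parse_frame(frame: bytes) -> dict:
    """Extract the fields the audit needs from a full 802.11 frame, i.e. what a monitor-mode
    capture exposes before the driver strips the 802.11 framing down to an 802.3 view."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    body = frame[24:]
    if ftype == 0 and subtype == 8:                          # management frame: beacon
        _ts, _interval, capability = struct.unpack_from("<QHH", body, 0)
        ssid, pos = None, 12
        while pos + 2 <= len(body):                          # walk the information elements
            ie_id, ie_len = body[pos], body[pos + 1]
            if ie_id == 0:                                   # element 0 carries the SSID
                ssid = body[pos + 2:pos + 2 + ie_len].decode("utf-8", "replace")
            pos += 2 + ie_len
        return {"kind": "beacon", "bssid": addr3.hex(":"), "ssid": ssid,
                "privacy": bool(capability & 0x0010)}
    if ftype == 2 and fc1 & 0x40:                            # data frame with the Protected bit
        to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
        bssid = addr1 if to_ds and not from_ds else addr2 if from_ds and not to_ds else addr3
        return {"kind": "wep_data", "bssid": bssid.hex(":"),
                "iv": int.from_bytes(body[:3], "little"), "ciphertext": body[4:]}
    return {"kind": "other"}


def audit(frames) -> dict:
    """Inventory APs from beacons and count, per BSSID, IVs that appear more than once."""
    aps, iv_seen = {}, defaultdict(Counter)
    for raw in frames:
        f = parse_frame(raw)
        if f["kind"] == "beacon":
            aps[f["bssid"]] = {"ssid": f["ssid"], "privacy": f["privacy"]}
        elif f["kind"] == "wep_data":
            iv_seen[f["bssid"]][f["iv"]] += 1
    reused = {b: {iv: n for iv, n in c.items() if n > 1} for b, c in iv_seen.items()}
    return {"aps": aps, "reused_ivs": {b: r for b, r in reused.items() if r}}


def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> bytes:
    """Why a repeated IV is a finding: with the same keystream on both frames, XOR-ing the
    two ciphertexts cancels the keystream and leaves plaintext1 XOR plaintext2."""
    c1 = parse_frame(frame1)["ciphertext"]
    c2 = parse_frame(frame2)["ciphertext"]
    return xor_bytes(c1, c2)


def expected_frames_until_iv_collision(iv_bits: int = 24) -> float:
    """Birthday bound: roughly sqrt(pi/2 * 2^n) randomly chosen IVs before the first repeat."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


# Constructed capture: two beacons and three protected data frames, two sharing an IV
P1 = b"GET /index.html HTTP/1.0\r\n"
P2 = b"HELO mail.example.test\r\n"
SAMPLE_FRAMES = [
    build_beacon(AP_DOUGNET, "Dougnet", privacy=True),
    build_beacon(AP_TSUNAMI, "tsunami", privacy=False),      # vendor default name, WEP off
    build_wep_data(AP_DOUGNET, STA_A, WIRED_HOST, 0x000001, P1),
    build_wep_data(AP_DOUGNET, STA_A, WIRED_HOST, 0x123456, P1),
    build_wep_data(AP_DOUGNET, STA_B, WIRED_HOST, 0x123456, P2),   # other station, same IV
]

if __name__ == "__main__":
    report = audit(SAMPLE_FRAMES)
    for bssid, ap in report["aps"].items():
        print(f"{bssid}  ssid={ap['ssid']!r}  wep={'on' if ap['privacy'] else 'OFF'}")
    for bssid, ivs in report["reused_ivs"].items():
        print(f"{bssid}  reused IVs: {[hex(iv) for iv in ivs]}")
    print(f"expected frames before first IV repeat: ~{expected_frames_until_iv_collision():.0f}"
          f" of a {2 ** 24} IV space")
```

The birthday figure is the reason the 24-bit IV matters even on a lightly loaded network: a few thousand frames, not sixteen million, are enough for the first repeat, and because no station-dependent value enters the keystream, the repeat is just as useful across stations as within one. A monitoring tool of this shape is how one would verify, from a capture of one's own network, whether an access point really enforces the Privacy bit and how often its clients are reusing IVs.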