Penetration Testing mailing list archives
RE: Dsniff'ng wireless networks
From: Bourque Daniel <Daniel.Bourque () loto-quebec com>
Date: Tue, 10 Jul 2001 11:04:34 -0400
What about the claim by Cisco that the 350, coupled with their Cisco Secure Access Control, permits each user to have its own key AND dynamic change of those keys?

-----Original Message-----
From: Michael H. Warfield [mailto:mhw () wittsend com]
Date: 9 July 2001 21:08
To: ed.rolison () power alstom com
Cc: pen-test () securityfocus com
Subject: Re: Dsniff'ng wireless networks

On Mon, Jul 09, 2001 at 09:09:58AM +0100, ed.rolison () power alstom com wrote:
Correct me if I'm wrong, but IIRC wireless lans are effectively switched.
You are wrong... They are broadcast media and one station can sniff another station as long as it can receive the RF. Often, one station might not be able to receive another station's RF because they are out of range of each other but not out of range of the high-gain access point antenna. But that is a far cry from "effectively switched" and is NOT something to rely on for security!
Each access point-NIC uses a separate encryption key (there are weaknesses but...)
You are VERY wrong. WEP uses a common shared key amongst ALL of the stations. In order to move between access points within a fully managed 802.11 network (multiple access points operating in cooperation) then all the access points have to have the same Network Name and WEP encryption keys. Most seem to support 4 decryption keys (Rx) and a single encryption key (Tx - One of the four Rx keys) but to have everything work uniformly, it would all have to be identical and it's ALL shared secrets.
and thus the NIC only 'sees' traffic being directed at it.
If that were true, then the WaveLAN sniffers would not be very effective. In fact, they are VERY effective.
It seems also that it's quite hard to get them to enter promiscuous mode for similar reasons - if it's listening to all the traffic, then the encryption breaks down.
1) It's a snap to get it into promiscuous mode. Tcpdump can do it on Linux, no mods necessary. You see 802.3 (ethernet) style frames and encapsulation. The 802.11 framing is stripped before presentation to the application layer.

2) It's a little more difficult to get it into RF Management/Monitor mode. In fact, we don't know how to get some cards (Lucent, Cabletron, etc) into this mode where we can monitor access point management frames. Other cards (Cisco Aironet 340 and 350) go into RF Management/Monitor mode very readily. I have several. I've seen them in action. :-) I prefer the 350. Better receive gain. Picks up much better than the 340. Also has better transmit power (but I'm not usually transmitting :-) ).

3) On Linux, some driver patches are required to report the ENTIRE 802.11 encapsulation to the application layer and then you need some modified libpcap libraries to handle them (they are different sized than 802.3). Once you have that, you can find out the ESSID, the Network Name, various AP parameters (like whether WEP is required or used), etc, etc, etc... Driving from home to work along a particular route, I know a dude in a certain apartment complex has "Dougnet" while a medical office further down the road has one named "toomanysecrets". It's amazing how many have purchased a particular brand with a particular default network name and I see "tsunami" showing up all over the map while driving around town.
You might have some joy, but the best I can see for collecting the datagrams would be something like a scanner (radio) interfaced to a computer. Of course, you still have to break the encryption, but there was an article posted to one of the securityfocus lists regarding 'weaknesses' in WEP.
Yes, there certainly are some "weaknesses" in WEP. You might want to look them over. They're incredibly lame, like reusing the undersized (24 bit) IV and NOT incorporating any station dependent information in the IV or cypherstream (so cracking one station using known plaintext cracks them all). Combine that with a simple XOR between the plaintext and the cypherstream (making it subject to XOR reduction attacks) and it's really pretty bad. "Bag on head" bad... "Go home in shame" bad... "Who forgot to invite the cryptographers to the meetings" bad...
(this is based on a little research I did into 802.11b YMMV)
Cheers Ed
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw () WittsEnd com
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!

--------------------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
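As an added illustration of the two weaknesses Michael describes (IV reuse with a key shared by every station, and plain XOR against the cipherstream), and of why a per-user, rotating key as in Daniel's question matters: this is example code written for this archive page, not from any poster. It keys RC4 with IV || shared key as WEP does, the 40-bit key, IV and payloads are constructed, and the CRC-32 ICV is omitted since it does not change the keystream argument.

```python
import math


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4 (KSA + PRGA); returns the first n keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style packet encryption: RC4 keyed with IV || shared key, then P xor keystream."""
    return xor(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


# LLC/SNAP header that starts every 802.11 data frame carrying IP: known plaintext.
SNAP_IP = bytes.fromhex("aaaa030000000800")


def keystream_from_known_plaintext(ciphertext: bytes, known: bytes) -> bytes:
    """P xor (P xor K) = K: a known prefix yields the keystream prefix for that IV."""
    return xor(ciphertext[: len(known)], known)


def expected_packets_to_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: about sqrt(pi/2 * 2**bits) random IVs before one repeats."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def demo() -> dict:
    shared = bytes.fromhex("0123456789")          # constructed 40-bit shared key (hypothetical)
    iv = bytes.fromhex("0a0b0c")                   # constructed IV; any station may pick it
    frame_a = SNAP_IP + b"station A payload"       # constructed frame from station A
    frame_b = SNAP_IP + b"station B payload"       # constructed frame from station B, same IV
    c_a = wep_encrypt(shared, iv, frame_a)
    c_b = wep_encrypt(shared, iv, frame_b)
    ks = keystream_from_known_plaintext(c_a, SNAP_IP)   # learned from station A only
    return {
        "same_keystream": rc4_keystream(iv + shared, 8) == ks,
        "b_prefix_recovered": xor(c_b[:8], ks) == SNAP_IP,        # strips station B's frame
        "xor_reduction": xor(c_a, c_b) == xor(frame_a, frame_b),  # key drops out entirely
        "packets_to_iv_repeat": expected_packets_to_iv_repeat(),
    }
```

The birthday figure shows a busy access point reuses an IV after only a few thousand frames, so a static shared key guarantees keystream reuse; per-station keys that rotate before that point are the mitigation the Cisco claim describes.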