Penetration Testing mailing list archives
RE: Dsniff'ng wireless networks
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Thu, 12 Jul 2001 19:08:15 -0400 (EDT)
Yes, still, how many of those improvements are currently in use?

Thanks,

Ron DuFresne

On Thu, 12 Jul 2001, Kohlenberg, Toby wrote:

> If you haven't done so yet, take a look at the revisions made for the
> next release of 802.11 - specifically 802.11i. There are a number of
> interesting improvements in the standard with regard to security. It
> has been significantly developed by Jesse Walker, who is definitely
> competent.
>
> Toby
>
> -----Original Message-----
> From: Dragos Ruiu [mailto:dr () kyx net]
> Sent: Wednesday, July 11, 2001 5:48 PM
> To: Michael H. Warfield; Bourque Daniel
> Cc: pen-test () securityfocus com
> Subject: Re: Dsniff'ng wireless networks
>
> IMHO the Cisco 350 (not the weaker gain cousin the 340) is _the_ card
> to get.... if for no other reason than you can crank that transmitter
> to a rangeful but unhealthy and battery frying three times the normal
> power rating of other typical cards (30mW vs. 100mW) or right down to
> a less unhealthy and battery saving 1mW with the OpenBSD drivers (and
> it works fine for me in an indoor residential setting at this minimal
> power level). As far as I have tested, none of the other cards/chipsets
> give you any useful power controls beyond the mostly lame "keep the
> transmitter on for so many milliseconds" settings, which mostly mess up
> your link without much savings.
>
> Never mind the fact that you can also use this card to break the
> shamefully bad crypto. :-)
>
> "Who forgot to invite the cryptographers?", indeed.
>
> cheers,
> --dr
>
> On Tue, 10 Jul 2001, Michael H. Warfield wrote:
>
> > On Tue, Jul 10, 2001 at 11:04:34AM -0400, Bourque Daniel wrote:
> >
> > > What about the claim by Cisco that the 350 coupled with their Cisco
> > > Secure Access Control permits each user to have its own key AND
> > > dynamic change of those keys?
> >
> > It's proprietary software on top of their cards. I'm still waiting to
> > see the software in action AND waiting to see Linux support. Till
> > then, it's still vaporware. IAC, it's certainly NOT what you are
> > going to find deployed in the field at this time.
> >
> > There is also the SLAN project up at SourceForge which is intended to
> > address the Wireless encryption problem. That has Linux and Windows
> > clients and is also supposed to address this, and not just be limited
> > to Cisco cards.
> >
> > > -----Original Message-----
> > > From: Michael H. Warfield [mailto:mhw () wittsend com]
> > > Date: July 9, 2001 21:08
> > > To: ed.rolison () power alstom com
> > > Cc: pen-test () securityfocus com
> > > Subject: Re: Dsniff'ng wireless networks
> > >
> > > On Mon, Jul 09, 2001 at 09:09:58AM +0100, ed.rolison () power alstom com wrote:
> > >
> > > > Correct me if I'm wrong, but IIRC wireless lans are effectively
> > > > switched.
> > >
> > > You are wrong... They are broadcast media and one station can sniff
> > > another station as long as it can receive the RF. Often, one
> > > station might not be able to receive another station's RF because
> > > they are out of range of each other but not out of range of the
> > > high-gain access point antenna. But that is a far cry from
> > > "effectively switched" and is NOT something to rely on for security!
> > >
> > > > Each access point-NIC uses a separate encryption key (there are
> > > > weaknesses but...)
> > >
> > > You are VERY wrong. WEP uses a common shared key amongst ALL of the
> > > stations. In order to move between access points within a fully
> > > managed 802.11 network (multiple access points operating in
> > > cooperation), all the access points have to have the same Network
> > > Name and WEP encryption keys. Most seem to support 4 decryption
> > > keys (Rx) and a single encryption key (Tx - one of the four Rx
> > > keys), but to have everything work uniformly it would all have to
> > > be identical, and it's ALL shared secrets.
> > >
> > > > and thus the NIC only 'sees' traffic being directed at it.
> > >
> > > If that were true, then the WaveLAN sniffers would not be very
> > > effective. In fact, they are VERY effective.
> > >
> > > > It seems also that it's quite hard to get them to enter
> > > > promiscuous mode for similar reasons - if it's listening to all
> > > > the traffic, then the encryption breaks down.
> > >
> > > 1) It's a snap to get it into promiscuous mode. Tcpdump can do it
> > > on Linux, no mods necessary. You see 802.3 (ethernet) style frames
> > > and encapsulation. The 802.11 framing is stripped before
> > > presentation to the application layer.
> > >
> > > 2) It's a little more difficult to get it into RF Management/Monitor
> > > mode. In fact, we don't know how to get some cards (Lucent,
> > > Cabletron, etc) into this mode where we can monitor access point
> > > management frames. Other cards (Cisco Aironet 340 and 350) go into
> > > RF Management/Monitor mode very readily. I have several. I've seen
> > > them in action. :-) I prefer the 350. Better receive gain. Picks up
> > > much better than the 340. Also has better transmit power (but I'm
> > > not usually transmitting :-) ).
> > >
> > > 3) On Linux, some driver patches are required to report the ENTIRE
> > > 802.11 encapsulation to the application layer, and then you need
> > > some modified libpcap libraries to handle them (they are different
> > > sized than 802.3). Once you have that, you can find out the ESSID,
> > > the Network Name, various AP parameters (like whether WEP is
> > > required or used), etc, etc, etc...
> > >
> > > Driving from home to work along a particular route, I know a dude
> > > in a certain apartment complex has "Dougnet" while a medical office
> > > further down the road has one named "toomanysecrets". It's amazing
> > > how many have purchased a particular brand with a particular default
> > > network name, and I see "tsunami" showing up all over the map while
> > > driving around town.
> > >
> > > > You might have some joy, but the best I can see for collecting
> > > > the datagrams would be something like a scanner (radio)
> > > > interfaced to a computer. Of course, you still have to break the
> > > > encryption, but there was an article posted to one of the
> > > > securityfocus lists regarding 'weaknesses' in WEP.
> > >
> > > Yes, there certainly are some "weaknesses" in WEP. You might want
> > > to look them over. They're incredibly lame, like reusing the
> > > undersized (24 bit) IV and NOT incorporating any station dependent
> > > information in the IV or cypherstream (so cracking one station
> > > using known plaintext cracks them all). Combine that with a simple
> > > XOR between the plaintext and the cypherstream (making it subject
> > > to XOR reduction attacks) and it's really pretty bad. "Bag on head"
> > > bad... "Go home in shame" bad... "Who forgot to invite the
> > > cryptographers to the meetings" bad...
> > >
> > > > (this is based on a little research I did into 802.11b YMMV)
> > > >
> > > > Cheers
> > > > Ed
> > > >
> > > > CONFIDENTIALITY: This e-mail and any attachments are confidential
> > > > and may be privileged. If you are not a named recipient, please
> > > > notify the sender immediately and do not disclose the contents to
> > > > another person, use it for any purpose, or store or copy the
> > > > information in any medium.
> > >
> > > Mike
> > > --
> > > Michael H. Warfield | (770) 985-6132 | mhw () WittsEnd com
> > > (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
> > > NIC whois: MHW9 | An optimist believes we live in the best of all
> > > PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
> >
> > Mike
> > --
> > Michael H. Warfield | (770) 985-6132 | mhw () WittsEnd com
> > (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
> > NIC whois: MHW9 | An optimist believes we live in the best of all
> > PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Current thread:
- Re: Dsniff'ng wireless networks, (continued)
- Re: Dsniff'ng wireless networks ed . rolison (Jul 09)
- Re: Dsniff'ng wireless networks Michael H. Warfield (Jul 10)
- RE: Dsniff'ng wireless networks Philip Cox (Jul 10)
- RE: Dsniff'ng wireless networks Jon Larimer (Jul 10)
- RE: Dsniff'ng wireless networks Matthew Jach (Jul 10)
- Re: Dsniff'ng wireless networks Michael H. Warfield (Jul 10)
- Re: Dsniff'ng wireless networks Joe Shaw (Jul 10)
- Re: Dsniff'ng wireless networks ed . rolison (Jul 09)
- RE: Dsniff'ng wireless networks Bourque Daniel (Jul 10)
- Re: Dsniff'ng wireless networks Michael H. Warfield (Jul 11)
- Re: Dsniff'ng wireless networks Dragos Ruiu (Jul 12)
- Re: Dsniff'ng wireless networks Michael H. Warfield (Jul 11)
- RE: Dsniff'ng wireless networks Kohlenberg, Toby (Jul 12)
- RE: Dsniff'ng wireless networks R. DuFresne (Jul 12)
- RE: Dsniff'ng wireless networks Kohlenberg, Toby (Jul 12)
- RE: Dsniff'ng wireless networks Mike . Ruscher (Jul 13)
- Replacing WEP was Re: Dsniff'ng wireless networks Simon Waters (Jul 17)
- Re: Replacing WEP was Re: Dsniff'ng wireless networks Crist Clark (Jul 22)
- Replacing WEP was Re: Dsniff'ng wireless networks Simon Waters (Jul 17)