RE: Wireless Lans give EVERYONE ACCESS

[Jonas Thambert <JonasT () guld spray se>]

WLAN is best used on a separate VLAN/NIC of the firewall in combination 
with VPN into the rest of the internal networks.

The VPN authentication is best handled my RSA, safeword or biometric
systems.

Even then its not safe since it only takes 15 min to decrypt the
40-bits key. Maybe WEP2 128-bits key will solve that :-)

/Jonas 

-----Original Message-----
From: Conal Darcy [mailto:hersh () blindskier com] 
Sent: den 8 augusti 2001 04:29
To: Russell Handorf
Cc: VULN-DEV () securityfocus com; bugtraq () securityfocus com
Subject: Re: Wireless Lans give EVERYONE ACCESS


But can't you just set up a firewall to block any packets from the wireless
device that claim they're coming from the loopback device (127.0.0.1)?

My experience with wireless devices is minimal so I may be wrong.

Conal Darcy
hersh () blindskier com

On Mon, 6 Aug 2001, Russell Handorf wrote:

> Traditional authentication with wireless lan's consist of the 
> following simplified procedure: 1). Wireless nic asks for an IP
> 2). Base station checks to see if the MAC Address can be passed.
> 3). If the authentication is successful then the DHCP server leases an IP
> to the Wireless nic.
>
> Today, I have circumvented the MAC Address authentication method, and 
> had also sniffed successfully on a switched network with wireless 
> stations on it without authentication into the network.
>
> For sniffing onto a wireless network without a registered MAC Address 
> AND using WEP Encryption Methods: 1). Set the MAC Address of the card 
> to 127.0.0.1 and the Netmask to 255.255.0.0 2). The card takes care of 
> the rest. Just sit back and listen to the sounds of the network (NOTE: 
> There will NOT be any DNS RESOLVING and quite possibly NO IP's will 
> show up, only the computers MAC Addressed) (Double
> NOTE: All you need is another machines MAC Address to start a 
> Man-in-the-Middle).
>
> For Getting an IP Address for Internet Connectivity:
> First Method requires that you have already sniffed on the network for 
> an extended amount of time. Needed information is the IP Ranges, 
> Netmask, and Gateway of the Lan. All of this can be acquired through 
> HUNT. All you do is sift through the data generated, find an IP that 
> hasn't sent any traffic take it and configure the other things (such 
> as Netmask and Gateway manually).
>
> Second method requires you to have physical access to the lan. Take a 
> hardwired nic and spoof it's MAC Address to that of the wireless nic's 
> address. Run a command like 
'pump,' swap cards and you should be on 
> the network.
>
> The following instructions were executed on a Dell laptop with Redhat 
> 7.0. The Ethernet card that was used is a Xircom 10/100 56k Combo 
> thingy and the wireless lan card is a Lucent Technologies Wavelan Gold 
> Turbo 128RC4.
>
> The base stations that these were tested on is a D-Link 1000AP, 
> Orinoco AP-1000 Access Point, Orinoco COR-1100, and Cisco Aironet 350 
> Series.
>
> Will someone else please confirm that this is successful?
>
>
> Thanks
>
> Russ
> ==================================
> Russell Handorf
> oooo, shiney ::Wanders after it::
>
> www.russells-world.com
> www.inside-aol.com
> www.terrorists.net
> www.bad-mother-fucker.org
> www.philly2600.net
>
> "Computer games don't affect kids, I mean if Pacman affected us as 
> kids, we'd all be running around in darkened rooms, munching pills and 
> listening to repetitive music." ~unknown 
> ==================================