Re: RFMON detection

[hax <uberhax () gmail com>]

> Curious; is it possible to remotely detect a sniffing wireless card that's in monitor mode?

The short answer is: no, it isn't.  RFmon mode is simply making the
card act like a radio, picking up all that's in the air.  Because of
this, sniffing with RFmon will show you all the packets going by
without you being connected to any AP.  You can't detect this, it's
like asking if you can detect someone tuned to a certain radio
station.  Also, I'm yet to see a card that can transmit while in
RFmon, so even if you try to do something that could be logged (making
a connection to the AP), it won't work.

Probe requests (the various *stumblers), however send out probe
packets to see if any networks reply.  Because this is a packet, even
though there's no associating with the AP, the MAC will be attached
and the probe attempt can be logged.

A really good paper can be found here:
http://home.jwu.edu/jwright/papers/l2-wlan-ids.pdf that discusses the
fingerprints left from various probing programs.  The paper also
suggests ways of baiting RFmon sniffers to connect where they can be
logged at L3, but I wouldn't recommend inviting trouble :)  At any
rate, RFmon isn't something that you can detect.

Oh dear, I'm rambling again :/
--hax

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------