Security Basics mailing list archives

Re: About War Driving ..


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Sat, 2 Dec 2006 14:59:07 +0100

On 2006-11-30 FatalSaint wrote:
Just a couple.. I'm kind of a noob here but:

1) Use WPA/TKIP instead of WEP.  Harder to crack (though not
impossible)

Please elaborate: how do you believe WPA could be cracked? I know that
WPA-PSK can be cracked if a weak passphrase is chosen, but I haven't yet
seen a mention of WPA-PSK with a strong passphrase or WPA/TKIP being
cracked.

2) Disable DHCP if you have it running or

Pointless, because the attacker can spoof a valid IP address.

2a) Enable static DHCP for the MAC Addresses of the authorized PCs

Pointless, because the attacker can spoof a valid MAC address.

3) MAC Address Filter your router

Pointless, because the attacker can spoof a valid MAC address.

4) Disable SSID Broadcast (easily got around by anyone with kismet..
but still an added layer)

Pointless, because the attacker doesn't need a broadcast SSID to detect
the WLAN.

5) If your router has the capability; explicitly allow only the IPs
for the machines you assign to get out to the internet.

Pointless, because the attacker can spoof a valid IP address.

6) Disable the torrent ports at the firewall .. I am not sure what
they are or if torrent will get around them by using port 80 instead.
(in actuality, in a business environment I'd disable -all- outgoing
ports except 80 and 443 - if someone needs specific access have your
net-admin explicitly allow their machine out.)

Not entirely pointless, but a) limits valid users as well, and b) is
only effective once the attacker already *got* access to your network.
Which is what you want to prevent in the first place.

7) You could get as detailed as static routing and limiting the amount
of bandwidth each machine/IP could use.

Pointless, because the attacker can spoof a valid MAC and IP address.

Log MAC Addresses.  If he's smart enough to crack your WEP then he's
prolly spoofing MACs.. but you could always go into your logs, see
which MAC is associated with that IP - and then go to all the machines
in your building that you can control and check the MAC Addresses -
might tell you which machine is doing it.

That only helps if you know how to locate that machine. Which is
exactly the problem the OP has (because with a WLAN you can't simply
follow the wire).

Some more advanced things could be to install a proxy server; require
the use of logins to get to the internet - then you can track by
login. Or even installing a transparent proxy and logging all
websites/communication out to the internet (this could cause a very
large logfile.)

That may work, but also means a lot of work. Plus, it just moves the
authentication to a higher layer. Why not just leave it in the network
layer? Has the same effect, is easier to set up, and keeps a potential
attacker entirely out of your network.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
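The exchange above argues that MAC filters and static DHCP are spoofable, while still suggesting that logged MAC/IP associations can help find an intruding machine. The added example below (not part of the thread) shows how a defender can audit such logs: it flags MACs missing from the static table, IP assignments that do not match the table, and an authorized MAC seen from two access points or with two IPs in the same window, which is the trace a cloned MAC leaves when the legitimate machine is online too. The log format, the MAC/IP values and the station table are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of access-point association log lines (assumed format).
SAMPLE_LOG = """\
2006-11-30 09:00:01 ap1 assoc mac=00:11:22:33:44:55 ip=192.168.1.10
2006-11-30 09:00:05 ap1 assoc mac=00:11:22:33:44:66 ip=192.168.1.11
2006-11-30 09:02:10 ap2 assoc mac=00:11:22:33:44:55 ip=192.168.1.23
2006-11-30 09:03:00 ap1 assoc mac=AA:BB:CC:DD:EE:FF ip=192.168.1.50
"""

# Constructed static-DHCP table: authorized MAC -> the IP it should always get.
AUTHORIZED = {
    "00:11:22:33:44:55": "192.168.1.10",
    "00:11:22:33:44:66": "192.168.1.11",
}

LINE_RE = re.compile(
    r"^(\S+ \S+) (\S+) assoc mac=([0-9A-Fa-f:]{17}) ip=(\S+)$"
)


def parse(log):
    """Yield (timestamp, ap, mac, ip) for every well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ap, mac, ip = m.groups()
            yield ts, ap, mac.lower(), ip


def audit(log, authorized):
    """Return findings as tuples whose first element names the finding kind."""
    findings = []
    seen = defaultdict(set)  # mac -> {(ap, ip), ...} observed in this window
    for ts, ap, mac, ip in parse(log):
        if mac not in authorized:
            # Not in the static table at all: the MAC filter should have dropped it.
            findings.append(("unknown_mac", ts, ap, mac, ip))
            continue
        if ip != authorized[mac]:
            # Known MAC, but with an IP the static lease never assigns to it.
            findings.append(("ip_mismatch", ts, ap, mac, ip))
        seen[mac].add((ap, ip))
    for mac, places in seen.items():
        if len(places) > 1:
            # One authorized MAC at two places/addresses at once: likely cloned.
            findings.append(("cloned_mac", mac, sorted(places)))
    return findings
```

The cloned_mac finding only appears while the real owner is also associated, which is exactly the limitation the reply points out: the log narrows the search but does not locate the rogue station.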