RE: Strange WLAN behavior

[Norealenemy <norealenemy () web de>]

Am Mittwoch, den 31.03.2010, 15:00 +1000 schrieb Murda:
> Let me get this straight;
> The MyWLAN is the rogue AP's SSID? Or your SSID?

my one

> It has no protection which is why your wife's laptop has connected so easily to it?

It is protected with wpa2 and a very long PW with special characters.

> The WLAN you have setup is using WPA2 with a long PW etc?

right

> What is she using to manage the connection(the Windows Wireless client or a client for the NIC itself?).

no NIC software, only M$ integrated.

> If MYWLAN is your AP/network then perhaps, somehow the pw has been compromised. Have you ever had anyone at your 
> house that you shared the pw with?

In our router is MAC filtering enabled. Only three MAC are allowed. Our
own two laptops and a friends one who lives 400 kilometers away. 
I don't believe that the PW has been figured out, but isn't it enough to
have the hash of the PW? (rainbowtable)

br Jensemann
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Norealenemy
> Sent: Tuesday, March 30, 2010 11:37 PM
> To: security-basics () securityfocus com
> Subject: Strange WLAN behavior
>
> Hello out there,
>
> since a couple of days my wife complained her bad wireless connection.
> She said that the System (XP) often disconnects and sometimes the
> connect messages says "connected to MyWLAN(insecure)" The WLAN is WPA2
> protected using a very log PW including special characters.
>
> So yesterday I had some time to play with her laptop and was wondering
> as I saw that her system told me to be connected to "MyWLAN" with 54
> MBits on the router she was connected with 48 MBits.
>
> I started kismet on my laptop and was sniffing the air on my channel.
> First thing I was wondering, was that MyWLAN has 7 (up to 9) Clients,
> but the most strange thing was, that when I was generating traffic on
> her laptop I saw the packet count growing on her and an absolute unknown
> MAC address. The packet count stops on both addresses and starts again
> growing when I start the ping (or anything else generating traffic)
> again.
>
> Does that mean that my wifes laptop connects to an attacker AP, that is
> forwarding her packets?
>
> - How can I find out who it is? 
> - What would you do next?
> - Is there a way to prevent such attacks?
>
>
> Thanks in advance Jensemann


-- 

           ,  ,                 __.   .  .          
.    ,._.*-+--+-_ ._    _ ._   (__  _.|_ | _ ._ ._ *
 \/\/ [  | |  |(/,[ )  (_)[ )  .__)(_.[ )|(/,[_)[_)|
                                             |  |   
 _, _, ,  _,    _, _,    _, ,    ,  ,   _,__,. , _, 
'_)|.|/| |.|___|.|'_)___'_)/|   /| /| *'_) /*|_|'_) 
/_.|_|.|.|_|   |_|._)   ._).|.  .|..|.*/_./ *  |/_. 
                                                    



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------