PaulDotCom mailing list archives

Episode 217p2: Slutty wireless network cards


From: Adrian Crenshaw <irongeek () irongeek com>
Date: Wed, 3 Nov 2010 12:41:39 -0400

Since you were talking about this in regards to Firesheep, I figured I
should bring the topic up.

Many people, even those that are in the know for most things, seem confused
as to Monitor mode (not associated, seeing management frames and all on a
channel) and Promiscuous (associated, essentially looks like Ethernet). If
someone asks about Promiscuous on a WiFi card, even the pros seem to assume
they are talking about Monitor. As far as I understand, Firesheep needs
Promiscuous mode, which on all Ethernet cards I've ever tested worked fine
with, but some/most WiFi cards do not seem to support (at least the ones I
have) and some do. Even if Promiscuous mode is not really supported, the
cards won't tell you. The only way I've been able to tell is to put the card
into Promiscuous with Wireshark, and see if I can see anything beyond
broadcast and my traffic. Here is an example of a test I did, and my
findings with two cards I have:

In Ubuntu 10.10 with Wireshark and with my built in Intel(R) Wireless WiFi
Link 4965AGN:
While associated with an ap, I could see traffic that was:
1. destined to me
2. broadcast
3. other clients' traffic that was neither destined to me nor broadcast.
in other words: Seemed to work just like an Ethernet card in promiscuous.

In Windows 7 64bit with Wireshark and with my built in Intel(R) Wireless
WiFi Link 4965AGN:
While associated with an ap, I could see traffic that was:
1. destined to me
2. broadcast
In other words, not really Promiscuous.

In Ubuntu 10.10 with Wireshark and with my Realtek RTL8187 based USB
adapter:
While associated with an ap, I could see traffic that was:
1. destined to me
2. broadcast
In other words, not really Promiscuous.

In Windows 7 64bit with Wireshark and with my built in Ubuntu 10.10 with
Wireshark and with my Realtek RTL8187 based USB adapter:
While associated with an ap, I could see traffic that was:
Wireshark did not even see the adapter.

In BT 4 R1 using my Realtek RTL8187 based USB adapter:
While associated with an ap, I could see traffic that was:
1. destined to me
2. broadcast
In other words, not really Promiscuous.

Stated another way, Promiscuous seems highly dependent on
drivers/firmware/OS used, but there is such a thing as a truly promiscuous
WiFi card. There is a workaround involving ARP poisoning the network so the
MAC addresses in the packet are destined to you, but that's noisy. The
reason someone may want to be in Promiscuous instead of Monitor mode is:

1. They want to be associated with the AP (though I understand that some
chip sets can do this anyway using virtual interfaces)
2. The tool they are trying to use does not support non-Ethernet link
types.

Joshua Wright wrote a tool that takes care of point two:

http://www.willhackforsushi.com/Home/Entries/2009/1/28_New_Tool%3A_wlan2eth.html
but it's still more convenient to be in Promiscuous sometimes, and I'm not
sure FireSheep would read from a pcap.

Side note: Windows Vista and newer do support Monitor mode, but I've only
seen one tool that seems to use this feature: Network Monitor.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en

Maybe Joshua can elaborate.

Request to the community: I'd love to see a list of WiFi cards that truly
support Promiscuous, and what OS and drivers you used.


Thanks for the show,
Adrian
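
The adapter test described in the post (capture while associated, then check for anything beyond broadcast and your own traffic) can be scripted against a saved capture. This is an added example, not part of the original message; the function names and the sample MAC addresses are hypothetical, and the helper frames are constructed.

```python
import struct

DLT_EN10MB = 1  # Ethernet-style link type, as seen while associated to an AP

def classify_capture(pcap_bytes, my_mac):
    """Count frames in a classic .pcap by who they are addressed to."""
    me = bytes.fromhex(my_mac.replace(":", ""))
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None or len(pcap_bytes) < 24:
        raise ValueError("not a classic microsecond-resolution pcap file")
    # Low 16 bits of the last header field carry the link type.
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0] & 0xFFFF
    if linktype != DLT_EN10MB:
        raise ValueError(f"link type {linktype} is not Ethernet (monitor-mode capture?)")
    counts = {"to_me": 0, "from_me": 0, "broadcast_multicast": 0, "other_unicast": 0}
    offset = 24
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame_bytes = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame_bytes) < 12:
            continue  # truncated record without a full pair of MAC addresses
        dst, src = frame_bytes[0:6], frame_bytes[6:12]
        if dst[0] & 1:  # group bit set: broadcast or multicast
            counts["broadcast_multicast"] += 1
        elif dst == me:
            counts["to_me"] += 1
        elif src == me:
            counts["from_me"] += 1
        else:  # unicast between two other stations
            counts["other_unicast"] += 1
    return counts

def looks_promiscuous(counts):
    """True only if unicast traffic between other stations was captured."""
    return counts["other_unicast"] > 0

def build_pcap(frames, linktype=DLT_EN10MB):
    """Constructed sample input: wrap raw frames in a little-endian pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def frame(dst, src):
    """Constructed 60-byte Ethernet frame with the given MAC addresses."""
    return bytes.fromhex((dst + src).replace(":", "")) + b"\x08\x00" + b"\x00" * 46
```

Save the Wireshark capture as classic pcap rather than pcapng before passing its bytes to `classify_capture`; a zero `other_unicast` count on a busy network matches the "not really Promiscuous" results above.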