PaulDotCom mailing list archives
Re: Episode 217p2: Slutty wireless network cards
From: David Porcello <DPorcello () vermontmutual com>
Date: Thu, 4 Nov 2010 08:48:23 -0400
Adrian, I hugely support this effort!! This has bugged me for years!

There is an excellent catalog of open source wireless drivers at http://en.wikipedia.org/wiki/Comparison_of_open_source_wireless_drivers; monitor mode support is indicated for each driver, but if promiscuous mode is a separate and distinct feature, this would be extremely useful to know!

I've yet to find a similar reference for Windows wireless drivers. NDIS 6 supposedly supports monitor mode, but which chipsets/drivers support NDIS 6?

<< The Microsoft Windows Network Driver Interface Specification (NDIS) API does not support any extensions for wireless monitor mode in older versions of Windows. With NDIS 6, available in Windows Vista and later versions of Windows, it is possible to enable monitor mode.[1] NDIS 6 supports exposing 802.11 frames to the upper protocol levels;[2] with previous versions of NDIS only fake Ethernet frames translated from the 802.11 data frames can be exposed to the upper protocol levels. >>
(http://en.wikipedia.org/wiki/Monitor_mode)

From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Adrian Crenshaw
Sent: Wednesday, November 03, 2010 12:42 PM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] Episode 217p2: Slutty wireless network cards

Since you were talking about this in regards to Firesheep, I figured I should bring the topic up. Many people, even those that are in the know for most things, seem confused as to Monitor mode (not associated, seeing management frames and all on a channel) and Promiscuous (associated, essentially looks like Ethernet). If someone asks about Promiscuous on a WiFi card, even the pros seem to assume they are talking about Monitor. As far as I understand, Firesheep needs Promiscuous mode, which on all Ethernet cards I've ever tested worked fine with, but some/most WiFi cards do not seem to support (at least the ones I have) and some do.

Even if Promiscuous mode is not really supported, the cards won't tell you. The only way I've been able to tell is to put the card into Promiscuous with Wireshark, and see if I can see anything beyond broadcast and my traffic. Here is an example of a test I did, and my findings with two cards I have:

In Ubuntu 10.10 with Wireshark and with my built in Intel(R) Wireless WiFi Link 4965AGN:
While associated with an AP, I could see traffic that was:
1. destined to me
2. broadcast
3. other clients' traffic that was neither destined to me nor broadcast.
In other words: seemed to work just like an Ethernet card in promiscuous.

In Windows 7 64bit with Wireshark and with my built in Intel(R) Wireless WiFi Link 4965AGN:
While associated with an AP, I could see traffic that was:
1. destined to me
2. broadcast
In other words, not really Promiscuous.

In Ubuntu 10.10 with Wireshark and with my Realtek RTL8187 based USB adapter:
While associated with an AP, I could see traffic that was:
1. destined to me
2. broadcast
In other words, not really Promiscuous.

In Windows 7 64bit with Wireshark and with my built in Ubuntu 10.10 with Wireshark and with my Realtek RTL8187 based USB adapter:
While associated with an AP, I could see traffic that was:
Wireshark did not even see the adapter.

In BT 4 R1 using my Realtek RTL8187 based USB adapter:
While associated with an AP, I could see traffic that was:
1. destined to me
2. broadcast
In other words, not really Promiscuous.

Stated another way, Promiscuous seems highly dependent on drivers/firmware/OS used, but there is such a thing as a truly promiscuous WiFi card. There is a workaround involving ARP poisoning the network so the MAC addresses in the packet are destined to you, but that's noisy.

The reason someone may want to be in Promiscuous instead of Monitor mode is:
1. They want to be associated with the AP (though I understand that some chip sets can do this anyway using virtual interfaces)
2. The tool they are trying to use does not support non-Ethernet link types.

Joshua Wright wrote a tool that takes care of point two:
http://www.willhackforsushi.com/Home/Entries/2009/1/28_New_Tool%3A_wlan2eth.html
but it's still more convenient to be in Promiscuous sometimes, and I'm not sure FireSheep would read from a pcap.

Side note: Windows Vista and newer do support Monitor mode, but I've only seen one tool that seems to use this feature: Network Monitor.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en
Maybe Joshua can elaborate.

Request to the community: I'd love to see a list of WiFi cards that truly support Promiscuous, and what OS and drivers you used.

Thanks for the show,
Adrian
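The Wireshark check described in the quoted message (is there any unicast traffic in the capture that is neither to nor from my own station?) can be run over a saved Ethernet-link-type capture. The Python below is an added example, not part of either post; the function names are hypothetical and the MAC addresses and both sample captures are constructed.

```python
import struct
from collections import Counter

def classify_capture(pcap_bytes, my_mac):
    """Count Ethernet frames in a classic (microsecond) pcap by destination class."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    if linktype != 1:  # 1 = Ethernet; monitor-mode captures use 802.11 link types
        raise ValueError("link type %d is not Ethernet" % linktype)
    me = bytes.fromhex(my_mac.replace(":", ""))
    counts, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:
            counts["truncated"] += 1
        elif frame[0] & 1:                     # group bit: broadcast or multicast
            counts["broadcast_multicast"] += 1
        elif me in (frame[0:6], frame[6:12]):  # to or from this station
            counts["mine"] += 1
        else:                                  # unicast between other stations
            counts["other_unicast"] += 1
    return counts

def looks_promiscuous(counts):
    """True only if the card delivered unicast frames not addressed to us."""
    return counts["other_unicast"] > 0

# --- constructed sample data (not real captures) ---
ME, AP, OTHER, BCAST = "020000000001", "020000000002", "020000000003", "ffffffffffff"

def _frame(dst, src):
    return bytes.fromhex(dst + src) + b"\x08\x00" + b"\x00" * 20

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

WORKING = _pcap([_frame(ME, AP), _frame(BCAST, AP), _frame(AP, OTHER)])
LIMITED = _pcap([_frame(ME, AP), _frame(BCAST, AP)])
```

A zero `other_unicast` count only means something if another client on the same AP was generating unicast traffic while the capture ran.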