PaulDotCom mailing list archives

Re: Episode 217p2: Slutty wireless network cards


From: David Porcello <DPorcello () vermontmutual com>
Date: Thu, 4 Nov 2010 08:48:23 -0400

Adrian, I hugely support this effort!! This has bugged me for years! There is an excellent catalog of open source 
wireless drivers at http://en.wikipedia.org/wiki/Comparison_of_open_source_wireless_drivers; monitor mode support is 
indicated for each driver, but if promiscuous mode is a separate and distinct feature, this would be extremely useful 
to know!

I've yet to find a similar reference for Windows wireless drivers. NDIS 6 supposedly supports monitor mode, but which 
chipsets/drivers support NDIS 6?

<< The Microsoft Windows Network Driver Interface Specification (NDIS) API does not support any extensions for wireless 
monitor mode in older versions of Windows. With NDIS 6, available in Windows Vista and later versions of Windows, it is 
possible to enable monitor mode.[1] NDIS 6 supports exposing 802.11 frames to the upper protocol levels;[2] with 
previous versions of NDIS only fake Ethernet frames translated from the 802.11 data frames can be exposed to the upper 
protocol levels. >> (http://en.wikipedia.org/wiki/Monitor_mode)


From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Adrian 
Crenshaw
Sent: Wednesday, November 03, 2010 12:42 PM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] Episode 217p2: Slutty wireless network cards

Since you were talking about this in regards to Firesheep, I figured I should bring the topic up.

Many people, even those that are in the know for most things, seem confused as to Monitor mode (not associated, seeing 
management frames and all on a channel) and Promiscuous (associated, essentially looks like Ethernet). If someone asks 
about Promiscuous on a WiFi card, even the pros seem to assume they are talking about Monitor. As far as I understand, 
Firesheep needs Promiscuous mode, which on all Ethernet cards I've ever tested worked fine with, but some/most WiFi 
cards do not seem to support (at least the ones I have) and some do. Even if Promiscuous mode is not really supported, 
the cards won't tell you. The only way I've been able to tell is to put the card into Promiscuous with Wireshark, and 
see if I can see anything beyond broadcast and my traffic. Here is an example of a test I did, and my findings with two 
cards I have:

In Ubuntu 10.10 with Wireshark and with my built in Intel(R) Wireless WiFi Link 4965AGN:
While associated with an ap, I could see traffic that was:
1. destined to me
2. broadcast
3. other clients traffic that was neither destined to me nor broadcast.
in other words: Seemed to work just like an Ethernet card in promiscuous.

In Windows 7 64bit with Wireshark and with my built in Intel(R) Wireless WiFi Link 4965AGN:
While associated with an ap, I could see traffic that was:
1. destined to me
2. broadcast
In other words, not really Promiscuous.

In Ubuntu 10.10 with Wireshark and with my Realtek RTL8187 based USB adapter:
While associated with an ap, I could see traffic that was:
1. destined to me
2. broadcast
In other words, not really Promiscuous.

In Windows 7 64bit with Wireshark and with my built in Ubuntu 10.10 with Wireshark and with my Realtek RTL8187 based 
USB adapter:
While associated with an ap, I could see traffic that was:
Wireshark did not even see the adapter.

In BT 4 R1 using my Realtek RTL8187 based USB adapter:
While associated with an ap, I could see traffic that was:
1. destined to me
2. broadcast
In other words, not really Promiscuous.

Stated another way, Promiscuous seems highly dependent on drivers/firmware/OS used, but there is such a thing as a 
truly promiscuous WiFi card. There is a workaround involving ARP poisoning the network so the MAC addresses in the packet 
are destined to you, but that's noisy. The reason someone may want to be in Promiscuous instead of Monitor mode is:

1. They want to be associated with the AP (though I understand that some chip sets can do this anyway using virtual 
interfaces)
2. The tool they are trying to use does not support non-Ethernet link types.

Joshua Wright wrote a tool that takes care of point two:

http://www.willhackforsushi.com/Home/Entries/2009/1/28_New_Tool%3A_wlan2eth.html
but it's still more convenient to be in Promiscuous sometimes, and I'm not sure FireSheep would read from a pcap.

Side note: Windows Vista and newer do support Monitor mode, but I've only seen one tool that seems to use this feature: 
Network Monitor.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en

Maybe Joshua can elaborate.

Request to the community: I'd love to see a list of WiFi cards that truly support Promiscuous, and what OS and drivers 
you used.


Thanks for the show,
Adrian
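
Added example, not part of either e-mail: a Python sketch of the check Adrian describes doing by eye in Wireshark, bucketing Ethernet-framed packets captured while associated to decide whether the card delivered other clients' unicast traffic. The MAC addresses and frames are constructed, and multicast is counted separately from broadcast, since group-addressed frames reach every station and say nothing about promiscuous support.

```python
from collections import Counter

BROADCAST = b"\xff" * 6

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def eth(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed Ethernet II frame for the samples below."""
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big") + payload

def classify(frame, my_mac):
    """Bucket one Ethernet-framed packet by destination/source MAC."""
    if len(frame) < 14:
        return "truncated"
    dst, src = frame[0:6], frame[6:12]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:  # I/G bit set: group (multicast) address
        return "multicast"
    if dst == my_mac:
        return "to_me"
    if src == my_mac:
        return "from_me"
    return "other_unicast"  # unicast between two other stations

def promiscuous_verdict(frames, my_mac):
    """Return (saw_third_party_unicast, per-bucket counts)."""
    counts = Counter(classify(f, my_mac) for f in frames)
    return counts["other_unicast"] > 0, counts

# Constructed sample data (locally administered MACs, not from the thread).
ME, PEER, GW = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:fe"
FILTERED = [
    eth(ME, GW),                              # reply to me
    eth(GW, ME),                              # my own request
    eth("ff:ff:ff:ff:ff:ff", PEER, 0x0806),   # peer's ARP broadcast
    eth("01:00:5e:00:00:fb", PEER),           # peer's mDNS multicast
]
PROMISC = FILTERED + [eth(GW, PEER)]          # peer's unicast to the gateway

if __name__ == "__main__":
    for name, capture in (("FILTERED", FILTERED), ("PROMISC", PROMISC)):
        ok, counts = promiscuous_verdict(capture, mac(ME))
        print(name, "promiscuous" if ok else "not really promiscuous", dict(counts))
```

A zero in the `other_unicast` bucket is only meaningful if another client was actually exchanging unicast traffic on the same AP during the capture.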
