Penetration Testing mailing list archives

Re: Dsniff'ng wireless networks


From: "Michael H. Warfield" <mhw () wittsend com>
Date: Mon, 9 Jul 2001 21:08:00 -0400

On Mon, Jul 09, 2001 at 09:09:58AM +0100, ed.rolison () power alstom com wrote:

> Correct me if I'm wrong, but IIRC wireless LANs are effectively switched.

        You are wrong...  They are broadcast media and one station can
sniff another station as long as it can receive the RF.  Often, one
station might not be able to receive another station's RF because they
are out of range of each other but not out of range of the high-gain
access point antenna.  But that is a far cry from "effectively switched"
and is NOT something to rely on for security!

> Each access point-NIC uses a separate encryption key (there are weaknesses
> but...)

        You are VERY wrong.  WEP uses a common shared key amongst ALL
of the stations.  In order to move between access points within a
fully managed 802.11 network (multiple access points operating
in cooperation) then all the access points have to have the same
Network Name and WEP encryption keys.  Most seem to support 4 decryption
keys (Rx) and a single encryption key (Tx - One of the four Rx keys)
but to have everything work uniformly, it would all have to be identical
and it's ALL shared secrets.

> and thus the NIC only 'sees' traffic being directed at it.

        If that were true, then the WaveLAN sniffers would not be
very effective.  In fact, they are VERY effective.

> It seems also that it's quite hard to get them to enter promiscuous mode for
> similar reasons - if it's listening to all the traffic, then the encryption
> breaks down.

        1) It's a snap to get it into promiscuous mode.  Tcpdump can do
it on Linux, no mods necessary.  You see 802.3 (ethernet) style frames
and encapsulation.  The 802.11 framing is stripped before presentation
to the application layer.

        2) It's a little more difficult to get it into RF Management/Monitor
mode.  In fact, we don't know how to get some cards (Lucent, Cabletron, etc)
into this mode where we can monitor access point management frames.  Other
cards (Cisco Aironet 340 and 350) go into RF Management/Monitor mode very
readily.  I have several.  I've seen them in action.  :-)  I prefer the
350.  Better receive gain.  Picks up much better than the 340.  Also has
better transmit power (but I'm not usually transmitting :-) ).

        3) On Linux, some driver patches are required to report the ENTIRE
802.11 encapsulation to the application layer and then you need some modified
libpcap libraries to handle them (they are different sized than 802.3).
Once you have that, you can find out the ESSID, the Network Name, various
AP parameters (like whether WEP is required or used), etc, etc, etc...

        Driving from home to work along a particular route, I know a dude
in a certain apartment complex has "Dougnet" while a medical office further
down the road has one named "toomanysecrets".  It's amazing how many
have purchased a particular brand with a particular default network name
and I see "tsunami" showing up all over the map while driving around town.

> You might have some joy, but the best I can see for collecting the datagrams
> would be something like a scanner (radio) interfaced to a computer. Of course,
> you still have to break the encryption, but there was an article posted to one
> of the securityfocus lists regarding 'weaknesses' in WEP.

        Yes, there certainly are some "weaknesses" in WEP.  You might want
to look them over.  They're incredibly lame, like reusing the undersized
(24 bit) IV and NOT incorporating any station dependent information in
the IV or cypherstream (so cracking one station using known plaintext
cracks them all).  Combine that with a simple XOR between the plaintext
and the cypherstream (making it subject to XOR reduction attacks) and it's
really pretty bad.  "Bag on head" bad...  "Go home in shame" bad...
"Who forgot to invite the cryptographers to the meetings" bad...

> (this is based on a little research I did into 802.11b YMMV)

> Cheers
> Ed


        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
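The AP parameters the reply says become visible once the full 802.11 header reaches the application (the ESSID / Network Name and whether WEP is required) are carried in the access point's beacon frame. As an added example, not code from this thread nor from any driver or libpcap patch it mentions, here is a small Python parser that reads those fields from a constructed beacon; `build_beacon`, `parse_beacon`, `wep_networks`, the BSSIDs and the sample SSIDs are all assumptions made for the illustration. From a defender's side this is the inventory check: which of your own networks still advertise the Privacy bit.

```python
"""Read BSSID, ESSID and the Privacy (WEP) capability bit from an 802.11
beacon frame, as a monitor-mode capture would deliver it (full 802.11 header,
no 802.3 translation).  Constructed example: frames are built locally."""
import struct

CAP_PRIVACY = 0x0010  # capability-info bit 4: WEP is required on this network
TAG_SSID = 0          # tagged-parameter id of the SSID / network name
TAG_RATES = 1         # supported rates; present so the parser must walk past it


def build_beacon(bssid: bytes, ssid: bytes, privacy: bool, interval: int = 100) -> bytes:
    """Construct a beacon: 24-byte MAC header, fixed fields, then tagged parameters.
    Frame control 0x0080 little-endian = type management (0), subtype beacon (8)."""
    header = struct.pack("<HH6s6s6sH", 0x0080, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, interval, CAP_PRIVACY if privacy else 0)  # timestamp, interval, capability
    tags = bytes([TAG_SSID, len(ssid)]) + ssid
    tags += bytes([TAG_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1/2/5.5/11 Mbit basic rates
    return header + fixed + tags


def parse_beacon(frame: bytes) -> dict:
    """Return bssid, ssid, beacon interval and whether the Privacy bit is set.
    Stops at a truncated tagged element instead of reading past the frame."""
    if len(frame) < 36:
        raise ValueError("frame too short to be a beacon")
    if frame[0] & 0xFC != 0x80:  # mask the two protocol-version bits
        raise ValueError("not a management/beacon frame")
    bssid = frame[16:22]  # address 3 of a beacon is the BSSID
    interval, cap = struct.unpack_from("<HH", frame, 32)  # after the 8-byte timestamp
    ssid = None
    pos = 36
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if len(value) < length:  # element runs past the end of the frame
            break
        if tag == TAG_SSID:
            ssid = value.decode("utf-8", errors="replace")  # empty string = hidden SSID
        pos += 2 + length
    return {"bssid": bssid.hex(":"), "ssid": ssid, "interval": interval,
            "wep": bool(cap & CAP_PRIVACY)}


def wep_networks(frames) -> list:
    """Inventory helper: (ssid, bssid) of every distinct BSSID advertising WEP."""
    seen = {}
    for frame in frames:
        try:
            info = parse_beacon(frame)
        except ValueError:
            continue  # not a beacon, or malformed: skip rather than abort the sweep
        if info["wep"]:
            seen[info["bssid"]] = info["ssid"]
    return sorted((ssid, bssid) for bssid, ssid in seen.items())


# Constructed sample frames; the names echo the ones mentioned in the thread.
SAMPLE_FRAMES = [
    build_beacon(b"\x00\x02\x2d\x00\x00\x01", b"toomanysecrets", True),
    build_beacon(b"\x00\x02\x2d\x00\x00\x02", b"tsunami", False),
    build_beacon(b"\x00\x02\x2d\x00\x00\x01", b"toomanysecrets", True),  # same AP seen twice
    b"\x08\x00" + b"\x00" * 34,  # a data frame, not a beacon
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES[:2]:
        print(parse_beacon(f))
    print("still on WEP:", wep_networks(SAMPLE_FRAMES))
```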

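The three WEP complaints in the reply (the undersized 24-bit IV, no station-dependent input to the keystream, and a plain XOR of plaintext with the cypherstream) add up to one concrete failure: two frames sent under the same IV and the shared key get the same RC4 keystream, so the keystream cancels out of the XOR of their ciphertexts, and a known plaintext for either frame yields the keystream that decrypts the other, whichever station sent it. The Python reconstruction below is an added example, not code from the thread; the RC4 core is the textbook key schedule and generator, the 40-bit key, IV and packet contents are constructed, and the CRC-32 ICV that WEP appends is left out because it does not affect the keystream argument. `iv_collision_probability` is the birthday bound on how soon a busy network repeats a 24-bit IV.

```python
"""Why a 24-bit IV plus one key shared by every station breaks WEP.
Constructed example; RC4 core is the standard KSA/PRGA."""
import math


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling, then n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP body encryption: per-packet RC4 key is IV || shared key, with the IV
    sent in the clear.  Nothing identifying the sending station enters the key."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def wep_decrypt(shared_key: bytes, packet: bytes) -> bytes:
    iv, body = packet[:3], packet[3:]
    return xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))


def recover_keystream(known_plaintext: bytes, packet: bytes) -> bytes:
    """Known plaintext for one packet gives the keystream for that IV (and so for
    every other packet, from any station, that reuses the IV)."""
    return xor_bytes(packet[3:], known_plaintext)


def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Birthday bound: chance that at least two of `packets` frames share an IV."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))


def demo() -> dict:
    key = b"\x01\x02\x03\x04\x05"       # constructed 40-bit shared key, same on every station
    iv = b"\x00\x00\x42"                # constructed IV that two stations happen to reuse
    p_a = b"GET /index.html HTTP/1.0"   # station A's plaintext (constructed)
    p_b = b"dougs-secret-password!!!"   # station B's plaintext (constructed)
    c_a = wep_encrypt(key, iv, p_a)
    c_b = wep_encrypt(key, iv, p_b)
    # Same IV + same shared key => identical keystream, so it cancels in the XOR.
    cancelled = xor_bytes(c_a[3:], c_b[3:]) == xor_bytes(p_a, p_b)
    # Knowing A's plaintext (a predictable request) exposes B's packet.
    p_b_recovered = xor_bytes(c_b[3:], recover_keystream(p_a, c_a))
    return {"keystream_cancelled": cancelled, "station_b_recovered": p_b_recovered}


if __name__ == "__main__":
    print(demo())
    for n in (1000, 5000, 10000):
        print(f"{n:>6} frames: P(IV reuse) = {iv_collision_probability(n):.3f}")
```

The IV space is the whole story for a shared key: the collision probability depends only on frame count, not on how many stations or how long the key is, which is why a longer WEP key never helped against this.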