Penetration Testing mailing list archives

RE: Dsniff'ng wireless networks


From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Thu, 12 Jul 2001 16:36:15 -0700

None of them are in use and even once the standard gets approved,
it will still be another 8 months before vendors send out silicon
that supports it.

toby

-----Original Message-----
From: R. DuFresne [mailto:dufresne () sysinfo com]
Sent: Thursday, July 12, 2001 4:08 PM
To: Kohlenberg, Toby
Cc: 'Dragos Ruiu'; Michael H. Warfield; Bourque Daniel;
pen-test () securityfocus com
Subject: RE: Dsniff'ng wireless networks



Yes, still, how many of those improvements are currently in use?


Thanks,

Ron DuFresne

On Thu, 12 Jul 2001, Kohlenberg, Toby wrote:

If you haven't done so yet, take a look at the revisions made for the
next release of 802.11, specifically 802.11i. There are a number of
interesting improvements in the standard with regard to security. It has
been significantly developed by Jesse Walker, who is definitely competent.

Toby

-----Original Message-----
From: Dragos Ruiu [mailto:dr () kyx net]
Sent: Wednesday, July 11, 2001 5:48 PM
To: Michael H. Warfield; Bourque Daniel
Cc: pen-test () securityfocus com
Subject: Re: Dsniff'ng wireless networks


IMHO the Cisco 350 (not the weaker gain cousin, the 340) is _the_ card to
get.... if for no other reason than you can crank that transmitter to a
rangeful but unhealthy and battery frying three times the normal power
rating of other typical cards (30mW vs. 100mW) or right down to a less
unhealthy and battery saving 1mW with the OpenBSD drivers (and it works
fine for me in an indoor residential setting at this minimal power level).
As far as I have tested, none of the other cards/chipsets give you any
useful power controls beyond the mostly lame "keep the transmitter on for
so many milliseconds" settings, which mostly mess up your link without
much savings. Never mind the fact that you can also use this card to
break the shamefully bad crypto. :-)
"Who forgot to invite the cryptographers?", indeed.

cheers,
--dr



On Tue, 10 Jul 2001, Michael H. Warfield wrote:
On Tue, Jul 10, 2001 at 11:04:34AM -0400, Bourque Daniel wrote:

What about the claim by Cisco that the 350, coupled with their Cisco
Secure Access Control, permits each user to have its own key AND dynamic
change of those keys?

        It's proprietary software on top of their cards.  I'm still
waiting to see the software in action AND waiting to see Linux support.
Till then, it's still vaporware.  IAC, it's certainly NOT what you are
going to find deployed in the field at this time.

        There is also the SLAN project up at SourceForge which is
intended to address the wireless encryption problem.  That has Linux and
Windows clients and is also supposed to address this, and not just be
limited to Cisco cards.

-----Original Message-----
From: Michael H. Warfield [mailto:mhw () wittsend com]
Date: 9 July 2001 21:08
To: ed.rolison () power alstom com
Cc: pen-test () securityfocus com
Subject: Re: Dsniff'ng wireless networks


On Mon, Jul 09, 2001 at 09:09:58AM +0100, ed.rolison () power alstom com wrote:

Correct me if I'm wrong, but IIRC wireless LANs are effectively switched.

      You are wrong...  They are broadcast media and one station can
sniff another station as long as it can receive the RF.  Often, one
station might not be able to receive another station's RF because they
are out of range of each other but not out of range of the high-gain
access point antenna.  But that is a far cry from "effectively switched"
and is NOT something to rely on for security!

Each access point-NIC uses a separate encryption key (there are
weaknesses but...)

      You are VERY wrong.  WEP uses a common shared key amongst ALL of
the stations.  In order to move between access points within a fully
managed 802.11 network (multiple access points operating in cooperation),
all the access points have to have the same Network Name and WEP
encryption keys.  Most seem to support 4 decryption keys (Rx) and a
single encryption key (Tx - one of the four Rx keys), but to have
everything work uniformly, it would all have to be identical and it's
ALL shared secrets.

and thus the NIC only 'sees' traffic being directed at it.

      If that were true, then the WaveLAN sniffers would not be very
effective.  In fact, they are VERY effective.

It seems also that it's quite hard to get them to enter promiscuous mode
for similar reasons - if it's listening to all the traffic, then the
encryption breaks down.

      1) It's a snap to get it into promiscuous mode.  Tcpdump can do it
on Linux, no mods necessary.  You see 802.3 (ethernet) style frames and
encapsulation.  The 802.11 framing is stripped before presentation to
the application layer.

      2) It's a little more difficult to get it into RF Management/Monitor
mode.  In fact, we don't know how to get some cards (Lucent, Cabletron,
etc) into this mode where we can monitor access point management frames.
Other cards (Cisco Aironet 340 and 350) go into RF Management/Monitor
mode very readily.  I have several.  I've seen them in action.  :-)
I prefer the 350.  Better receive gain.  Picks up much better than the
340.  Also has better transmit power (but I'm not usually transmitting :-) ).

      3) On Linux, some driver patches are required to report the ENTIRE
802.11 encapsulation to the application layer and then you need some
modified libpcap libraries to handle them (they are different sized than
802.3).  Once you have that, you can find out the ESSID, the Network
Name, various AP parameters (like whether WEP is required or used),
etc, etc, etc...

      Driving from home to work along a particular route, I know a dude
in a certain apartment complex has "Dougnet" while a medical office
further down the road has one named "toomanysecrets".  It's amazing how
many have purchased a particular brand with a particular default network
name and I see "tsunami" showing up all over the map while driving
around town.

You might have some joy, but the best I can see for collecting the
datagrams would be something like a scanner (radio) interfaced to a
computer. Of course, you still have to break the encryption, but there
was an article posted to one of the securityfocus lists regarding
'weaknesses' in WEP.

      Yes, there certainly are some "weaknesses" in WEP.  You might want
to look them over.  They're incredibly lame, like reusing the undersized
(24 bit) IV and NOT incorporating any station dependent information in
the IV or cypherstream (so cracking one station using known plaintext
cracks them all).  Combine that with a simple XOR between the plaintext
and the cypherstream (making it subject to XOR reduction attacks) and
it's really pretty bad.  "Bag on head" bad...  "Go home in shame" bad...
"Who forgot to invite the cryptographers to the meetings" bad...

(this is based on a little research I did into 802.11b YMMV)

Cheers
Ed


      Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!





----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
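The two WEP defects Mike lists (a 24-bit IV that repeats, and a plaintext XORed against a keystream shared by every station) can be shown numerically. This is an added example, not code from the thread: the birthday bound gives the chance that some IV has already repeated after a given number of frames, and a toy XOR stream cipher with random keystream bytes (a stand-in for WEP's RC4 output, not RC4 itself) shows that two frames under one reused keystream leak the XOR of their plaintexts, which is why per-station keys and non-repeating IVs matter for a defender.

```python
"""Added example: why WEP's 24-bit IV and shared XOR keystream are a problem."""
import os
from math import exp

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 distinct IVs


def iv_collision_probability(packets: int, iv_space: int = IV_SPACE) -> float:
    """Birthday-bound probability that at least one IV has repeated after
    `packets` frames with uniformly random IVs: 1 - exp(-n(n-1)/2N)."""
    n = packets
    return 1.0 - exp(-n * (n - 1) / (2.0 * iv_space))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # Equal-length inputs are assumed; zip truncates otherwise.
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    """Stand-in for WEP's per-IV keystream: ciphertext = plaintext XOR keystream."""
    return xor_bytes(plaintext, keystream)


def leak_from_reused_keystream(c1: bytes, c2: bytes) -> bytes:
    """Two frames encrypted under the same IV share a keystream, which
    cancels under XOR and leaves plaintext1 XOR plaintext2 with no key."""
    return xor_bytes(c1, c2)


def recover_with_known_plaintext(c1: bytes, p1: bytes, c2: bytes) -> bytes:
    """If one frame's plaintext is known (a predictable header, say),
    the other frame's plaintext falls straight out of the leaked XOR."""
    return xor_bytes(leak_from_reused_keystream(c1, c2), p1)


def demo() -> dict:
    # Constructed sample frames (equal length) and a constructed random keystream.
    p1 = b"GET /index.html HTTP/1.0\r\n"
    p2 = b"user=ed&session=0042&ok!\r\n"
    shared_keystream = os.urandom(len(p1))  # same IV => same keystream
    c1 = toy_encrypt(p1, shared_keystream)
    c2 = toy_encrypt(p2, shared_keystream)
    return {
        "p_iv_repeat_after_5000_frames": iv_collision_probability(5000),
        "xor_of_plaintexts_leaked": leak_from_reused_keystream(c1, c2) == xor_bytes(p1, p2),
        "p2_recovered_from_known_p1": recover_with_known_plaintext(c1, p1, c2) == p2,
    }


if __name__ == "__main__":
    print(demo())
```

Even with random IV selection the repeat probability passes one half after roughly five thousand frames, and a sequential IV counter simply wraps after 2^24 frames.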


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!





