Penetration Testing mailing list archives

Re: [PEN-TEST] Penetrating Wireless Networks


From: Phil Cox <Phil.Cox () SystemExperts com>
Date: Sun, 11 Mar 2001 21:40:58 -0800

For example, one is able to run
tcpdump and other goodies on the wireless card just like on regular
NICs.

Yes, it's just as a normal network.

To be perfectly clear, are you saying that you see the 802.11 traffic on the
frequency channel you are listening on (on the system running tcpdump), *or*
that tcpdump is showing you all the packets that the Access Point is sending
back to it (which is most traffic, as it is a broadcast medium)? There is a
significant difference in my mind, as in the former, you see beaconing
traffic and other 802.11 stuff, while in the latter you only see the
Ethernet and IP traffic. If you do mean the former, please describe your
tool set and system configuration, because I have only seen the latter in
non-commercial tools (i.e. Linux and tcpdump).

A note on WEP:

Do not use it. Since static keys are used, the risk of
someone mounting a statistical cryptanalytical attack on WEP
(as the WEP FAQ may have pointed out) is big. Some of the
older APs are still shipped with 40 bit security. Some of
the crypto keys are world readable in the registry on the
systems that have RLAN NICs installed, which is a big mistake.
So, don't just look at the hardware (OK, do some SNMP & default
password checking), you need to look at the software side as well.

You are kidding right? If not, then what perfect solution do you propose? I
would agree that if anyone thinks WEP is the end all of wireless security,
they are sadly mistaken, but "Do not use it" is hardly an appropriate
answer. The answer is "use it, and other appropriate security measures".


Frequency hopping is security through obscurity, the hopping
sets are too predictable, i.e. the next frequency MUST be at least
3 frequencies up or down the list (subtract 7 frequencies out of
83). There are also only 3 main sets of frequencies and IIRC 25
subsets of those, totalling ~75 frequency sequences.

Remember that in many cases (all?) the hopping information is also in packets
passing through the air, so a piece of code that could examine those packets
could be built to "follow the trail".


Phil
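Added illustration (not part of the thread, and not code from any tool it
mentions): the difference Phil is asking about, and his point that the hopping
information rides in the frames themselves, both come down to what link layer
tcpdump is handed. On a monitor-mode interface the capture is raw 802.11
(libpcap link type 105), so beacons arrive with the SSID, the capability bits
(the Privacy bit that says WEP is required) and, on an FHSS network, the FH
Parameter Set element (ID 2: dwell time, hop set, hop pattern, hop index). On
the normal managed interface the driver hands up Ethernet (link type 1) and all
of that is gone. The two sample frames below are constructed by hand, not
captured; the element layouts follow 802.11-1999 and the DLT numbers are the
libpcap constants.

```python
import struct

# Constructed sample frames for illustration; neither is a real capture.
# 802.11 management frame, subtype beacon, as a monitor-mode interface
# delivers it (pcap link type 105, DLT_IEEE802_11, no radiotap header).
BEACON = bytes.fromhex(
    "8000"              # frame control: type 0 (management), subtype 8 (beacon)
    "0000"              # duration
    "ffffffffffff"      # addr1: destination, broadcast
    "001122334455"      # addr2: transmitter (the AP)
    "001122334455"      # addr3: BSSID
    "1000"              # sequence control
    "0000000000000000"  # timestamp (TSF)
    "6400"              # beacon interval: 100 TU (little-endian)
    "1100"              # capability info: ESS (bit 0) + Privacy (bit 4) => WEP in use
    "000474657374"      # element 0: SSID "test"
    "010482848b96"      # element 1: supported rates 1, 2, 5.5, 11 Mbit/s
    "02056400020307"    # element 2: FH parameter set: dwell 100 TU, hop set 2, pattern 3, index 7
)

# What the same station sees on its managed interface: a plain Ethernet
# frame (pcap link type 1, DLT_EN10MB) carrying IPv4; no 802.11 fields at all.
ETHERNET = bytes.fromhex(
    "665544332211"              # destination MAC
    "001122334455"              # source MAC
    "0800"                      # EtherType IPv4
    "45000014000100004001000a"  # minimal IPv4 header (checksum not computed)
    "c0a80101c0a80102"          # 192.168.1.1 -> 192.168.1.2
)

DLT_EN10MB = 1
DLT_IEEE802_11 = 105


def mac(raw):
    return ":".join("%02x" % b for b in raw)


def parse_80211_beacon(frame):
    """Decode the beacon fields that only a monitor-mode capture exposes."""
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if (ftype, subtype) != (0, 8):
        raise ValueError("not a beacon frame (type %d subtype %d)" % (ftype, subtype))
    # 24-byte management header, then 12 bytes of fixed fields.
    _timestamp, interval, capab = struct.unpack_from("<QHH", frame, 24)
    info = {
        "bssid": mac(frame[16:22]),
        "beacon_interval_tu": interval,
        "privacy": bool(capab & 0x0010),  # Privacy bit: WEP required to join
        "ssid": None,
        "fh": None,
    }
    off = 36
    while off + 2 <= len(frame):
        eid, length = frame[off], frame[off + 1]
        body = frame[off + 2:off + 2 + length]
        if len(body) < length:
            break  # truncated element: stop rather than misparse
        if eid == 0:
            info["ssid"] = body.decode("ascii", "replace")
        elif eid == 2 and length == 5:
            # FH Parameter Set: this is the "trail" an FHSS sniffer can follow.
            dwell, hop_set, pattern, index = struct.unpack("<HBBB", body)
            info["fh"] = {"dwell_time_tu": dwell, "hop_set": hop_set,
                          "hop_pattern": pattern, "hop_index": index}
        off += 2 + length
    return info


def parse_ethernet(frame):
    """Decode what a managed-mode interface hands to tcpdump: Ethernet only."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    return {"dst": mac(frame[0:6]), "src": mac(frame[6:12]),
            "ethertype": ethertype, "payload_len": len(frame) - 14}


def summarize(linktype, frame):
    """Dispatch on the pcap link type, the way tcpdump picks its printer."""
    if linktype == DLT_IEEE802_11:
        return parse_80211_beacon(frame)
    if linktype == DLT_EN10MB:
        return parse_ethernet(frame)
    raise ValueError("unsupported link type %d" % linktype)


if __name__ == "__main__":
    print("monitor mode:", summarize(DLT_IEEE802_11, BEACON))
    print("managed mode:", summarize(DLT_EN10MB, ETHERNET))
```

The practical check is which link type your capture reports: if tcpdump
announces EN10MB on the wireless interface you are in the second case and
will never see a beacon, however many goodies you run on top of it.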
