Re: [PEN-TEST] wireless LAN traffic sniffing

From: Frank Knobbe (FKnobbeat_private)
Date: Wed May 02 2001 - 06:59:40 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    > -----Original Message-----
    > From: Bram Shirani [mailto:kamat_private]
    > Sent: Tuesday, May 01, 2001 12:42 PM
    >
    > [...]
    > Bottom line, any card can sniff, if you've got the right
    > tools. Don't get hung up on the output letting you know that
    > the card is.
    
    
    From what I understand, that statement is wrong for wireless cards.
    In order to sniff wireless traffic (packets from all stations
    connected to the same access point your sniffer is 'tuned' into), the
    driver changes the behavior of the RTS/CTS handshake in the 802.11b
    protocol. The way data is transmitted in wireless and on the wire is
    completely different. On the wire you can implement CSMA/CD very
    easily. Listen before you send, then send and listen to what you
    send. If garbled (collision), send again. That's possible because all
    stations are on the same media. With wireless you don't have that
    luxury. All stations are not on the same wire, so the sending station
    can't detect a collision. The AP can detect the collision. I don't
    fully understand the handshaking myself (a timing sheet would be
    helpful :), but that is the reason you have the RTS/CTS handshaking
    in the signals. That way stations can detect, or more precisely
    avoid, collisions.
    
    Since wired cards and wireless cards differ in the way they transmit
    and receive packets, the way they sniff is different too. As
    mentioned before, if a wireless card is in 'sniffing' mode, call it
    promiscuous if you like, it cannot send
    data at the same time since the handshaking is now handled
    differently. When sniffing, the handshaking emulates other wireless
    stations so that it can receive their packets. As far as I know, the
    handshake is never completed so the AP re-sends the packet, this time
    to the real station.
    
    The statement about 'any card can sniff' could be true if you focus
    solely on the hardware. Yeah, with a hacked driver for a Linksys, you
    could sniff with it as well. Problem is that a proper implementation
    of promiscuous mode doesn't seem to be easy, and hacked drivers
    appear hard to come by. I said earlier that I'm aware of only two
    cards that offer such a driver. If you know about other drivers,
    please feel free to share them with us.
    
    Regards,
    Frank
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP Personal Privacy 6.5.8
    Comment: PGP or S/MIME encrypted email preferred.
    
    iQA/AwUBOvASzJytSsEygtEFEQL10ACgkr53FuXHS75GnxAXY8bPVE5um3IAmgPz
    knKmArMEh79JEhLxPQJzfhM0
    =nION
    -----END PGP SIGNATURE-----
    
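Added example, not part of the original post or the archive: a minimal Python decoder for the raw 802.11 frames a card in monitor mode hands to a sniffer, run over a constructed RTS/CTS/data exchange of the kind the message above discusses. It pulls out the fields the exchange turns on (Frame Control type/subtype, the Duration/NAV value, and which address field is the BSSID depending on the To DS / From DS bits). The station and AP addresses, the payload, and the timing constants (802.11b DSSS with long preamble: 10 us SIFS, 192 us PLCP, CTS/ACK at 1 Mbps) are this example's assumptions, not values from the post.

```python
"""802.11 MAC header decoder with a constructed RTS/CTS/data exchange.

Added example, not code from the original post. Timing constants assume the
802.11b DSSS PHY with long preamble; addresses and frames are constructed here.
"""
import math
import struct

SIFS_US = 10         # 802.11b SIFS
PLCP_US = 192        # long preamble (144 us) + PLCP header (48 us)
CTRL_RATE_MBPS = 1   # CTS/ACK go out at the lowest basic rate
CTRL_FRAME_LEN = 14  # CTS/ACK: FC + Duration + RA + FCS
TYPE_NAMES = {0: "mgmt", 1: "ctrl", 2: "data"}
CTRL_SUBTYPES = {0xB: "RTS", 0xC: "CTS", 0xD: "ACK"}

# Constructed (locally administered) addresses for the example station and AP.
AP = bytes.fromhex("02aabbccdd00")
STA = bytes.fromhex("02aabbccdd01")


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_80211(frame):
    """Parse a raw 802.11 MAC header (no radiotap header, FCS already stripped)."""
    if len(frame) < 10:
        raise ValueError("frame too short for an 802.11 header")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    info = {"type": TYPE_NAMES.get(ftype, "reserved"), "subtype": subtype,
            "duration_us": duration, "retry": bool(fc & 0x0800),
            "addr1": mac(frame[4:10])}
    if ftype == 1:  # control frames: RA only, plus TA for RTS
        info["name"] = CTRL_SUBTYPES.get(subtype, f"ctrl-{subtype:x}")
        if subtype == 0xB:
            if len(frame) < 16:
                raise ValueError("RTS frame too short")
            info["addr2"] = mac(frame[10:16])
        return info
    if len(frame) < 24:
        raise ValueError("management/data frame too short")
    info["name"] = info["type"]
    info["addr2"], info["addr3"] = mac(frame[10:16]), mac(frame[16:22])
    info["seq"] = struct.unpack_from("<H", frame, 22)[0] >> 4
    hdr_len = 24
    if to_ds and from_ds:          # WDS frame carries a fourth address
        info["addr4"], hdr_len = mac(frame[24:30]), 30
    # Which address field holds the BSSID depends on the To DS / From DS bits;
    # this is what a sniffer filters on to follow one access point.
    info["bssid"] = {(False, False): info["addr3"], (True, False): info["addr1"],
                     (False, True): info["addr2"]}.get((to_ds, from_ds))
    info["body"] = frame[hdr_len:]
    return info


def air_time_us(length_bytes, rate_mbps):
    """Time on air for a frame of the given length (including FCS) at a rate."""
    return PLCP_US + math.ceil(length_bytes * 8 / rate_mbps)


def rts_duration_us(data_len_bytes, data_rate_mbps):
    """NAV a station writes into its RTS: CTS, the data frame and the ACK,
    each preceded by a SIFS. Every station hearing it defers for that long."""
    ctrl = air_time_us(CTRL_FRAME_LEN, CTRL_RATE_MBPS)
    return 3 * SIFS_US + ctrl + air_time_us(data_len_bytes, data_rate_mbps) + ctrl


def cts_duration_us(rts_duration):
    """The responder's CTS repeats the RTS NAV minus one SIFS and the CTS itself."""
    return rts_duration - SIFS_US - air_time_us(CTRL_FRAME_LEN, CTRL_RATE_MBPS)


def build_ctrl(subtype, duration, ra, ta=b""):
    fc = (1 << 2) | (subtype << 4)          # type=control; RTS -> 0xB4, CTS -> 0xC4
    return struct.pack("<HH", fc, duration) + ra + ta


def build_data(addr1, addr2, addr3, body, to_ds=False, from_ds=False, seq=0):
    fc = (2 << 2) | (0x0100 if to_ds else 0) | (0x0200 if from_ds else 0)
    return struct.pack("<HH", fc, 0) + addr1 + addr2 + addr3 + struct.pack("<H", seq << 4) + body


def sample_exchange():
    """Constructed exchange: STA reserves the medium with RTS, AP answers CTS,
    STA sends a 100-byte data frame towards the AP (To DS set) at 11 Mbps."""
    body = b"\xaa\xaa\x03" + bytes(97)      # constructed payload, not a capture
    data = build_data(AP, STA, bytes.fromhex("02aabbccdd02"), body, to_ds=True, seq=7)
    nav = rts_duration_us(len(data) + 4, 11)  # +4: FCS is on the air, not in our buffer
    frames = [build_ctrl(0xB, nav, AP, STA), build_ctrl(0xC, cts_duration_us(nav), STA), data]
    return [parse_80211(f) for f in frames]


if __name__ == "__main__":
    for f in sample_exchange():
        print(f["name"], f.get("addr1"), f.get("addr2", "-"), f["duration_us"], "us")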



    This archive was generated by hypermail 2b30 : Wed May 02 2001 - 09:24:20 PDT