Re: Dsniff'ng wireless networks

From: Michael H. Warfield (mhwat_private)
Date: Mon Jul 09 2001 - 18:08:00 PDT


    On Mon, Jul 09, 2001 at 09:09:58AM +0100, ed.rolisonat_private wrote:
    
    > Correct me if I'm wrong, but IIRC wireless lans are effectively switched.
    
    	You are wrong...  They are broadcast media and one station can
    sniff another station as long as it can receive the RF.  Often, one
    station might not be able to receive another station's RF because they
    are out of range of each other but not out of range of the high-gain
    access point antenna.  But that is a far cry from "effectively switched"
    and is NOT something to rely on for security!
    
    > Each access point-NIC uses a separate encryption key (there are weaknesses
    > but...)
    
    	You are VERY wrong.  WEP uses a common shared key amongst ALL
    of the stations.  In order to move between access points within a
    fully managed 802.11 network (multiple access points operating
    in cooperation) then all the access points have to have the same
    Network Name and WEP encryption keys.  Most seem to support 4 decryption
    keys (Rx) and a single encryption key (Tx - One of the four Rx keys)
    but to have everything work uniformly, it would all have to be identical
    and it's ALL shared secrets.
    
    > and thus the NIC only 'sees' traffic being directed at it.
    
    	If that were true, then the WaveLAN sniffers would not be
    very effective.  In fact, they are VERY effective.
    
    > It seems also that it's quite hard to get them to enter promiscuous mode for
    > similar reasons - if
    > it's listening to all the traffic, then the encryption breaks down.
    
    	1) It's a snap to get it into promiscuous mode.  Tcpdump can do
    it on Linux, no mods necessary.  You see 802.3 (ethernet) style frames
    and encapsulation.  The 802.11 framing is stripped before presentation
    to the application layer.
    
    	2) It's a little more difficult to get it into RF Management/Monitor
    mode.  In fact, we don't know how to get some cards (Lucent, Cabletron, etc)
    into this mode where we can monitor access point management frames.  Other
    cards (Cisco Aironet 340 and 350) go into RF Management/Monitor mode very
    readily.  I have several.  I've seen them in action.  :-)  I prefer the
    350.  Better receive gain.  Picks up much better than the 340.  Also has
    better transmit power (but I'm not usually transmitting :-) ).
    
    	3) On Linux, some driver patches are required to report the ENTIRE
    802.11 encapsulation to the application layer and then you need some modified
    libpcap libraries to handle them (they are different sized than 802.3).
    Once you have that, you can find out the ESSID, the Network Name, various
    AP parameters (like whether WEP is required or used), etc, etc, etc...
    
    	Driving from home to work along a particular route, I know a dude
    in a certain apartment complex has "Dougnet" while a medical office further
    down the road has one named "toomanysecrets".  It's amazing how many
    have purchased a particular brand with a particular default network name
    and I see "tsunami" showing up all over the map while driving around town.
    
    > You might have some joy, but the best I can see for collecting the datagrams
    > would be something like
    > a scanner (radio) interfaced to a computer. Of course, you still have to break
    > the encryption, but there
    > was an article posted to one of the securityfocus lists regarding 'weaknesses'
    > in WEP.
    
    	Yes, there certainly are some "weaknesses" in WEP.  You might want
    to look them over.  They're incredibly lame, like reusing the undersized
    (24 bit) IV and NOT incorporating any station dependent information in
    the IV or cypherstream (so cracking one station using known plaintext
    cracks them all).  Combine that with a simple XOR between the plaintext
    and the cypherstream (making it subject to XOR reduction attacks) and it's
    really pretty bad.  "Bag on head" bad...  "Go home in shame" bad...
    "Who forgot to invite the cryptographers to the meetings" bad...
    
    > (this is based on a little research I did into 802.11b YMMV)
    
    > Cheers
    > Ed
    
    > CONFIDENTIALITY:
    > This e-mail and any attachments are confidential and may be privileged. If you
    > are not a named recipient, please notify the sender immediately and do not
    > disclose the contents to another person, use it for any purpose, or store or
    > copy the information in any medium.
    
    	Mike
    -- 
     Michael H. Warfield    |  (770) 985-6132   |  mhwat_private
      (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
      NIC whois:  MHW9      |  An optimist believes we live in the best of all
     PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
    
    
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service

    This archive was generated by hypermail 2b30 : Tue Jul 10 2001 - 07:50:48 PDT