Re: Dsniff'ng wireless networks

From: Joe Shaw (jshawat_private)
Date: Mon Jul 09 2001 - 14:51:19 PDT


    On Mon, 9 Jul 2001 ed.rolisonat_private wrote:
    
    > Correct me if I'm wrong, but IIRC wireless lans are effectively switched.
    > Each access point-NIC uses a separate encryption key (there are weaknesses
    > but...)
    
    Nope, this is not the case.  WEP Encryption at the access-point to NIC
    requires a lot of overhead and effectively limits throughput at less than
    2Mbps.  Now, one could use a software IPSec client and do IPSec over
    the link, but most software clients promise no more than 128kbps
    throughput.  An SSID can be utilized, but it's been my experience that
    it's not hard to find out what the SSID is, since in Win32 platforms
    it's listed in the clear in the hardware properties.  Also, I've found
    it's generally the case that in a large wireless deployment, you will
    find at least one 802.11b access point that has been (mis)configured to
    broadcast SSID.
    
    > and thus the NIC only 'sees' traffic being directed at it.
    > It seems also that it's quite hard to get them to enter promiscuous mode for
    > similar reasons - if it's listening to all the traffic, then the
    > encryption breaks down.
    
    I assure you, based on my own experience, this is not the case.
    
    > You might have some joy, but the best I can see for collecting the datagrams
    > would be something like
    > a scanner (radio) interfaced to a computer. Of course, you still have to break
    > the encryption, but there
    > was an article posted to one of the securityfocus lists regarding 'weaknesses'
    > in WEP.
    
    Nope.  With an IBM Thinkpad, Aironet 4800 PCMCIA NIC, OpenBSD and libpcap
    I wrote a very simple packet sniffer in C that I used to audit the
    wireless network at my previous employer.  I then used dsniff and had no
    problems grabbing passwords out of the air for various different services.
    Although I knew the SSID, I took the total outsider approach and learned
    the SSID by catching it via the broadcast.  WEP was not used, because at
    the time, Aironet/Cisco could not get WEP to work properly.
    
    Regards,
    --
    Joseph W. Shaw II
    Network Security Specialist/CCNA
    Unemployed.  Will hack for food.  God Bless.
    Apparently I'm overqualified but undereducated to be employed.
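The SSID-via-beacon point in the message above (an access point that announces its network name in the clear), as an added example that is not part of the original thread or of any tool it mentions: a small C parser for the SSID element of a raw 802.11 beacon, the kind of check an auditor runs over a capture to inventory which access points broadcast their SSID and which send an empty (hidden) one. The frame bytes are constructed for the example; the BSSID 00:11:22:33:44:55 and the SSID "lab-ap1" are made up, and a raw frame without a radiotap/prism capture header is assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Raw 802.11 beacon layout (no radiotap/prism capture header assumed):
 * 24-byte MAC header, 12 bytes of fixed fields (timestamp, beacon interval,
 * capability), then tag/length/value elements; element 0 is the SSID. */
#define BEACON_ELEMS_OFF 36
#define TAG_SSID         0
#define MAX_SSID_LEN     32

/* Copy the beacon's SSID into ssid (NUL-terminated). Returns 1 on success and
 * sets *hidden when the SSID is empty or all-zero (AP not broadcasting it);
 * returns 0 if the frame is not a beacon or an element runs past its end. */
int beacon_ssid(const uint8_t *f, size_t len, char *ssid, int *hidden)
{
    size_t pos = BEACON_ELEMS_OFF;
    if (len < pos || (f[0] & 0xfc) != 0x80) return 0; /* mgmt type 0, subtype 8 */
    while (pos + 2 <= len) {
        uint8_t tag = f[pos], tlen = f[pos + 1];
        if (pos + 2 + tlen > len) return 0;           /* truncated element */
        if (tag == TAG_SSID) {
            size_t i, n = tlen > MAX_SSID_LEN ? MAX_SSID_LEN : tlen;
            int all_zero = 1;
            for (i = 0; i < n; i++) {
                ssid[i] = (char)f[pos + 2 + i];
                if (ssid[i]) all_zero = 0;
            }
            ssid[n] = '\0';
            *hidden = (n == 0 || all_zero);
            return 1;
        }
        pos += 2 + tlen;
    }
    return 0;
}

/* Audit helper: does the frame announce exactly this SSID / hidden state? */
int ssid_matches(const uint8_t *f, size_t len, const char *want, int want_hidden)
{
    char ssid[MAX_SSID_LEN + 1]; int hidden = 0;
    if (!beacon_ssid(f, len, ssid, &hidden)) return 0;
    return strcmp(ssid, want) == 0 && hidden == want_hidden;
}

/* Constructed beacons (not real captures) from made-up BSSID 00:11:22:33:44:55:
 * one announcing "lab-ap1", one with a zero-length (hidden) SSID element. */
#define HDR_AND_FIXED 0x80,0x00,0x00,0x00, 0xff,0xff,0xff,0xff,0xff,0xff, \
    0x00,0x11,0x22,0x33,0x44,0x55, 0x00,0x11,0x22,0x33,0x44,0x55, 0x10,0x00, \
    0,0,0,0,0,0,0,0, 0x64,0x00, 0x01,0x00
static const uint8_t beacon_open[] = { HDR_AND_FIXED,
    0x00,0x07,'l','a','b','-','a','p','1', 0x01,0x01,0x82 };
static const uint8_t beacon_hidden[] = { HDR_AND_FIXED, 0x00,0x00, 0x01,0x01,0x82 };
```

Feeding real frames from a monitor-mode capture into beacon_ssid gives a per-BSSID list of which access points are announcing their network name, which is the misconfiguration the message describes.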
    
    
    
    --------------------------------------------------------------------------------------
    
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service
    For more information on SecurityFocus' SIA service which automatically alerts you to 
    the latest security vulnerabilities please see:
    
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Tue Jul 10 2001 - 08:09:45 PDT