Re: Dsniff'ng wireless networks

From: Michael H. Warfield (mhwat_private)
Date: Tue Jul 10 2001 - 19:25:05 PDT


    On Tue, Jul 10, 2001 at 11:04:34AM -0400, Bourque Daniel wrote:
    
    > What about the claim by Cisco that the 350 coupled with their Cisco Secure
    > Access Control permits each user to have its own key AND dynamic change
    > of those keys?
    
    	It's proprietary software on top of their cards.  I'm still
    waiting to see the software in action AND waiting to see Linux support.
    Till then, it's still vaporware.  IAC, it's certainly NOT what you are
    going to find deployed in the field at this time.
    
    	There is also the SLAN project up at SourceForge which is intended
    to address the Wireless encryption problem.  That has Linux and Windows
    clients and is also supposed to address this, and not just be limited
    to Cisco cards.
    
    > -----Original Message-----
    > From: Michael H. Warfield [mailto:mhwat_private]
    > Date: 9 July 2001 21:08
    > To: ed.rolisonat_private
    > Cc: pen-testat_private
    > Subject: Re: Dsniff'ng wireless networks
    > 
    > 
    > On Mon, Jul 09, 2001 at 09:09:58AM +0100, ed.rolisonat_private wrote:
    > 
    > > Correct me if I'm wrong, but IIRC wireless lans are effectively switched.
    > 
    > 	You are wrong...  They are broadcast media and one station can
    > sniff another station as long as it can receive the RF.  Often, one
    > station might not be able to receive another station's RF because they
    > are out of range of each other but not out of range of the high-gain
    > access point antenna.  But that is a far cry from "effectively switched"
    > and is NOT something to rely on for security!
    > 
    > > Each access point-NIC uses a separate encryption key (there are weaknesses
    > > but...)
    > 
    > 	You are VERY wrong.  WEP uses a common shared key amongst ALL
    > of the stations.  In order to move between access points within a
    > fully managed 802.11 network (multiple access points operating
    > in cooperation) then all the access points have to have the same
    > Network Name and WEP encryption keys.  Most seem to support 4 decryption
    > keys (Rx) and a single encryption key (Tx - One of the four Rx keys)
    > but to have everything work uniformly, it would all have to be identical
    > and it's ALL shared secrets.
    > 
    > > and thus the NIC only 'sees' traffic being directed at it.
    > 
    > 	If that were true, then the WaveLAN sniffers would not be
    > very effective.  In fact, they are VERY effective.
    > 
    > > It seems also that it's quite hard to get them to enter promiscuous mode
    > > for similar reasons - if it's listening to all the traffic, then the
    > > encryption breaks down.
    > 
    > 	1) It's a snap to get it into promiscuous mode.  Tcpdump can do
    > it on Linux, no mods necessary.  You see 802.3 (ethernet) style frames
    > and encapsulation.  The 802.11 framing is stripped before presentation
    > to the application layer.
    > 
    > 	2) It's a little more difficult to get it into RF Management/Monitor
    > mode.  In fact, we don't know how to get some cards (Lucent, Cabletron, etc)
    > into this mode where we can monitor access point management frames.  Other
    > cards (Cisco Aironet 340 and 350) go into RF Management/Monitor mode very
    > readily.  I have several.  I've seen them in action.  :-)  I prefer the
    > 350.  Better receive gain.  Picks up much better than the 340.  Also has
    > better transmit power (but I'm not usually transmitting :-) ).
    > 
    > 	3) On Linux, some driver patches are required to report the ENTIRE
    > 802.11 encapsulation to the application layer and then you need some
    > modified
    > libpcap libraries to handle them (they are different sized than 802.3).
    > Once you have that, you can find out the ESSID, the Network Name, various
    > AP parameters (like whether WEP is required or used), etc, etc, etc...
    > 
    > 	Driving from home to work along a particular route, I know a dude
    > in a certain apartment complex has "Dougnet" while a medical office further
    > down the road has one named "toomanysecrets".  It's amazing how many
    > have purchased a particular brand with a particular default network name
    > and I see "tsunami" showing up all over the map while driving around town.
    > 
    > > You might have some joy, but the best I can see for collecting the
    > > datagrams would be something like a scanner (radio) interfaced to a
    > > computer.  Of course, you still have to break the encryption, but there
    > > was an article posted to one of the securityfocus lists regarding
    > > 'weaknesses' in WEP.
    > 
    > 	Yes, there certainly are some "weaknesses" in WEP.  You might want
    > to look them over.  They're incredibly lame, like reusing the undersized
    > (24 bit) IV and NOT incorporating any station dependent information in
    > the IV or cypherstream (so cracking one station using known plaintext
    > cracks them all).  Combine that with a simple XOR between the plaintext
    > and the cypherstream (making it subject to XOR reduction attacks) and it's
    > really pretty bad.  "Bag on head" bad...  "Go home in shame" bad...
    > "Who forgot to invite the cryptographers to the meetings" bad...
    > 
    > > (this is based on a little research I did into 802.11b YMMV)
    > 
    > > Cheers
    > > Ed
    > 
    > > CONFIDENTIALITY:
    > > This e-mail and any attachments are confidential and may be privileged.
    > > If you are not a named recipient, please notify the sender immediately
    > > and do not disclose the contents to another person, use it for any
    > > purpose, or store or copy the information in any medium.
    > 
    > 	Mike
    > -- 
    >  Michael H. Warfield    |  (770) 985-6132   |  mhwat_private
    >   (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
    >   NIC whois:  MHW9      |  An optimist believes we live in the best of all
    >  PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
    
    	Mike
    -- 
     Michael H. Warfield    |  (770) 985-6132   |  mhwat_private
      (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
      NIC whois:  MHW9      |  An optimist believes we live in the best of all
     PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
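The three WEP design flaws Mike names in the quoted message (one key shared by every station, a 24-bit IV, and plaintext simply XORed with the keystream) combine into the "crack one station, crack them all" problem, and the point is easier to see with a toy than with prose. The following Python is an added example and is not code from the thread or from any of the projects it mentions. It assumes SHAKE256 as a stand-in for RC4 (only the structural properties matter: the keystream is a function of IV and key alone), constructed key material and frames, and a hypothetical per-station keying scheme used purely as the hardened contrast. It also computes the birthday-bound probability of an IV repeat assuming IVs are chosen uniformly at random, which is the best case for the scheme.

```python
"""Toy model of the WEP flaws discussed in the thread: 24-bit IV, one key shared
by every station, plaintext XOR keystream.  Constructed example; the "cipher"
is NOT RC4/WEP, just a keystream generator with the same structural properties."""
import hashlib
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 possible IVs


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_style_keystream(shared_key: bytes, iv: bytes, length: int) -> bytes:
    """Keystream depends ONLY on (iv, shared key): nothing station-specific,
    which is the property the message complains about.  SHAKE256 stands in
    for RC4 so the example runs with the standard library alone."""
    return hashlib.shake_256(iv + shared_key).digest(length)


def wep_style_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = cleartext IV || (plaintext XOR keystream)."""
    return iv + xor_bytes(plaintext, wep_style_keystream(shared_key, iv, len(plaintext)))


def per_station_keystream(shared_key: bytes, station_mac: bytes, iv: bytes, length: int) -> bytes:
    """Hardened contrast (an assumption for this example, not a WEP feature):
    derive a per-station key first, so a keystream recovered from one station's
    frames says nothing about another station's frames under the same IV."""
    station_key = hashlib.sha256(b"station-key|" + station_mac + shared_key).digest()
    return hashlib.shake_256(iv + station_key).digest(length)


def keystream_reuse_demo() -> dict:
    """Shared key + repeated IV + XOR: known plaintext from station A yields the
    keystream for that IV, which then unmasks station B's frame sent under the
    same IV without the key ever being touched."""
    shared_key = b"constructed-shared-wep-key"       # identical on every station
    iv = (0x0001A7).to_bytes(3, "big")               # same IV reused by two stations
    plain_a = b"GET /index.html HTTP/1.0\r\n"        # constructed, predictable frame
    plain_b = b"station-B private payload"           # constructed; shorter than plain_a

    frame_a = wep_style_encrypt(shared_key, iv, plain_a)
    frame_b = wep_style_encrypt(shared_key, iv, plain_b)

    # A passive observer who can guess plain_a recovers this IV's keystream...
    recovered_ks = xor_bytes(frame_a[3:], plain_a)
    # ...and the same IV plus the same shared key means the same keystream for B.
    recovered_b = xor_bytes(frame_b[3:], recovered_ks)

    # With per-station keystreams the identical step yields only garbage.
    station_b_mac = b"\x00\x11\x22\x33\x44\x55"      # constructed
    frame_b_hardened = iv + xor_bytes(
        plain_b, per_station_keystream(shared_key, station_b_mac, iv, len(plain_b)))
    hardened_attempt = xor_bytes(frame_b_hardened[3:], recovered_ks)

    return {
        # XOR reduction: C1 ^ C2 == P1 ^ P2 whenever the keystream is shared.
        "c1_xor_c2_equals_p1_xor_p2": xor_bytes(frame_a[3:], frame_b[3:]) == xor_bytes(plain_a, plain_b),
        "recovered_b": recovered_b,
        "recovered_b_correct": recovered_b == plain_b,
        "hardened_leaks": hardened_attempt == plain_b,
    }


def iv_collision_probability(frames: int, iv_space: int = IV_SPACE) -> float:
    """Exact birthday probability that at least two of `frames` frames share an
    IV when IVs are drawn uniformly at random.  A counter that restarts at zero
    on every reset repeats deterministically, which is worse."""
    log_no_collision = sum(math.log1p(-i / iv_space) for i in range(frames))
    return 1.0 - math.exp(log_no_collision)


if __name__ == "__main__":
    result = keystream_reuse_demo()
    print("C1 ^ C2 == P1 ^ P2:", result["c1_xor_c2_equals_p1_xor_p2"])
    print("station B frame recovered without the key:", result["recovered_b_correct"])
    print("hardened per-station keystream leaks:", result["hardened_leaks"])
    for n in (1000, 4096, 10000):
        print(f"P(IV collision after {n:>5} frames) = {iv_collision_probability(n):.3f}")
```

The two numbers worth keeping in mind when reading the thread: with 2^24 IVs, random selection already gives roughly a 40% chance of a repeat after about 4,000 frames and better than 90% after 10,000, a few minutes of traffic on a busy access point; and because nothing per-station enters the keystream, every repeat is exploitable across the whole network, not just within one station's own frames. Per-station or per-session keys (the hardened function above) remove the second property even if the IV problem stays.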
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Wed Jul 11 2001 - 15:53:44 PDT