If you haven't done so yet, take a look at the revisions made for the next release of 802.11- specifically 802.11i a number of interesting improvements in the standard with regard to security. It has been significantly developed by Jesse Walker who is definately competent. Toby > -----Original Message----- > From: Dragos Ruiu [mailto:drat_private] > Sent: Wednesday, July 11, 2001 5:48 PM > To: Michael H. Warfield; Bourque Daniel > Cc: pen-testat_private > Subject: Re: Dsniff'ng wireless networks > > > IMHO the Cisco 350 (not the weaker gain cousin the 340) > is _the_ card to get.... if for no other reason than you can > crank that transmitter to a rangeful but unhealthy and > battery frying three times the normal power rating of > other typical cards (30mW vs. 100mW) or right down to > a less unhealthy and battery saving 1mW with the > OpenBSD drivers (and it works fine for me in an indoor > residential setting at this minimal power level). As > far as I have tested none of the other cards/chipsets give > you any useful power controls beyond the mostly lame > keep the transmitter on for so many milliseconds > settings which mostly mess up your link without > much savings. Never mind the fact that you can > also use this card to break the shamefully bad crypto. :-) > "Who forgot to invite the cryptographers?", indeed. > > cheers, > --dr > > > > On Tue, 10 Jul 2001, Michael H. Warfield wrote: > > On Tue, Jul 10, 2001 at 11:04:34AM -0400, Bourque Daniel wrote: > > > > > What about the claim by Cisco that the 350 couple with > their Cisco Secure > > > Access Control permit to each user to have it's own key > AND dynamic change > > > of thoses keys? > > > > It's proprietary software on top of their cards. I'm still > > waiting to see the software in action AND waiting to see > Linux support. > > Till then, it's still vaporware. IAC, it's certainly NOT > what you are > > going to find deployed in the field at this time. > > > > There is also the SLAN project up at SourceForge with > is intended > > to address the Wireless encryption problem. That has Linux > and Windows > > clients and is also suppose to address this, and not just be limited > > to Cisco cards. > > > > > -----Message d'origine----- > > > De: Michael H. Warfield [mailto:mhwat_private] > > > Date: 9 juillet, 2001 21:08 > > > À: ed.rolisonat_private > > > Cc: pen-testat_private > > > Objet: Re: Dsniff'ng wireless networks > > > > > > > > > On Mon, Jul 09, 2001 at 09:09:58AM +0100, > ed.rolisonat_private wrote: > > > > > > > Correct me if I'm wrong, but IIRC wireless lans are > effectively switched. > > > > > > You are wrong... They are broadcast media and one station can > > > sniff another station as long as it can receive the RF. > Often, one > > > station might not be able to receive another stations RF > because they > > > are out of range of each other but not out of range of > the high-gain > > > access point antenna. But that is a far cry from > "effectively switched" > > > and is NOT something to rely on for security! > > > > > > > Each access point-NIC uses a separate encryption key > (there are weaknesses > > > > but...) > > > > > > You are VERY wrong. WEP uses a common shared key amongst ALL > > > of the stations. In order to move between access points within a > > > fully managed 802.11 network (multiple access points operating > > > in cooperation) then all the access points have to have the same > > > Network Name and WEP encryption keys. Most seem to > support 4 decryption > > > keys (Rx) and a single encryption key (Tx - One of the > four Rx keys) > > > but to have everything work uniformly, it would all have > to be identical > > > and it's ALL shared secrets. > > > > > > > and thus the NIC only 'sees' traffic being directed at it. > > > > > > If that were true, then the WaveLAN sniffers would not be > > > very effective. In fact, they are VERY effective. > > > > > > > It seems also that it's quite hard to get them to enter > promiscuous mode > > > for > > > > similar reasons - if > > > > it's listening to all the traffic, then the encryption > breaks down. > > > > > > 1) It's a snap to get it into promiscuous mode. Tcpdump can do > > > it on Linux, no mods necessary. You see 802.3 (ethernet) > style frames > > > and encapsulation. The 802.11 framing is stripped before > presentation > > > to the application layer. > > > > > > 2) It's a little more difficult to get it into RF > Management/Monitor > > > mode. In fact, we don't know how to get some cards > (Lucent, Cabletron, etc) > > > into this mode where we can monitor access point > management frames. Other > > > cards (Cisco Aironet 340 and 350) go into RF > Management/Monitor mode very > > > readily. I have several. I've seen them in action. :-) > I prefer the > > > 350. Better receive gain. Picks up much better than the > 340. Also has > > > better transmit power (but I'm not usually transmitting :-) ). > > > > > > 3) On Linux, some driver patches are required to report > the ENTIRE > > > 802.11 encapsulation to the application layer and then > you need some > > > modified > > > libpcap libraries to handle them (they are different > sized than 802.3). > > > Once you have that, you can find out the ESSID, the > Network Name, various > > > AP parameters (like whether WEP is required or used), > etc, etc, etc... > > > > > > Driving from home to work along a particular route, I > know a dude > > > in a certain apartment complex has "Dougnet" while a > medical office further > > > down the road has one named "toomanysecrets". It's > amazing how many > > > have purchased a particular brand with a particular > default network name > > > and I see "tsunami" showing up all over the map while > driving around town. > > > > > > > You might have some joy, but the best I can see for > collecting the > > > datagrams > > > > would be something like > > > > a scanner (radio) interfaced to a computer. Of course, > you still have to > > > break > > > > the encryption, but there > > > > was an article posted to one of the securityfocus lists > regarding > > > 'weaknesses' > > > > in WEP. > > > > > > Yes, there certainly are some "weaknesses" in WEP. You > might want > > > to look them over. They're incredibly lame, like reusing > the undersized > > > (24 bit) IV and NOT encorporating any station dependent > information in > > > the IV or cypherstream (so cracking one station using > known plaintext > > > cracks them all). Combined that with a simple XOR > between the plaintext > > > and the cypherstream (making is subject to XOR reduction > attacks) it's > > > really pretty bad. "Bag on head" bad... "Go home in > shame" bad... > > > "Who forgot to invite the cryptographers to the meetings" bad... > > > > > > > (this is based on a little research I did into 802.11b YMMV) > > > > > > > Cheers > > > > Ed > > > > > > > CONFIDENTIALITY: > > > > This e-mail and any attachments are confidential and > may be privileged. If > > > you > > > > are not a named recipient, please notify the sender > immediately and do not > > > > disclose the contents to another person, use it for any > purpose, or store > > > or > > > > copy the information in any medium. > > > > > > Mike > > > -- > > > Michael H. Warfield | (770) 985-6132 | mhwat_private > > > (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/ > > NIC whois: MHW9 | An optimist believes we live in the best of all > > PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! > > Mike > -- > Michael H. Warfield | (770) 985-6132 | mhwat_private > (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/ > NIC whois: MHW9 | An optimist believes we live in the best of all > PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! > > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus Security Intelligence Alert (SIA) > Service For more information on SecurityFocus' SIA service which > automatically alerts you to the latest security vulnerabilities please see: > https://alerts.securityfocus.com/ -- Dragos Ruiu <drat_private> dursec.com ltd. / kyx.net - we're from the future gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 14:48:53 PDT