Yes, still, how many of those improvements are currently in use? Thanks, Ron DuFresne On Thu, 12 Jul 2001, Kohlenberg, Toby wrote: > If you haven't done so yet, take a look at the revisions > made for the next release of 802.11- specifically 802.11i > a number of interesting improvements in the standard with > regard to security. It has been significantly developed by > Jesse Walker who is definately competent. > > Toby > > > -----Original Message----- > > From: Dragos Ruiu [mailto:drat_private] > > Sent: Wednesday, July 11, 2001 5:48 PM > > To: Michael H. Warfield; Bourque Daniel > > Cc: pen-testat_private > > Subject: Re: Dsniff'ng wireless networks > > > > > > IMHO the Cisco 350 (not the weaker gain cousin the 340) > > is _the_ card to get.... if for no other reason than you can > > crank that transmitter to a rangeful but unhealthy and > > battery frying three times the normal power rating of > > other typical cards (30mW vs. 100mW) or right down to > > a less unhealthy and battery saving 1mW with the > > OpenBSD drivers (and it works fine for me in an indoor > > residential setting at this minimal power level). As > > far as I have tested none of the other cards/chipsets give > > you any useful power controls beyond the mostly lame > > keep the transmitter on for so many milliseconds > > settings which mostly mess up your link without > > much savings. Never mind the fact that you can > > also use this card to break the shamefully bad crypto. :-) > > "Who forgot to invite the cryptographers?", indeed. > > > > cheers, > > --dr > > > > > > > > On Tue, 10 Jul 2001, Michael H. Warfield wrote: > > > On Tue, Jul 10, 2001 at 11:04:34AM -0400, Bourque Daniel wrote: > > > > > > > What about the claim by Cisco that the 350 couple with > > their Cisco Secure > > > > Access Control permit to each user to have it's own key > > AND dynamic change > > > > of thoses keys? > > > > > > It's proprietary software on top of their cards. I'm still > > > waiting to see the software in action AND waiting to see > > Linux support. > > > Till then, it's still vaporware. IAC, it's certainly NOT > > what you are > > > going to find deployed in the field at this time. > > > > > > There is also the SLAN project up at SourceForge with > > is intended > > > to address the Wireless encryption problem. That has Linux > > and Windows > > > clients and is also suppose to address this, and not just be limited > > > to Cisco cards. > > > > > > > -----Message d'origine----- > > > > De: Michael H. Warfield [mailto:mhwat_private] > > > > Date: 9 juillet, 2001 21:08 > > > > À: ed.rolisonat_private > > > > Cc: pen-testat_private > > > > Objet: Re: Dsniff'ng wireless networks > > > > > > > > > > > > On Mon, Jul 09, 2001 at 09:09:58AM +0100, > > ed.rolisonat_private wrote: > > > > > > > > > Correct me if I'm wrong, but IIRC wireless lans are > > effectively switched. > > > > > > > > You are wrong... They are broadcast media and one station can > > > > sniff another station as long as it can receive the RF. > > Often, one > > > > station might not be able to receive another stations RF > > because they > > > > are out of range of each other but not out of range of > > the high-gain > > > > access point antenna. But that is a far cry from > > "effectively switched" > > > > and is NOT something to rely on for security! > > > > > > > > > Each access point-NIC uses a separate encryption key > > (there are weaknesses > > > > > but...) > > > > > > > > You are VERY wrong. WEP uses a common shared key amongst ALL > > > > of the stations. In order to move between access points within a > > > > fully managed 802.11 network (multiple access points operating > > > > in cooperation) then all the access points have to have the same > > > > Network Name and WEP encryption keys. Most seem to > > support 4 decryption > > > > keys (Rx) and a single encryption key (Tx - One of the > > four Rx keys) > > > > but to have everything work uniformly, it would all have > > to be identical > > > > and it's ALL shared secrets. > > > > > > > > > and thus the NIC only 'sees' traffic being directed at it. > > > > > > > > If that were true, then the WaveLAN sniffers would not be > > > > very effective. In fact, they are VERY effective. > > > > > > > > > It seems also that it's quite hard to get them to enter > > promiscuous mode > > > > for > > > > > similar reasons - if > > > > > it's listening to all the traffic, then the encryption > > breaks down. > > > > > > > > 1) It's a snap to get it into promiscuous mode. Tcpdump can do > > > > it on Linux, no mods necessary. You see 802.3 (ethernet) > > style frames > > > > and encapsulation. The 802.11 framing is stripped before > > presentation > > > > to the application layer. > > > > > > > > 2) It's a little more difficult to get it into RF > > Management/Monitor > > > > mode. In fact, we don't know how to get some cards > > (Lucent, Cabletron, etc) > > > > into this mode where we can monitor access point > > management frames. Other > > > > cards (Cisco Aironet 340 and 350) go into RF > > Management/Monitor mode very > > > > readily. I have several. I've seen them in action. :-) > > I prefer the > > > > 350. Better receive gain. Picks up much better than the > > 340. Also has > > > > better transmit power (but I'm not usually transmitting :-) ). > > > > > > > > 3) On Linux, some driver patches are required to report > > the ENTIRE > > > > 802.11 encapsulation to the application layer and then > > you need some > > > > modified > > > > libpcap libraries to handle them (they are different > > sized than 802.3). > > > > Once you have that, you can find out the ESSID, the > > Network Name, various > > > > AP parameters (like whether WEP is required or used), > > etc, etc, etc... > > > > > > > > Driving from home to work along a particular route, I > > know a dude > > > > in a certain apartment complex has "Dougnet" while a > > medical office further > > > > down the road has one named "toomanysecrets". It's > > amazing how many > > > > have purchased a particular brand with a particular > > default network name > > > > and I see "tsunami" showing up all over the map while > > driving around town. > > > > > > > > > You might have some joy, but the best I can see for > > collecting the > > > > datagrams > > > > > would be something like > > > > > a scanner (radio) interfaced to a computer. Of course, > > you still have to > > > > break > > > > > the encryption, but there > > > > > was an article posted to one of the securityfocus lists > > regarding > > > > 'weaknesses' > > > > > in WEP. > > > > > > > > Yes, there certainly are some "weaknesses" in WEP. You > > might want > > > > to look them over. They're incredibly lame, like reusing > > the undersized > > > > (24 bit) IV and NOT encorporating any station dependent > > information in > > > > the IV or cypherstream (so cracking one station using > > known plaintext > > > > cracks them all). Combined that with a simple XOR > > between the plaintext > > > > and the cypherstream (making is subject to XOR reduction > > attacks) it's > > > > really pretty bad. "Bag on head" bad... "Go home in > > shame" bad... > > > > "Who forgot to invite the cryptographers to the meetings" bad... > > > > > > > > > (this is based on a little research I did into 802.11b YMMV) > > > > > > > > > Cheers > > > > > Ed > > > > > > > > > CONFIDENTIALITY: > > > > > This e-mail and any attachments are confidential and > > may be privileged. If > > > > you > > > > > are not a named recipient, please notify the sender > > immediately and do not > > > > > disclose the contents to another person, use it for any > > purpose, or store > > > > or > > > > > copy the information in any medium. > > > > > > > > Mike > > > > -- > > > > Michael H. Warfield | (770) 985-6132 | mhwat_private > > > > (The Mad Wizard) | (678) 463-0932 | > http://www.wittsend.com/mhw/ > > > NIC whois: MHW9 | An optimist believes we live in the best of > all > > > PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! > > > > Mike > > -- > > Michael H. Warfield | (770) 985-6132 | mhwat_private > > (The Mad Wizard) | (678) 463-0932 | > http://www.wittsend.com/mhw/ > > NIC whois: MHW9 | An optimist believes we live in the best of all > > PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! > > > > > > > ---------------------------------------------------------------------------- > > This list is provided by the SecurityFocus Security Intelligence Alert > (SIA) > > Service For more information on SecurityFocus' SIA service which > > automatically alerts you to the latest security vulnerabilities please > see: > > https://alerts.securityfocus.com/ > -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior consultant: darkstar.sysinfo.com http://darkstar.sysinfo.com "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too! ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 17:54:38 PDT