None of them are in use and even once the standard gets approved, it will still be another 8 months before vendors send out silicon that supports it. toby > -----Original Message----- > From: R. DuFresne [mailto:dufresneat_private] > Sent: Thursday, July 12, 2001 4:08 PM > To: Kohlenberg, Toby > Cc: 'Dragos Ruiu'; Michael H. Warfield; Bourque Daniel; > pen-testat_private > Subject: RE: Dsniff'ng wireless networks > > > > Yes, still, how many of those improvements are currently in use? > > > Thanks, > > Ron DuFresne > > On Thu, 12 Jul 2001, Kohlenberg, Toby wrote: > > > If you haven't done so yet, take a look at the revisions > > made for the next release of 802.11- specifically 802.11i > > a number of interesting improvements in the standard with > > regard to security. It has been significantly developed by > > Jesse Walker who is definately competent. > > > > Toby > > > > > -----Original Message----- > > > From: Dragos Ruiu [mailto:drat_private] > > > Sent: Wednesday, July 11, 2001 5:48 PM > > > To: Michael H. Warfield; Bourque Daniel > > > Cc: pen-testat_private > > > Subject: Re: Dsniff'ng wireless networks > > > > > > > > > IMHO the Cisco 350 (not the weaker gain cousin the 340) > > > is _the_ card to get.... if for no other reason than you can > > > crank that transmitter to a rangeful but unhealthy and > > > battery frying three times the normal power rating of > > > other typical cards (30mW vs. 100mW) or right down to > > > a less unhealthy and battery saving 1mW with the > > > OpenBSD drivers (and it works fine for me in an indoor > > > residential setting at this minimal power level). As > > > far as I have tested none of the other cards/chipsets give > > > you any useful power controls beyond the mostly lame > > > keep the transmitter on for so many milliseconds > > > settings which mostly mess up your link without > > > much savings. Never mind the fact that you can > > > also use this card to break the shamefully bad crypto. :-) > > > "Who forgot to invite the cryptographers?", indeed. > > > > > > cheers, > > > --dr > > > > > > > > > > > > On Tue, 10 Jul 2001, Michael H. Warfield wrote: > > > > On Tue, Jul 10, 2001 at 11:04:34AM -0400, Bourque Daniel wrote: > > > > > > > > > What about the claim by Cisco that the 350 couple with > > > their Cisco Secure > > > > > Access Control permit to each user to have it's own key > > > AND dynamic change > > > > > of thoses keys? > > > > > > > > It's proprietary software on top of their > cards. I'm still > > > > waiting to see the software in action AND waiting to see > > > Linux support. > > > > Till then, it's still vaporware. IAC, it's certainly NOT > > > what you are > > > > going to find deployed in the field at this time. > > > > > > > > There is also the SLAN project up at SourceForge with > > > is intended > > > > to address the Wireless encryption problem. That has Linux > > > and Windows > > > > clients and is also suppose to address this, and not > just be limited > > > > to Cisco cards. > > > > > > > > > -----Message d'origine----- > > > > > De: Michael H. Warfield [mailto:mhwat_private] > > > > > Date: 9 juillet, 2001 21:08 > > > > > À: ed.rolisonat_private > > > > > Cc: pen-testat_private > > > > > Objet: Re: Dsniff'ng wireless networks > > > > > > > > > > > > > > > On Mon, Jul 09, 2001 at 09:09:58AM +0100, > > > ed.rolisonat_private wrote: > > > > > > > > > > > Correct me if I'm wrong, but IIRC wireless lans are > > > effectively switched. > > > > > > > > > > You are wrong... They are broadcast media and > one station can > > > > > sniff another station as long as it can receive the RF. > > > Often, one > > > > > station might not be able to receive another stations RF > > > because they > > > > > are out of range of each other but not out of range of > > > the high-gain > > > > > access point antenna. But that is a far cry from > > > "effectively switched" > > > > > and is NOT something to rely on for security! > > > > > > > > > > > Each access point-NIC uses a separate encryption key > > > (there are weaknesses > > > > > > but...) > > > > > > > > > > You are VERY wrong. WEP uses a common shared > key amongst ALL > > > > > of the stations. In order to move between access > points within a > > > > > fully managed 802.11 network (multiple access points operating > > > > > in cooperation) then all the access points have to > have the same > > > > > Network Name and WEP encryption keys. Most seem to > > > support 4 decryption > > > > > keys (Rx) and a single encryption key (Tx - One of the > > > four Rx keys) > > > > > but to have everything work uniformly, it would all have > > > to be identical > > > > > and it's ALL shared secrets. > > > > > > > > > > > and thus the NIC only 'sees' traffic being directed at it. > > > > > > > > > > If that were true, then the WaveLAN sniffers > would not be > > > > > very effective. In fact, they are VERY effective. > > > > > > > > > > > It seems also that it's quite hard to get them to enter > > > promiscuous mode > > > > > for > > > > > > similar reasons - if > > > > > > it's listening to all the traffic, then the encryption > > > breaks down. > > > > > > > > > > 1) It's a snap to get it into promiscuous mode. > Tcpdump can do > > > > > it on Linux, no mods necessary. You see 802.3 (ethernet) > > > style frames > > > > > and encapsulation. The 802.11 framing is stripped before > > > presentation > > > > > to the application layer. > > > > > > > > > > 2) It's a little more difficult to get it into RF > > > Management/Monitor > > > > > mode. In fact, we don't know how to get some cards > > > (Lucent, Cabletron, etc) > > > > > into this mode where we can monitor access point > > > management frames. Other > > > > > cards (Cisco Aironet 340 and 350) go into RF > > > Management/Monitor mode very > > > > > readily. I have several. I've seen them in action. :-) > > > I prefer the > > > > > 350. Better receive gain. Picks up much better than the > > > 340. Also has > > > > > better transmit power (but I'm not usually transmitting :-) ). > > > > > > > > > > 3) On Linux, some driver patches are required to report > > > the ENTIRE > > > > > 802.11 encapsulation to the application layer and then > > > you need some > > > > > modified > > > > > libpcap libraries to handle them (they are different > > > sized than 802.3). > > > > > Once you have that, you can find out the ESSID, the > > > Network Name, various > > > > > AP parameters (like whether WEP is required or used), > > > etc, etc, etc... > > > > > > > > > > Driving from home to work along a particular route, I > > > know a dude > > > > > in a certain apartment complex has "Dougnet" while a > > > medical office further > > > > > down the road has one named "toomanysecrets". It's > > > amazing how many > > > > > have purchased a particular brand with a particular > > > default network name > > > > > and I see "tsunami" showing up all over the map while > > > driving around town. > > > > > > > > > > > You might have some joy, but the best I can see for > > > collecting the > > > > > datagrams > > > > > > would be something like > > > > > > a scanner (radio) interfaced to a computer. Of course, > > > you still have to > > > > > break > > > > > > the encryption, but there > > > > > > was an article posted to one of the securityfocus lists > > > regarding > > > > > 'weaknesses' > > > > > > in WEP. > > > > > > > > > > Yes, there certainly are some "weaknesses" in WEP. You > > > might want > > > > > to look them over. They're incredibly lame, like reusing > > > the undersized > > > > > (24 bit) IV and NOT encorporating any station dependent > > > information in > > > > > the IV or cypherstream (so cracking one station using > > > known plaintext > > > > > cracks them all). Combined that with a simple XOR > > > between the plaintext > > > > > and the cypherstream (making is subject to XOR reduction > > > attacks) it's > > > > > really pretty bad. "Bag on head" bad... "Go home in > > > shame" bad... > > > > > "Who forgot to invite the cryptographers to the > meetings" bad... > > > > > > > > > > > (this is based on a little research I did into 802.11b YMMV) > > > > > > > > > > > Cheers > > > > > > Ed > > > > > > > > > > > CONFIDENTIALITY: > > > > > > This e-mail and any attachments are confidential and > > > may be privileged. If > > > > > you > > > > > > are not a named recipient, please notify the sender > > > immediately and do not > > > > > > disclose the contents to another person, use it for any > > > purpose, or store > > > > > or > > > > > > copy the information in any medium. > > > > > > > > > > Mike > > > > > -- > > > > > Michael H. Warfield | (770) 985-6132 | > mhwat_private > > > > > (The Mad Wizard) | (678) 463-0932 | > > http://www.wittsend.com/mhw/ > > > > NIC whois: MHW9 | An optimist believes we live > in the best of > > all > > > > PGP Key: 0xDF1DD471 | possible worlds. A > pessimist is sure of it! > > > > > > Mike > > > -- > > > Michael H. Warfield | (770) 985-6132 | mhwat_private > > > (The Mad Wizard) | (678) 463-0932 | > > http://www.wittsend.com/mhw/ > > > NIC whois: MHW9 | An optimist believes we live > in the best of all > > > PGP Key: 0xDF1DD471 | possible worlds. A pessimist > is sure of it! > > > > > > > > > > > > -------------------------------------------------------------- > -------------- > > > This list is provided by the SecurityFocus Security > Intelligence Alert > > (SIA) > > > Service For more information on SecurityFocus' SIA service which > > > automatically alerts you to the latest security > vulnerabilities please > > see: > > > https://alerts.securityfocus.com/ > > > > -- > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > admin & senior consultant: darkstar.sysinfo.com > http://darkstar.sysinfo.com > > "Cutting the space budget really restores my faith in humanity. It > eliminates dreams, goals, and ideals and lets us get straight to the > business of hate, debauchery, and self-annihilation." > -- Johnny Hart > > testing, only testing, and damn good at it too! > > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 17:55:55 PDT