In any case, they can't seem to make up their minds!

Imagine standards bodies not always employing System Security Engineering
methodologies... or realize!

http://www.zdnet.com/enterprise/stories/main/0,10228,2783681,00.html

mgr

Mike Ruscher, ITS Specialist I2, CSE/CST
mgruscher@cse-cst.gc.ca
Phone: +1 613 991-8040 ED/C200
http://www.cse-cst.gc.ca

The opinions expressed in this correspondence are mine and mine alone, and
are in no way, shape, or form to be interpreted as those of my employer.

> -----Original Message-----
> From: Kohlenberg, Toby [mailto:toby.kohlenbergat_private]
> Sent: Thursday, July 12, 2001 7:36 PM
> To: 'R. DuFresne'; Kohlenberg, Toby
> Cc: 'Dragos Ruiu'; Michael H. Warfield; Bourque Daniel; pen-testat_private
> Subject: RE: Dsniff'ng wireless networks
>
> None of them are in use and even once the standard gets approved,
> it will still be another 8 months before vendors send out silicon
> that supports it.
>
> toby
>
> > -----Original Message-----
> > From: R. DuFresne [mailto:dufresneat_private]
> > Sent: Thursday, July 12, 2001 4:08 PM
> > To: Kohlenberg, Toby
> > Cc: 'Dragos Ruiu'; Michael H. Warfield; Bourque Daniel; pen-testat_private
> > Subject: RE: Dsniff'ng wireless networks
> >
> > Yes, still, how many of those improvements are currently in use?
> >
> > Thanks,
> >
> > Ron DuFresne
> >
> > On Thu, 12 Jul 2001, Kohlenberg, Toby wrote:
> >
> > > If you haven't done so yet, take a look at the revisions
> > > made for the next release of 802.11 - specifically 802.11i -
> > > a number of interesting improvements in the standard with
> > > regard to security. It has been significantly developed by
> > > Jesse Walker, who is definitely competent.
> > >
> > > Toby
> > >
> > > > -----Original Message-----
> > > > From: Dragos Ruiu [mailto:drat_private]
> > > > Sent: Wednesday, July 11, 2001 5:48 PM
> > > > To: Michael H. Warfield; Bourque Daniel
> > > > Cc: pen-testat_private
> > > > Subject: Re: Dsniff'ng wireless networks
> > > >
> > > > IMHO the Cisco 350 (not the weaker gain cousin the 340)
> > > > is _the_ card to get.... if for no other reason than you can
> > > > crank that transmitter to a rangeful but unhealthy and
> > > > battery frying three times the normal power rating of
> > > > other typical cards (30mW vs. 100mW) or right down to
> > > > a less unhealthy and battery saving 1mW with the
> > > > OpenBSD drivers (and it works fine for me in an indoor
> > > > residential setting at this minimal power level). As
> > > > far as I have tested none of the other cards/chipsets give
> > > > you any useful power controls beyond the mostly lame
> > > > keep the transmitter on for so many milliseconds
> > > > settings which mostly mess up your link without
> > > > much savings. Never mind the fact that you can
> > > > also use this card to break the shamefully bad crypto. :-)
> > > > "Who forgot to invite the cryptographers?", indeed.
> > > >
> > > > cheers,
> > > > --dr
> > > >
> > > > On Tue, 10 Jul 2001, Michael H. Warfield wrote:
> > > > > On Tue, Jul 10, 2001 at 11:04:34AM -0400, Bourque Daniel wrote:
> > > > >
> > > > > > What about the claim by Cisco that the 350 coupled with
> > > > > > their Cisco Secure Access Control permits each user to have
> > > > > > its own key AND dynamic change of those keys?
> > > > >
> > > > > It's proprietary software on top of their cards. I'm still
> > > > > waiting to see the software in action AND waiting to see
> > > > > Linux support. Till then, it's still vaporware. IAC, it's
> > > > > certainly NOT what you are going to find deployed in the
> > > > > field at this time.
> > > > >
> > > > > There is also the SLAN project up at SourceForge which is
> > > > > intended to address the Wireless encryption problem. That
> > > > > has Linux and Windows clients and is also supposed to
> > > > > address this, and not just be limited to Cisco cards.
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Michael H. Warfield [mailto:mhwat_private]
> > > > > > Date: July 9, 2001 21:08
> > > > > > To: ed.rolisonat_private
> > > > > > Cc: pen-testat_private
> > > > > > Subject: Re: Dsniff'ng wireless networks
> > > > > >
> > > > > > On Mon, Jul 09, 2001 at 09:09:58AM +0100, ed.rolisonat_private wrote:
> > > > > >
> > > > > > > Correct me if I'm wrong, but IIRC wireless lans are
> > > > > > > effectively switched.
> > > > > >
> > > > > > You are wrong... They are broadcast media and one station can
> > > > > > sniff another station as long as it can receive the RF. Often, one
> > > > > > station might not be able to receive another station's RF because they
> > > > > > are out of range of each other but not out of range of the high-gain
> > > > > > access point antenna. But that is a far cry from "effectively switched"
> > > > > > and is NOT something to rely on for security!
> > > > > >
> > > > > > > Each access point-NIC uses a separate encryption key (there are
> > > > > > > weaknesses but...)
> > > > > >
> > > > > > You are VERY wrong. WEP uses a common shared key amongst ALL
> > > > > > of the stations. In order to move between access points within a
> > > > > > fully managed 802.11 network (multiple access points operating
> > > > > > in cooperation) then all the access points have to have the same
> > > > > > Network Name and WEP encryption keys. Most seem to support 4 decryption
> > > > > > keys (Rx) and a single encryption key (Tx - One of the four Rx keys)
> > > > > > but to have everything work uniformly, it would all have to be identical
> > > > > > and it's ALL shared secrets.
> > > > > >
> > > > > > > and thus the NIC only 'sees' traffic being directed at it.
> > > > > >
> > > > > > If that were true, then the WaveLAN sniffers would not be
> > > > > > very effective. In fact, they are VERY effective.
> > > > > >
> > > > > > > It seems also that it's quite hard to get them to enter promiscuous
> > > > > > > mode for similar reasons - if it's listening to all the traffic,
> > > > > > > then the encryption breaks down.
> > > > > >
> > > > > > 1) It's a snap to get it into promiscuous mode. Tcpdump can do
> > > > > > it on Linux, no mods necessary. You see 802.3 (ethernet) style frames
> > > > > > and encapsulation. The 802.11 framing is stripped before presentation
> > > > > > to the application layer.
> > > > > >
> > > > > > 2) It's a little more difficult to get it into RF Management/Monitor
> > > > > > mode. In fact, we don't know how to get some cards (Lucent, Cabletron, etc)
> > > > > > into this mode where we can monitor access point management frames. Other
> > > > > > cards (Cisco Aironet 340 and 350) go into RF Management/Monitor mode very
> > > > > > readily. I have several. I've seen them in action. :-) I prefer the
> > > > > > 350. Better receive gain. Picks up much better than the 340. Also has
> > > > > > better transmit power (but I'm not usually transmitting :-) ).
> > > > > >
> > > > > > 3) On Linux, some driver patches are required to report the ENTIRE
> > > > > > 802.11 encapsulation to the application layer and then you need some
> > > > > > modified libpcap libraries to handle them (they are different
> > > > > > sized than 802.3). Once you have that, you can find out the ESSID, the
> > > > > > Network Name, various AP parameters (like whether WEP is required or used),
> > > > > > etc, etc, etc...
> > > > > >
> > > > > > Driving from home to work along a particular route, I know a dude
> > > > > > in a certain apartment complex has "Dougnet" while a medical office further
> > > > > > down the road has one named "toomanysecrets". It's amazing how many
> > > > > > have purchased a particular brand with a particular default network name
> > > > > > and I see "tsunami" showing up all over the map while driving around town.
> > > > > >
> > > > > > > You might have some joy, but the best I can see for collecting the
> > > > > > > datagrams would be something like a scanner (radio) interfaced to a
> > > > > > > computer. Of course, you still have to break the encryption, but there
> > > > > > > was an article posted to one of the securityfocus lists regarding
> > > > > > > 'weaknesses' in WEP.
> > > > > >
> > > > > > Yes, there certainly are some "weaknesses" in WEP. You might want
> > > > > > to look them over. They're incredibly lame, like reusing the undersized
> > > > > > (24 bit) IV and NOT incorporating any station dependent information in
> > > > > > the IV or cypherstream (so cracking one station using known plaintext
> > > > > > cracks them all). Combine that with a simple XOR between the plaintext
> > > > > > and the cypherstream (making it subject to XOR reduction attacks) and it's
> > > > > > really pretty bad. "Bag on head" bad... "Go home in shame" bad...
> > > > > > "Who forgot to invite the cryptographers to the meetings" bad...
> > > > > >
> > > > > > > (this is based on a little research I did into 802.11b YMMV)
> > > > > > >
> > > > > > > Cheers
> > > > > > > Ed
> > > > > > >
> > > > > > > CONFIDENTIALITY:
> > > > > > > This e-mail and any attachments are confidential and may be privileged. If
> > > > > > > you are not a named recipient, please notify the sender immediately and do
> > > > > > > not disclose the contents to another person, use it for any purpose, or
> > > > > > > store or copy the information in any medium.
> > > > > >
> > > > > > Mike
> > > > > > --
> > > > > > Michael H. Warfield    |  (770) 985-6132  |  mhwat_private
> > > > > >   (The Mad Wizard)     |  (678) 463-0932  |  http://www.wittsend.com/mhw/
> > > > > >   NIC whois:  MHW9     |  An optimist believes we live in the best of all
> > > > > >  PGP Key: 0xDF1DD471   |  possible worlds.  A pessimist is sure of it!
> > > > >
> > > > > Mike
> > > > > --
> > > > > Michael H. Warfield    |  (770) 985-6132  |  mhwat_private
> > > > >   (The Mad Wizard)     |  (678) 463-0932  |  http://www.wittsend.com/mhw/
> > > > >   NIC whois:  MHW9     |  An optimist believes we live in the best of all
> > > > >  PGP Key: 0xDF1DD471   |  possible worlds.  A pessimist is sure of it!
> > > >
> > > > ----------------------------------------------------------------------------
> > > > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> > > > Service For more information on SecurityFocus' SIA service which
> > > > automatically alerts you to the latest security vulnerabilities please see:
> > > > https://alerts.securityfocus.com/
> >
> > --
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > admin & senior consultant: darkstar.sysinfo.com
> > http://darkstar.sysinfo.com
> >
> > "Cutting the space budget really restores my faith in humanity. It
> > eliminates dreams, goals, and ideals and lets us get straight to the
> > business of hate, debauchery, and self-annihilation."
> > -- Johnny Hart
> >
> > testing, only testing, and damn good at it too!
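[Editor's note, not part of the thread above.] The WEP weaknesses Warfield lists (a 24-bit IV that repeats, one key shared by every station, and plaintext simply XORed with the RC4 keystream) are easiest to appreciate in running code. The example below is written for this page and is not code from any participant. It models WEP's per-frame cipher (RC4 keyed with IV || shared key, IV sent in the clear, no per-station input) but omits the CRC-32 ICV and the 802.11 headers; the WEP-40 key, IV and frame contents are constructed samples. It shows that known plaintext for one station's frame yields the keystream for that IV, which then decrypts any other station's frame that reused the IV, and it puts a birthday-bound number on how soon a 24-bit IV repeats.

```python
"""Added example (not from the thread): WEP keystream reuse across stations.

Models WEP's cipher only: RC4 keyed with IV || shared key, IV in the clear,
plaintext XOR keystream.  The CRC-32 ICV and 802.11 headers are omitted.
Key, IV and frame payloads below are constructed for the demonstration.
"""
import math


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n bytes of RC4 output for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style body: 3-byte cleartext IV, then RC4(IV || key) XOR plaintext."""
    assert len(iv) == 3
    return iv + xor_bytes(rc4_keystream(iv + shared_key, len(plaintext)), plaintext)


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """What a legitimate key holder does; the attacker never needs this."""
    iv, body = frame[:3], frame[3:]
    return xor_bytes(rc4_keystream(iv + shared_key, len(body)), body)


# LLC/SNAP header that begins every IPv4 payload inside an 802.11 data frame,
# so an attacker can assume these 8 plaintext bytes for any IP packet.
SNAP_IPV4 = bytes.fromhex("aaaa030000000800")


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext for one frame gives the keystream for that frame's IV."""
    return xor_bytes(frame[3:], known_plaintext)


def decrypt_other_frame(keystream: bytes, frame: bytes) -> bytes:
    """Apply a recovered keystream to a different frame that reused the same IV."""
    return xor_bytes(keystream, frame[3:])


def iv_collision_probability(n_frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: P(some IV repeats) among n_frames uniformly chosen IVs."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-n_frames * (n_frames - 1) / (2.0 * space))


def frames_for_collision(p: float, iv_bits: int = 24) -> int:
    """Smallest n (birthday approximation) at which an IV repeat has probability >= p."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p))))


def demo() -> dict:
    """Stations A and B share one WEP-40 key (WEP offers nothing else) and
    both send a frame under IV 000001.  The attacker knows A's plaintext,
    e.g. a packet they caused to be sent to A, and reads B's frame with it."""
    shared_key = bytes.fromhex("0102030405")                # constructed WEP-40 key
    iv = b"\x00\x00\x01"                                     # low IVs recur after card resets
    plain_a = SNAP_IPV4 + b"GET / HTTP/1.0\r\n"
    plain_b = SNAP_IPV4 + b"password=hunter2"                # constructed secret
    frame_a = wep_encrypt(shared_key, iv, plain_a)
    frame_b = wep_encrypt(shared_key, iv, plain_b)
    # Everything from here on uses only sniffed frames and known plaintext.
    keystream = recover_keystream(frame_a, plain_a)
    return {
        "ciphertext_xor_is_plaintext_xor":
            xor_bytes(frame_a[3:], frame_b[3:]) == xor_bytes(plain_a, plain_b),
        "station_b_plaintext": decrypt_other_frame(keystream, frame_b),
        "p_repeat_after_4096_frames": iv_collision_probability(4096),
        "frames_for_50pct_repeat": frames_for_collision(0.5),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two things the code makes concrete. First, because no station-specific value enters the RC4 key, the keystream recovered from station A's frame decrypts station B's frame byte for byte; the attacker never touches the shared key. Second, with IVs drawn from a 24-bit space the birthday bound puts a repeat at roughly 39% after only 4096 frames and at 50% after about 4800, a few minutes of traffic on a busy 802.11b cell, and cards that restart their IV counter at zero collide far sooner than that.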
This archive was generated by hypermail 2b30 : Fri Jul 13 2001 - 15:51:20 PDT