RE: Wireless Lans give EVERYONE ACCESS

From: sa7ori (sa7oriat_private)
Date: Fri Aug 10 2001 - 11:18:52 PDT

  • Next message: Ron DuFresne: "RE: CR II - winME? confirmation? (Slightly OT)"

    Additionally, one of the problems with the idea of placing a "network
    sniffer" on an "active" 802.11b NIC, is that you WONT receive packets from
    the Access Point unless you have successfully authenticated, and the
    firmware in the card has flipped some Rx bit. Many people have suggested
    using utils like HUNT, and Airopeek...but the best method I have found is
    to use WaveLan PC card and hack the drivers manually....granted, it can be
    a fairly daunting task but rewarding nontheless. If you dont care to do
    any work, there are such utilites for PRiSM based chipsets floting about
    on the net.
    
    On Thu, 9 Aug 2001, Jonas Thambert wrote:
    
    > WLAN is best used on a separate VLAN/NIC of the firewall in combination
    > with VPN into the rest of the internal networks.
    >
    > The VPN authentication is best handled my RSA, safeword or biometric
    > systems.
    >
    > Even then its not safe since it only takes 15 min to decrypt the
    > 40-bits key. Maybe WEP2 128-bits key will solve that :-)
    >
    > /Jonas
    >
    > -----Original Message-----
    > From: Conal Darcy [mailto:hershat_private]
    > Sent: den 8 augusti 2001 04:29
    > To: Russell Handorf
    > Cc: VULN-DEVat_private; bugtraqat_private
    > Subject: Re: Wireless Lans give EVERYONE ACCESS
    >
    >
    > But can't you just set up a firewall to block any packets from the wireless
    > device that claim they're coming from the loopback device (127.0.0.1)?
    >
    > My experience with wireless devices is minimal so I may be wrong.
    >
    > Conal Darcy
    > hershat_private
    >
    > On Mon, 6 Aug 2001, Russell Handorf wrote:
    >
    > > Traditional authentication with wireless lan's consist of the
    > > following simplified procedure: 1). Wireless nic asks for an IP
    > > 2). Base station checks to see if the MAC Address can be passed.
    > > 3). If the authentication is successful then the DHCP server leases an IP
    > > to the Wireless nic.
    > >
    > > Today, I have circumvented the MAC Address authentication method, and
    > > had also sniffed successfully on a switched network with wireless
    > > stations on it without authentication into the network.
    > >
    > > For sniffing onto a wireless network without a registered MAC Address
    > > AND using WEP Encryption Methods: 1). Set the MAC Address of the card
    > > to 127.0.0.1 and the Netmask to 255.255.0.0 2). The card takes care of
    > > the rest. Just sit back and listen to the sounds of the network (NOTE:
    > > There will NOT be any DNS RESOLVING and quite possibly NO IP's will
    > > show up, only the computers MAC Addressed) (Double
    > > NOTE: All you need is another machines MAC Address to start a
    > > Man-in-the-Middle).
    > >
    > > For Getting an IP Address for Internet Connectivity:
    > > First Method requires that you have already sniffed on the network for
    > > an extended amount of time. Needed information is the IP Ranges,
    > > Netmask, and Gateway of the Lan. All of this can be acquired through
    > > HUNT. All you do is sift through the data generated, find an IP that
    > > hasn't sent any traffic take it and configure the other things (such
    > > as Netmask and Gateway manually).
    > >
    > > Second method requires you to have physical access to the lan. Take a
    > > hardwired nic and spoof it's MAC Address to that of the wireless nic's
    > > address. Run a command like 'pump,' swap cards and you should be on
    > > the network.
    > >
    > > The following instructions were executed on a Dell laptop with Redhat
    > > 7.0. The Ethernet card that was used is a Xircom 10/100 56k Combo
    > > thingy and the wireless lan card is a Lucent Technologies Wavelan Gold
    > > Turbo 128RC4.
    > >
    > > The base stations that these were tested on is a D-Link 1000AP,
    > > Orinoco AP-1000 Access Point, Orinoco COR-1100, and Cisco Aironet 350
    > > Series.
    > >
    > > Will someone else please confirm that this is successful?
    > >
    > >
    > > Thanks
    > >
    > > Russ
    > > ==================================
    > > Russell Handorf
    > > oooo, shiney ::Wanders after it::
    > >
    > > www.russells-world.com
    > > www.inside-aol.com
    > > www.terrorists.net
    > > www.bad-mother-fucker.org
    > > www.philly2600.net
    > >
    > > "Computer games don't affect kids, I mean if Pacman affected us as
    > > kids, we'd all be running around in darkened rooms, munching pills and
    > > listening to repetitive music." ~unknown
    > > ==================================
    > >
    >
    



    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 11:45:11 PDT