
Volume 23
May 2001


Penetrating Wireless Networks
 by Mark Seiden

(be careful: it's just a matter of time before the first fatal accident involving use of wireless sniffers while driving... i have termed this "war driving".)

a useful tool for win2k is wildpackets' "airopeek" wireless sniffer. it has just come out of beta, and the beta version only supports the cisco 340 family NICs, because it relies on modified NDIS drivers.

with this running on my laptop while i drive i usually pick up an access point per mile or two, even at > 60 mph with no special antenna.

you can see the wireless frames, including 802.11 beacons, which contain the name of the access point (the SSID), the channel and whether WEP is in use, as well as the MAC addresses of all talking interfaces, and a signal strength indication so you can figure out which way to go.

if you supply the WEP keys, it will decrypt the traffic.

it's a useful sniffer ... but: it does not produce frames in tcpdump format. you need a separate utility for that.

also, it's EXPENSIVE: $1995 plus maintenance. aargh. (i got the beta for free...) (maybe they need more competition... from something free?)

regarding general sniffing of WLAN:

choice of antenna is important, by the way, if you want to do "war driving". (peter shipley recently mentioned he had a gps hooked up to a sniffer as well, so he records a location with each frame received ...)

you don't need the SSID. it provides no value anyway (since you can use the ALL value). but you can see it in the 802.11 beacons, and with WEP it gives a clue to the organization owning the access point (without WEP their email and web surfing is a much better clue...).
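the beacon fields mentioned above (SSID, channel, WEP flag, the BSSID) are all in the clear in a fixed 802.11 layout, which is what lets a survey tool build an inventory of access points without joining anything. here is an added example (mine, not code from the article or from wildpackets) of a minimal beacon parser plus the dedup/report logic a site survey would run over it; the frames it parses are constructed inline with locally administered MAC addresses, not captured traffic, and the builder exists only to produce that sample input.

```python
import struct

# Layout from IEEE 802.11-1999: 24-byte management header, then a fixed body
# (timestamp, beacon interval, capability info) and tagged parameters.
FC_BEACON = 0x0080       # frame control, little-endian: version 0, type 0 (mgmt), subtype 8 (beacon)
CAP_ESS = 0x0001         # capability bit 0: sender is an access point
CAP_PRIVACY = 0x0010     # capability bit 4: WEP required to associate
TAG_SSID = 0
TAG_RATES = 1
TAG_DS_PARAMS = 3        # DS parameter set: one byte, the current channel


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_beacon(frame):
    """Extract BSSID, SSID, channel and the WEP flag from one raw beacon frame."""
    if len(frame) < 36:
        raise ValueError("too short for a beacon")
    fc, = struct.unpack_from("<H", frame, 0)
    if fc & 0x00fc != FC_BEACON:            # compare type/subtype bits only, ignore flags
        raise ValueError("not a beacon frame")
    bssid = mac_str(frame[16:22])           # address 3 of a beacon is the BSSID
    _timestamp, interval, cap = struct.unpack_from("<QHH", frame, 24)
    ssid = channel = None
    pos = 36
    while pos + 2 <= len(frame):            # walk the tagged parameters, bounds-checked
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise ValueError("truncated tagged parameter")
        if tag == TAG_SSID:
            ssid = body.decode("utf-8", errors="replace")
        elif tag == TAG_DS_PARAMS and length == 1:
            channel = body[0]
        pos += 2 + length
    return {"bssid": bssid, "ssid": ssid, "channel": channel,
            "interval_tu": interval,
            "access_point": bool(cap & CAP_ESS),
            "wep": bool(cap & CAP_PRIVACY)}


def build_beacon(bssid, ssid, channel, wep):
    """Construct a minimal beacon for testing (sample input, not captured traffic)."""
    cap = CAP_ESS | (CAP_PRIVACY if wep else 0)
    header = struct.pack("<HH", FC_BEACON, 0) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    body = struct.pack("<QHH", 0, 100, cap)          # timestamp, 100 TU interval, capabilities
    ssid_bytes = ssid.encode("utf-8")
    tags = bytes([TAG_SSID, len(ssid_bytes)]) + ssid_bytes
    tags += bytes([TAG_RATES, 4, 0x82, 0x84, 0x8b, 0x96])   # 1, 2, 5.5, 11 Mb/s
    tags += bytes([TAG_DS_PARAMS, 1, channel])
    return header + body + tags


def inventory(frames):
    """One entry per BSSID however many beacons were seen; sorted for a report."""
    seen = {}
    for frame in frames:
        info = parse_beacon(frame)
        seen.setdefault(info["bssid"], info)
    return sorted(seen.values(), key=lambda ap: ap["bssid"])


def open_networks(frames):
    """The ones a site survey should flag first: beaconing with the privacy bit clear."""
    return [ap for ap in inventory(frames) if not ap["wep"]]


# Constructed sample capture: two access points (locally administered MACs), one of
# them beaconing twice, so the inventory must deduplicate.
SAMPLE_FRAMES = [
    build_beacon(bytes.fromhex("020000000001"), "acme-lab", 6, True),
    build_beacon(bytes.fromhex("020000000002"), "default", 11, False),
    build_beacon(bytes.fromhex("020000000001"), "acme-lab", 6, True),
]

if __name__ == "__main__":
    for ap in inventory(SAMPLE_FRAMES):
        print(f'{ap["bssid"]}  ch {ap["channel"]:>2}  wep={"yes" if ap["wep"] else "NO"}  ssid={ap["ssid"]!r}')
```

the parser refuses frames whose tagged parameters overrun the buffer instead of silently reading short; a real capture will contain truncated and corrupt frames, and a survey tool that trusts the length byte is the next thing to get owned. note also what the privacy bit does not tell you: a network with WEP on is still the one the following section is about.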

it does not appear that MAC-based access control (which some access points offer) is of much use, since on some interfaces you can change your MAC address to spoof that of a NIC you've seen successfully talking.

802.11b WEP provides little value (regardless of key length chosen) due to the reuse of the keystream, the lack of dynamic rekeying, and the possibility of known plaintext attacks. you have to record a few gigabytes of WEP data traffic to launch this attack, though, and i don't believe anyone has yet automated the exploit. (this has been known by members of the 802.11 committee for at least a year, more like two...)

(802.11e is trying to fix this, and cisco has announced an 802.1x implementation for the 350 card which seemingly complies with the compromise proposal in the 802.11 committee).
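to see concretely why "reuse of the keystream" and "lack of dynamic rekeying" are the whole story, here is an added example (mine, not from the article, the 802.11 committee or any vendor) with a toy implementation of the textbook WEP construction: RC4 keyed with the 3-byte IV prepended to the shared key, a CRC-32 integrity value appended before encryption, IV sent in the clear. the shared key, IVs and frame contents are constructed for the example. it shows that two frames sent under one IV share a keystream, so a frame with predictable contents (an LLC/SNAP header, say) exposes any other frame with the same IV without the key ever being touched, and it includes the check a monitor would run over a capture to count how often IVs repeat.

```python
import struct
import zlib


def rc4_keystream(key, n):
    """RC4 keystream of n bytes for `key`; WEP's per-frame key is IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                         # pseudo-random generation algorithm
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xff])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP integrity check value: a plain CRC-32, not a keyed MAC."""
    return struct.pack("<I", zlib.crc32(data) & 0xffffffff)


def wep_encrypt(shared_key, iv, data):
    """Frame body as sent on the air: 3-byte IV in clear, then RC4(data || ICV)."""
    plain = data + icv(data)
    return iv + xor(plain, rc4_keystream(iv + shared_key, len(plain)))


def wep_decrypt(shared_key, frame):
    """What the access point does with the shared key: regenerate keystream, check ICV."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + shared_key, len(body)))
    data, tag = plain[:-4], plain[-4:]
    if tag != icv(data):
        raise ValueError("ICV mismatch")
    return data


def keystream_from_known_plaintext(frame, known_data):
    """Ciphertext XOR known plaintext is the keystream for this frame's IV; no key involved."""
    return frame[:3], xor(frame[3:], known_data + icv(known_data))


def decrypt_with_keystream(frame, iv, keystream):
    """Any other frame under the same IV was XORed with the same keystream bytes."""
    if frame[:3] != iv:
        raise ValueError("different IV: this keystream does not apply")
    body = frame[3:]
    if len(keystream) < len(body):
        raise ValueError("known keystream is shorter than this frame")
    plain = xor(body, keystream[:len(body)])
    data, tag = plain[:-4], plain[-4:]
    if tag != icv(data):                       # the CRC confirms the recovery was right
        raise ValueError("ICV mismatch: recovered keystream is wrong")
    return data


def count_iv_reuse(frames):
    """Monitor-side check: frames in a capture whose IV already appeared earlier."""
    seen, repeats = set(), 0
    for frame in frames:
        iv = frame[:3]
        if iv in seen:
            repeats += 1
        seen.add(iv)
    return repeats


# Constructed sample traffic (not a capture): a 40-bit shared key and a station whose
# 24-bit IV counter wrapped or reset, so two frames go out under IV 00:00:2a.
SHARED_KEY = bytes.fromhex("0badc0ffee")
REUSED_IV = bytes.fromhex("00002a")
# LLC/SNAP header for ARP over 802.11, then zero padding: predictable from the outside.
KNOWN_DATA = b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + b"\x00" * 40
SECRET_DATA = b"GET /intranet/index.html HTTP/1.0\r\n"

FRAME_A = wep_encrypt(SHARED_KEY, REUSED_IV, KNOWN_DATA)
FRAME_B = wep_encrypt(SHARED_KEY, REUSED_IV, SECRET_DATA)


def two_time_pad_demo():
    """Recover FRAME_B's contents from FRAME_A's predictable contents alone."""
    iv, keystream = keystream_from_known_plaintext(FRAME_A, KNOWN_DATA)
    return decrypt_with_keystream(FRAME_B, iv, keystream)


def ciphertext_xor_leaks_plaintext_xor():
    """Even with nothing known: C1 XOR C2 == P1 XOR P2 whenever the keystream repeats."""
    n = min(len(FRAME_A), len(FRAME_B)) - 3
    p1 = (KNOWN_DATA + icv(KNOWN_DATA))[:n]
    p2 = (SECRET_DATA + icv(SECRET_DATA))[:n]
    return xor(FRAME_A[3:3 + n], FRAME_B[3:3 + n]) == xor(p1, p2)


if __name__ == "__main__":
    print("recovered:", two_time_pad_demo())
    print("IV repeats in capture:", count_iv_reuse([FRAME_A, FRAME_B]))
```

nothing here depends on the key length, which is the author's point: a 104-bit key gives the same 2^24 IVs per key as a 40-bit one, and with a static key and no rekeying an IV repeat is a certainty on any busy network. the fix is the one the 802.1x/802.11e work aims at, per-session keys changed often enough that a (key, IV) pair never comes around twice; a monitor that counts IV repeats, as above, tells you how far a given deployment is from that.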

as a separate issue: some of the wireless access points ship with naive ideas about administration and maintenance.

(run nmap against an access point...)

the smc and addtron access points, which use code licensed from a little company in ontario, neesus, have an open service (a listener for a no longer available proprietary and undocumented administration utility) which does nothing (they say -- we shall see), a web server for configuration with an unchangeable user "default", and a default password (which is changeable, at least). there are also strings in the access point binary image which make me wonder about back doors -- neesus says they can't explain them and maybe they're from the development environment they use.

it's the wild west out there...