
Detecting 802.11 Discovery Apps

Hemos posted more than 11 years ago | from the looking-at-the-backdoor dept.

Security 165

Joshua Wright writes "I have written a white paper on detecting 802.11 Wireless LAN Network Discovery applications. Wireless LAN discovery through the use of applications such as NetStumbler, DStumbler, Wellenreiter and others is an increasingly popular technique for network penetration. The discovery of a wireless LAN might be used for seemingly innocuous Internet access, or as a "backdoor" into a network to stage an attack. This paper reviews some of the tactics used in wireless LAN network discovery and attempts to identify some of the fingerprints left by wireless LAN discovery applications, focusing on the MAC and LLC layers. This fingerprint information can then be incorporated into intrusion detection tools capable of analyzing data-link layer traffic."
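As an added example (not code from Joshua Wright's paper and not written by anyone in this thread), here is the kind of MAC-layer fingerprint check the summary describes, run over a constructed set of frame records. NetStumbler-class tools discover networks actively: they transmit probe-request frames with a broadcast (empty) SSID while hopping channels, so a burst of such frames from one station within a short window is the signature looked for. The frame records, thresholds, station addresses and allow-list below are all assumptions; a real deployment would feed the records from a monitor-mode capture. A station that only listens (Kismet-style passive sniffing, as a comment further down points out) transmits nothing and therefore never appears in the verdicts. The allow-list handles the false-positive case also raised below: a known staff machine running a stumbler is reported but not blocked.

```python
from collections import defaultdict, deque

PROBE_REQ = "probe_req"   # 802.11 management frame, subtype 4


def detect_active_scanners(frames, window_s=10.0, min_probes=8, allowlist=frozenset()):
    """Return {source_mac: verdict} for stations that look like active scanners.

    frames: iterable of (timestamp_s, src_mac, subtype, ssid) records.
    Heuristic (assumed threshold): >= min_probes broadcast-SSID probe requests
    from one MAC inside a sliding window of window_s seconds.
    verdict is "block" for unknown stations and "alert_only" for allow-listed ones.
    """
    recent = defaultdict(deque)   # src_mac -> timestamps of recent broadcast probes
    verdicts = {}
    for ts, src, subtype, ssid in sorted(frames, key=lambda f: f[0]):
        if subtype != PROBE_REQ or ssid != "":
            continue                       # directed probes and data frames are normal client traffic
        window = recent[src]
        window.append(ts)
        while ts - window[0] > window_s:   # drop timestamps that fell out of the window
            window.popleft()
        if len(window) >= min_probes and src not in verdicts:
            verdicts[src] = "alert_only" if src in allowlist else "block"
    return verdicts


# Constructed sample: locally administered (02:...) addresses, not real devices.
SCANNER = "02:00:00:00:00:aa"   # unknown station walking the channels with broadcast probes
CLIENT = "02:00:00:00:00:bb"    # legitimate client probing for its own SSID, then passing data
STAFF = "02:00:00:00:00:cc"     # authorised machine whose owner ran a stumbler "for fun"

SAMPLE_FRAMES = (
    [(0.5 * i, SCANNER, PROBE_REQ, "") for i in range(12)]
    + [(1.0, CLIENT, PROBE_REQ, "corpnet"),
       (1.1, CLIENT, PROBE_REQ, "corpnet"),
       (2.0, CLIENT, "data", None)]
    + [(20.0 + 0.5 * i, STAFF, PROBE_REQ, "") for i in range(10)]
)


def run_sample():
    """Evaluate the constructed capture with STAFF on the allow-list."""
    return detect_active_scanners(SAMPLE_FRAMES, allowlist={STAFF})


if __name__ == "__main__":
    for mac, verdict in sorted(run_sample().items()):
        print(f"{mac}: {verdict}")
```

The check deliberately ignores directed probe requests (those naming an SSID), because every normal client sends a few of them when it associates; only the broadcast-SSID burst is counted. Changing the MAC address, as several comments note, defeats the "block" action but not the detection itself, since the burst pattern comes from the tool, not the address.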


Kickin' It Ole School (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4646264)

Plekhanov wrote a special pamphlet on the relation of anarchism to Socialism, entitled Anarchism and Socialism and published in German in 1894.

In treating this subject Plekhanov contrived completely to ignore the most urgent, burning, and politically most essential issue in the struggle against anarchism, viz., the relation of the revolution to the state, and the question of the state in general! Two sections of his pamphlet stand out: one of them is historical and literary, and contains valuable material on the history of the ideas of Stirner, Proudhon and others; the other is philistine, and contains a clumsy dissertation on the theme that an anarchist cannot be distinguished from a bandit.

A most amusing combination of subjects and most characteristic of Plekhanov's whole activity on the eve of the revolution and during the revolutionary period in Russia. Indeed, in the years 1905 to 1917, Plekhanov revealed himself as a semi-doctrinaire and semi-philistine who, in politics, trailed in the wake of the bourgeoisie.

We have seen how, in their controversy with the anarchists, Marx and Engels with the utmost thoroughness explained their views on the relation of revolution to the state. In 1891, in his foreword to Marx's Critique of the Gotha Program, Engels wrote that "we"--that is, Engels and Marx--"were at that time, hardly two years after the Hague Congress of the (First) International, engaged in the most violent struggle against Bakunin and his anarchists."

The anarchists had tried to claim the Paris Commune as their "own," so to say, as a corroboration of their doctrine; and they utterly failed to understand its lessons and Marx's analysis of these lessons. Anarchism has failed to give anything even approximating a true solution of the concrete political problems, viz., must the old state machine be smashed? And what should be put in its place?

But to speak of "Anarchism and Socialism" while completely evading the question of the state, and failing to take note of the whole development of Marxism before and after the Commune, meant inevitably slipping into opportunism. For what opportunism needs most of all is that the two questions just mentioned should not be raised at all. That in itself is a victory for opportunism.

Re:Kickin' It Ole School (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4646301)

j00 g07 frost pist d00d

is there redundancy... (3, Funny)

z-kungfu (255628) | more than 11 years ago | (#4646274)

...in their detecting detectors? Or are the detectors detecting only getting detected once? Any way you put it, that's a lot of detecting detectors, and vice versa...

Re:is there redundancy... (2, Funny)

essell (446524) | more than 11 years ago | (#4646500)

Reminds me of The Big Hit, where they have the Trace Buster, and the Trace Buster Buster, and so on.

How soon until we see dectectors built into the discovery apps, to detect the dectector detectors? :)

Re:is there redundancy... (0)

Anonymous Coward | more than 11 years ago | (#4646575)

This cat and mouse game has been going on for quite some time with other RF technologies such as radar. For example I have a radar detector that not only detects VG-2 radar detector detection devices, but is also invisible to them.

Speaking Of Discovery: +1, Patriotic (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4646279)

Where in the world is John Katz? Has his employment with Slashdot been ended? Is he in Afghanistan learning how to program the famous Commodore-64?

People want to know.

Thanks in advance,

Re:Speaking Of Discovery: +1, Patriotic (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4646386)


-- JonKatz

Yeah... (4, Funny)

Anonymous Coward | more than 11 years ago | (#4646286)

My girlfriend gets pissed anytime I even mention backdoor penetration...

Re:Yeah... (4, Funny)

kalos (413924) | more than 11 years ago | (#4646322)

That's because you are flat out penetrating her network through the back door. Do some probing first man. You have to find out if there are any ports or services receptive to your connection before you attempt to dive right in and exploit any weaknesses.

Re:Yeah... (0)

kalos (413924) | more than 11 years ago | (#4646353)

Forgot to mention, if the remote host wishes to make a similar connection before allowing your packets through just close the connection and move on to a new (and hopefully more willing) host.

yeah, yeah, yeah... (-1, Offtopic)

Grape Smuggler (569838) | more than 11 years ago | (#4646397)

Hilarious. So much humour could not be contained in one post, so spread it out over two.

Same fucking jokes all the time, thanks for the contribution, you ass-mullet.

Re:Yeah... (1)

mocktor (536122) | more than 11 years ago | (#4646765)

unless her backdoor is protected - in that case you'll need to spend days hanging around it sniffing for weak packets

Re:Yeah... (-1)

Grape Smuggler (569838) | more than 11 years ago | (#4646373)

That is why you have turned to your neighbor's dog. He never complains, does he? Lift up the tale, and BOINK! Rover is yelping like you are ripping out his intestines.

Re:Yeah... (0)

Anonymous Coward | more than 11 years ago | (#4646630)

Once, I told a tale. People listened! On the other hand, I can also tell a rat from a squirrel--by the tail.

So, are YOU the smuggler of grapes, or merely a fan of the grape-smuggling business?

Weird... (4, Funny)

Eric_Cartman_South_P (594330) | more than 11 years ago | (#4646429)

...every time I mention it to her, I get no complaints.

Re:Weird... (5, Funny)

_ph1ux_ (216706) | more than 11 years ago | (#4646582)

thats because you're not trying to come through the back door with an OC-192.

Re:Yeah... (4, Funny)

the way, what're you (591901) | more than 11 years ago | (#4646432)

My girlfriend gets pissed anytime I even mention backdoor penetration...

That's because she wants you to spend time with her, not your buddies.

Re:Yeah... (4, Funny)

geekd (14774) | more than 11 years ago | (#4646433)

Dave's relationship rule #27:

"When you find a woman who reacts positively to the suggestion of 'backdoor penetration', seriously consider marriage"

rules to live by.

Wrong approach (4, Insightful)

bobthemuse (574400) | more than 11 years ago | (#4646310)

Any 802.xx network near a public area is going to be stumbled upon eventually... why not encrypt your traffic rather than spending the time detecting some geek walking by with an 802.xx handheld running out of his bag?

Re:Wrong approach (1)

Flabby Boohoo (606425) | more than 11 years ago | (#4646406)

That does not address the guy stealing all your bandwidth, only the guy trying to grab your data.

Don't route his packets (4, Insightful)

upper (373) | more than 11 years ago | (#4646466)

Put your wireless network segment behind a firewall which proxies encrypted SSH connections and passes nothing else.

Re:Wrong approach (3, Informative)

g4dget (579145) | more than 11 years ago | (#4647047)

Sure it does: you use some form of VPN for clients on the wireless LAN. Only they can get routed anywhere.

Re:Wrong approach (0)

Anonymous Coward | more than 11 years ago | (#4647104)

Encryption is a good solution (unless you mean WEP) but is quite annoying to manage in a large environment. This tends to drive up operational costs, which annoys management. There are several other simpler things that can be done to make the job of the attacker slightly more difficult; it's just that 70% of people don't bother.

As for stopping bandwidth theft... again IPsec would take care of that problem because you can stop all non-certified hosts communicating successfully on your network.

all your base (-1, Offtopic)

dirvish (574948) | more than 11 years ago | (#4646311)

all your base station are belong to us

There's an easier way (3, Funny)

cscx (541332) | more than 11 years ago | (#4646321)

I just tend to look for the box on the wall plugged into an ethernet cable with the two antennae sticking out of it.

Love it. (4, Funny)

geekd (14774) | more than 11 years ago | (#4646343)

God damn, I love a good arms race.

Are you a coder? Need work? Get involved at the beginning of an arms race such as this one. Employment for years and years. Get involved early enough, and soon you will be an "expert".

Of course, there are more employment opportunities on the defensive side of the race, while the more fun side is the offense.

War Is Good: +1, Even More Patriotic (1, Funny)

Anonymous Coward | more than 11 years ago | (#4646385)

Rejoice and make war your life:

See Naqoyqatsi

(Na-qoy-qatsi: (nah koy' kahtsee) N. From the Hopi Language. 1. A life of killing each other. 2. War as a way of life. 3. (Interpreted) Civilized violence.)

Arms Race (3, Funny)

RAMMS+EIN (578166) | more than 11 years ago | (#4646349)

OK, here's another arms race.

- With this anti-missile missile, we can intercept their missiles!
* But what do we do if they build an anti-anti-missile-missile missile?
- Simple, we build an anti-anti-anti-missile-missile-missile missile.
* Ow...I have a headache.

Re:Arms Race (0)

Anonymous Coward | more than 11 years ago | (#4646392)

Simple, fight the expected with the absurd. If your head hurts after that one, imagine this arms race.

- With this anti-missile missile, we can intercept their missiles!
* But what do we do if they build an anti-anti-missile-missile missile?
- Simple, we train monkeys, perhaps chimps, to infiltrate their command center and urinate on anti-anti-missile-missile control panels.
* They build an anti-monkey missile.
- We decide that perhaps two hippos strapped together would work better.

Now that's gonna cause headaches.

Re:Arms Race (2)

weird mehgny (549321) | more than 11 years ago | (#4646648)

for(;;) foo = !foo;

Physically positioning the intruder (5, Interesting)

jki (624756) | more than 11 years ago | (#4646352)

Your article was an interesting read. But what I would like to add is that it might be theoretically possible to physically position the intruder, especially if you have made specific preparations for it (by placing a few extra access points as radars to do the triangle-mapping thing). You could use a tool like procycle to do it, for example. Then just dispatch your favorite security guards Igor and Vasili and let them do the rest :) Here's a clip from the Procycle page:

Features: Measuring locations, Mapping, Data transfer tests, Producing quality survey reports, Graph. Requirements, Nokia 802.11b WLAN PCMCIA card, Windows 98/Me/NT/2000

What are the security guards going to do? (4, Interesting)

upper (373) | more than 11 years ago | (#4646594)

If the intruder is sitting behind the dumpster typing on his laptop, and it's the middle of the night, then your security guards have a number of courses of action that could be quite effective. But if he's in a busy starbucks, appearing to mind his own business, what can the security guard practically do?

I'd guess that you'd have enough data to show probable cause and get a warrant, but the latency is a bit long.

I do agree that spatially locating the intruder would be useful. At the very least, it's another way of detecting (most) intruders. And if you really want to use location info to do the vigilante thing, maybe you could fry his wifi card with a few hundred watts of microwaves in a directed beam.
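As an added example of the "triangle-mapping" idea in the two posts above (not code from the procycle tool mentioned there, and not written by either poster): three access points with known positions each report the received signal strength of the scanning station's frames; each RSSI is converted to a distance with a log-distance path-loss model, and the three circles are intersected by subtracting equations to get a linear 2x2 system. The AP positions, the reference power at 1 m (P0_DBM) and the path-loss exponent (PATH_LOSS_N) are assumed values. Indoor multipath makes real readings far noisier than this model; the second run biases one reading by only 3 dB to show how much the estimate moves.

```python
import math

P0_DBM = -40.0     # assumed RSSI at 1 m from the station (depends on card and antenna)
PATH_LOSS_N = 2.5  # assumed path-loss exponent for an office (free space would be 2.0)


def rssi_to_distance(rssi_dbm, p0_dbm=P0_DBM, n=PATH_LOSS_N):
    """Invert the log-distance model: RSSI(d) = P0 - 10*n*log10(d)."""
    return 10 ** ((p0_dbm - rssi_dbm) / (10 * n))


def distance_to_rssi(d_m, p0_dbm=P0_DBM, n=PATH_LOSS_N):
    """Forward model, used here only to fabricate readings for the sample."""
    return p0_dbm - 10 * n * math.log10(d_m)


def trilaterate(anchors, distances):
    """Intersect three range circles (x-xi)^2 + (y-yi)^2 = di^2.

    Subtracting circle 1 from circles 2 and 3 removes the quadratic terms and
    leaves 2(xi-x1)x + 2(yi-y1)y = d1^2 - di^2 + xi^2 - x1^2 + yi^2 - y1^2,
    which is solved by Cramer's rule.
    """
    (x1, y1), (x2, y2), (x3, y3) = anchors
    d1, d2, d3 = distances
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = d1**2 - d2**2 + x2**2 - x1**2 + y2**2 - y1**2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = d1**2 - d3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("anchors are collinear; no unique fix")
    return (c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det


def locate(anchors, rssis_dbm):
    """Position estimate from one RSSI reading per anchor."""
    return trilaterate(anchors, [rssi_to_distance(r) for r in rssis_dbm])


def position_error(estimate, truth):
    return math.hypot(estimate[0] - truth[0], estimate[1] - truth[1])


# Constructed layout: three APs in a 30 m square, station at an assumed point.
ANCHORS = [(0.0, 0.0), (30.0, 0.0), (0.0, 30.0)]
TRUE_POS = (10.0, 12.0)


def run_sample():
    """Return (estimate from exact readings, estimate with anchor 1 biased by -3 dB)."""
    rssis = [distance_to_rssi(math.hypot(TRUE_POS[0] - ax, TRUE_POS[1] - ay))
             for ax, ay in ANCHORS]
    exact = locate(ANCHORS, rssis)
    noisy = locate(ANCHORS, [rssis[0] - 3.0] + rssis[1:])   # one wall in the way
    return exact, noisy


if __name__ == "__main__":
    exact, noisy = run_sample()
    print("exact readings ->", exact, "error", position_error(exact, TRUE_POS))
    print("one reading -3 dB ->", noisy, "error", position_error(noisy, TRUE_POS))
```

A 3 dB bias on a single anchor moves the fix by several metres in this geometry, which is why the guard is more likely to end up with a room than a chair. The scanner also has to transmit for any of this to work; a purely passive sniffer produces no RSSI at all.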

Re:What are the security guards going to do? (0)

Anonymous Coward | more than 11 years ago | (#4646800)

or what would be more fun is fry his future offspring off with the directional microwave blast!!!! Serves him right

Ok, so you've detected an intrusion... (5, Insightful)

lorcha (464930) | more than 11 years ago | (#4646355)

... now what? No, seriously, what do you do once you've detected unauthorized access short of looking out your window for a guy with a Pringles can?

Normally, when you detect an intrusion, you have an IP address, you find its owner, and then try to determine who was using that address at the time of detection, and hopefully prosecute. It just seems to me that with 802.11, your best bet is to secure the thing rather than trying to figure out whose PDA inside a backpack is polling your network.

Re:Ok, so you've detected an intrusion... (2)

JUSTONEMORELATTE (584508) | more than 11 years ago | (#4646414)

Ok, so you've ID'd an unauth. access. You block the MAC addr at the access point.
The next problem is re-enabling a MAC Address when an authorized person either runs a sniffer for fun or generates a false-positive.

Re:Ok, so you've detected an intrusion... (1)

metalpet (557056) | more than 11 years ago | (#4646622)

Blocking a MAC addr is a bit like blocking an IP. It makes you feel good but doesn't really protect anything.
Even if the intruder is somehow unaware he can change his MAC address, he can still sniff your network traffic until the HD gets full.
Of course, if all the intruder was doing is passive sniffing, you wouldn't be able to detect it to start with.

Re:Ok, so you've detected an intrusion... (1)

n08ody (162000) | more than 11 years ago | (#4646435)

or if they are a stupid script kiddie, you send him the "I love you virus".

Re:Ok, so you've detected an intrusion... (2, Informative)

ihowson (601821) | more than 11 years ago | (#4646478)

Exactly. "Sir, can I look inside your bag? We think you've got a laptop trying to invade our WLAN". Eat me.

There was a paper on how to track people scanning your WLAN by triangulating their location from several access points, but that seems like an awful lot more effort than just securing the network in the first place.

It might be useful for statistical interest (go to the boss asking for money because X number of people have been trying to hack the WLAN). Package it up and install it on a machine somewhere.

Note that this won't pick up Kismet (not that anything will, short of scanning for moving RF emissions from a computer). But that's another point entirely.

Re:Ok, so you've detected an intrusion... (2, Interesting)

amlutias (24318) | more than 11 years ago | (#4646579)

well, if you're using HostAP, you could theoretically build up a dynamic defense that would mac filter and force disassociation (if an association was attempted) of any station detected to be scanning. you could do similar things with embedded devices and licensed firmware, i'm sure.

Re:Ok, so you've detected an intrusion... (1)

mocktor (536122) | more than 11 years ago | (#4646903)

except mac addresses can be changed on wifi cards just like normal ethernet cards - so all it takes is sniffing long enough to find a legit mac then ifconfig eth0 hw ether de:ad:be:ef:00:00

useful link: kismet

Re:Ok, so you've detected an intrusion... (2)

Jacer (574383) | more than 11 years ago | (#4646525)

The fingerprint he was referring to on the MAC and LLC sublayers of the data link layer (OSI model) is factory imprinted, so it's useful evidence to prosecute; with new network adapters, however, you can change your MAC address. So you'd have to apprehend the h4x0r before s/he escaped and was able to change their MAC. So I would assume that you'd catch them in the act, or at least filter traffic to not allow them onto your network.

Re:Ok, so you've detected an intrusion... (1)

amlutias (24318) | more than 11 years ago | (#4646564)

or, the h4x0r would be smart enough never to associate with his or her real MAC.

Re:Ok, so you've detected an intrusion... (0)

Anonymous Coward | more than 11 years ago | (#4646618)

And even if they did it wouldn't matter. Do you realize how many resellers of wireless equipment there are? How many even keep such detailed records? How many refuse to sell equipment when offered cash?

Re:Ok, so you've detected an intrusion... (0)

Anonymous Coward | more than 11 years ago | (#4646839)

The first 24 bits of a MAC address are manufacturer specific. But spoofing is quite easy. Ever set up one of those cable modem NAT/router/switch thingamabobs? To spoof a MAC on that thing was as simple as a click of a button.

Re:Ok, so you've detected an intrusion... (0)

Anonymous Coward | more than 11 years ago | (#4646905)

What does this have to do with the post you responded to? (and of course you can change the MAC of just about any network gear that exists)

Re:Ok, so you've detected an intrusion... (0)

Anonymous Coward | more than 11 years ago | (#4647172)

Technically you can't. The MAC addresses are burned into a PROM on the board. But you can spoof it. I know it's just a technicality, but you brought it up.

Re:Ok, so you've detected an intrusion... (0)

Anonymous Coward | more than 11 years ago | (#4646588)

All NICs allow you to change the MACs anymore, since some of the original set is starting to be reused.

Not to mention a hacker would never use his real MAC since that's traceable to a receipt.

Re:Ok, so you've detected an intrusion... (0)

Anonymous Coward | more than 11 years ago | (#4646956)

Not to mention a hacker would never use his real MAC since that's traceable to a receipt.

A lot of people seem to think so -- however, the reality is that this is _extremely_ unlikely to produce any practical leads.

Re:Ok, so you've detected an intrusion... (0)

Anonymous Coward | more than 11 years ago | (#4646664)

No, seriously, what do you do once you've detected unauthorized access short of looking out your window for a guy with a Pringles can?

That's where the sniper rifle comes in.

No, I don't like people hacking my network.

Not necessarily possible? (4, Interesting)

Anonymous Coward | more than 11 years ago | (#4646384)

Uh, as I understand it (at least with the Cisco/Aironet clients), when you use netstumbler/kismet/whatever, the client card is in RF_MON mode, and is entirely passive. I don't know what signs of entry you're gonna see from a passive (listen-only) radio, but...

Re:Not necessarily possible? (1)

mobilinux (160814) | more than 11 years ago | (#4646469)

What about a high gain receive antenna hooked up to a highly sensitive RF receiver trying to identify local oscillator emissions out of the listening client card? In simple terms, what about a detector similar to a "radar detector detector"? Also any RF_MON mode client card is going to be actively scanning the different channels (leading to differing oscillator frequencies). If you know your legitimate clients are not operating in that channel, and if you have a really focused antenna, you could even catch the intruder by moving the antenna for max signal strength of the oscillator emission.

Re:Not necessarily possible? (1)

mobilinux (160814) | more than 11 years ago | (#4646531)

I forgot to mention that once you've identified a rogue receiver, you could then stop the transmission in that particular direction or just transmit false data. It would be even better if you could start switching the WEP keys in sync with the legitimate clients (or) encrypt the traffic on the fly. If not, you can also think of sending a shutdown signal to legitimate clients and then zap a high energy RF pulse in the direction of maximum signal strength to burn out the front end of the rogue client; it would then become easy to spot the intruder visually with the smoking card! Then continue regular transmission once the offending oscillator signal is absent.

Re:Not necessarily possible? (1)

mobilinux (160814) | more than 11 years ago | (#4646584)

Actually the zapping could be made much easier if you could use additional high gain receivers (or switch a single receiver between multiple antennas) to locate the intruder by triangulation and immediately activate a focussed beam of high energy RF (high gain electronically controlled phased array antenna?) to cripple the receiver without impairing ongoing sessions with other authorized clients.

Re:Not necessarily possible? (0)

Anonymous Coward | more than 11 years ago | (#4646592)

You're a fucking troll idiot.
I will however placate you and say this:

If it's passive it will not be picked up by your scheme, you are plain wrong.

go fucking die microsoft weenie.

Re:Not necessarily possible? (1)

mobilinux (160814) | more than 11 years ago | (#4647027)

If you are thinking of using yet another el-cheapo card as a detector for the local oscillator emission, it may not work. If you ever knew about how a receiver works (direct conversion, superhet etc.) you will understand what I mean. You do need dedicated h/w for doing it. Also you should remember there is no limit on the receiver antenna gain by FCC. With the current advances in DSP, RF device technologies, electronically controlled phased array antennas and liquid nitrogen cooled RF LNAs, nothing is impossible. I could build you one, if you could pay me $$$$$, even out of off-the-shelf components!

Re:Not necessarily possible? (1)

Lumpy (12016) | more than 11 years ago | (#4647002)

pretty close... in fact if you are using an external antenna to snoop you can easily use a simple diode to eliminate any outgoing signals or even better, use a receive preamp... no reverse signals going out there.. and no matter what MoJo you try you are NOT going to detect a receiver.

if I sniff long enough, I can crack your encryption and cause utter hell the very first time I transmit.

how about instead of trying to play spy, the WIFI owners make it secure? Nahhh, makes too much sense.

Re:Not necessarily possible? (1)

wirelessbuzzers (552513) | more than 11 years ago | (#4647171)

if I sniff long enough, I can crack your encryption...

how about instead of trying to play spy, the WIFI owners make it secure? Nahhh, makes too much sense.

You answered your own question. Hard to make it secure if they can crack your encryption, say with AirSnort. The protocol needs better encryption on it, simple as that.

in other news (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4646411)

NEW YORK -- Michael Capellas quit Monday as the No. 2 executive at Hewlett-Packard Co. just hours after a newspaper reported he is a leading candidate to take over troubled WorldCom Inc.

The news sent shares of the top printer maker and No. 2 personal computer company down sharply.

Newspapers, including the Wall Street Journal, on Monday reported that Capellas was the top candidate to take over John Sidgmore's chief executive officer job at WorldCom Inc. , which has filed for bankruptcy.

WorldCom, the telecommunications giant that has racked up more than $9 billion in accounting problems, declined to comment. Sidgmore had been looking for a replacement since Sept. 10, when he said he would step down.

Capellas will also leave the company's board of directors, HP said, and the president spot will not be refilled.

While some investors and analysts said Capellas' departure had been expected, one analyst said his leaving was a negative for the stock because he had been in charge of operations and was helping to drive revenue growth to HP's promised targets.

The announcement from HP pushed its shares down by more than 10 percent in morning trading, making it both the most actively traded stock and the biggest percentage loser on the New York Stock Exchange.

An HP spokeswoman declined to comment on whether Capellas was headed for WorldCom. She said the move is effective December 1.

Capellas, who was previously chief executive officer of Compaq, has reported to Carly Fiorina, HP's Chief Executive Officer since HP bought Compaq in May after an extended, messy battle with HP shareholders.

Fiorina said Capellas' departure came as the company meets its targets for integrating the two companies. For instance, in order to win shareholder approval for the deal, the companies vowed to meet targets such as cutting 15,000 jobs this year.

Investors and analysts said that Capellas' departure was not unexpected. Capellas had been promoted to Chief Executive Officer at Compaq in 1999 and had been welcomed by investors who viewed him as a competent manager, one investor said.

"He did have a period of time of being No. 1 and calling the shots at Compaq," said John Rutledge, a portfolio manager at Evergreen Technology who owns HP shares. "I think for anybody who is capable and like that, moving back into the No. 2 shot after the merger, he probably was willing to look at opportunities."

The move could indicate that Hewlett-Packard is going to report strong quarterly results next week, one analyst said.

Detecting 802.11 Discovery Apps (1)

SEWilco (27983) | more than 11 years ago | (#4646415)

Don't we have to wait for Discovery to be launched before we can detect its applications?

oh oh... (2, Funny)

citroidSD (517889) | more than 11 years ago | (#4646424)

This whitepaper is published in PDF format, so it must be serious! Unlike those HTML white papers written by script kiddies....

HTML mirror (for us script kiddies) (1)

RobertB-DC (622190) | more than 11 years ago | (#4646829)

In case you don't happen to have a loaded Acrobat (loaded acrobat? don't let him on the high wire!), or if you can't bear to wait for Adobe's disclaimers to load, here's a quick-n-dirty HTML mirror of the .pdf file. Ugly as sin: did it by pasting the text into Notetab and using "convert to HTML".

Yes, it's on Tripod, so beware the popups and banners. Whaddya expect from us skr1pt k1dd13z?

A victory for the RIAA (0, Flamebait)

Istealmymusic (573079) | more than 11 years ago | (#4646436)

This 802.11 discovery application detection is clearly a victory for the RIAA, MPAA, BSA, and associated subsidies such as AOL/Time-Warner and Microsoft. As all MP3 goonies know, illicit data is often served from hacked sites. Wireless at 11Mbps is elusive to the warez community, and by detecting this it may be possible for anti-warez busters to detect warez d00ds on the spot, decloaking their IP-based anonymity due to 802.11's cellular IP range.

securing (2)

_ph1ux_ (216706) | more than 11 years ago | (#4646447)

so how do you actually secure the WiFi network.

Let's say I have DSL at my 5th floor apt. in downtown SF - I put a WiFi antenna up so I can roam to the cafe across the street - how do I keep any others off my network? Cheaply?

Re:securing (2)

sluggie (85265) | more than 11 years ago | (#4646476)

only allow the MACs of your PDA/notebook/cellphone to connect and get an ip...

sorry for the one liner, but pulling this off is very OS dependent, thus out of the scope of this posting.

Re:securing (2, Informative)

rlangis (534366) | more than 11 years ago | (#4646501)

Not really. My RG-1000 AP has this ability in the firmware. Speaking of which, I really should enable that... ;)

Re:securing (3, Insightful)

spinlocked (462072) | more than 11 years ago | (#4646666)

...only allow the MACs of your PDA...

Meanwhile I'll be a hypothetical man in a black hat at another table. I'll be watching you through two holes cut in a newspaper. When you've finished and switched off your PDA/notebook/whatever, I'll assume the MAC address which my PDA recorded you were using and start to upload illegal things through your DSL line. If you are using WEP, it'll take a hundred meg or so of your data to be transferred before I've got your key.

Don't rely on MAC address filtering or WEP, this stuff was poorly thought out to start with. Use IPSec or SSH tunnels if you can, or failing that firewall off your access point from the rest of your apartment network and treat it like any other public network - insecure.
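Both Lumpy's "if I sniff long enough, I can crack your encryption" above and the post just above this one rest on the same property of WEP: RC4 keyed with a 24-bit IV prepended to a static shared key. The "hundred meg" figure refers to the weak-IV (Fluhrer, Mantin and Shamir) attack that AirSnort implements, which is not reproduced here; this added example (not the posters' code and not from any tool named on the page) shows the simpler consequence of the small IV space, which is what makes a passive sniffer dangerous even before key recovery. Two frames encrypted under the same IV share a keystream, so XORing the ciphertexts cancels it and yields the XOR of the plaintexts; knowing (or guessing) one frame reveals the other. The shared key, IV and frame contents are constructed for the example; the CRC-32 ICV that real WEP appends is omitted because it does not change the result.

```python
import math


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key-scheduling algorithm followed by the PRGA XORed over data."""
    S = list(range(256))
    j = 0
    for i in range(256):                                  # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                     # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP per-packet key is IV || shared key; the IV travels in clear in front of the data.
    The CRC-32 ICV real WEP appends to the plaintext is left out here."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + shared_key, plaintext)


def keystream_cancels(c1: bytes, c2: bytes):
    """If two captured frames carry the same IV, C1 xor C2 == P1 xor P2.
    Returns None when the IVs differ, because then nothing cancels."""
    if c1[:3] != c2[:3]:
        return None
    return bytes(a ^ b for a, b in zip(c1[3:], c2[3:]))


def recover_with_known_plaintext(c1: bytes, c2: bytes, known_p1: bytes):
    """Given one frame's plaintext (e.g. a predictable HTTP request), expose the other."""
    xored = keystream_cancels(c1, c2)
    if xored is None:
        return None
    return bytes(a ^ b for a, b in zip(xored, known_p1))


def frames_until_iv_collision(iv_bits: int = 24) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^bits) random IVs give a 50% chance of a repeat.
    Cards of the period that reset the IV counter to zero on initialisation repeat far sooner."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


# Constructed sample values (not a real key or real captured traffic).
SHARED_KEY = bytes.fromhex("0123456789abcdef0123456789")   # 104-bit "WEP-128" key
REUSED_IV = b"\x00\x00\x01"
P1 = b"GET /secret.html HTTP/1.0"     # guessable request from the victim's browser
P2 = b"password=hunter2&login=go"     # same length, sent later under the same IV


def run_sample() -> bytes:
    """Encrypt both frames under the reused IV and recover P2 knowing only P1 and the air."""
    c1 = wep_encrypt(REUSED_IV, SHARED_KEY, P1)
    c2 = wep_encrypt(REUSED_IV, SHARED_KEY, P2)
    return recover_with_known_plaintext(c1, c2, P1)


if __name__ == "__main__":
    print("recovered:", run_sample())
    print("frames for 50% IV-collision chance: %.0f" % frames_until_iv_collision())
```

The sniffer needs only the two frames and one plausible plaintext; it never learns the shared key and never transmits, so nothing in the detection discussion above would see it. That is the gap the post's advice about IPsec or SSH tunnels closes: the per-session keys those protocols negotiate are not shared across stations and are not reused.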

Re:securing (2)

sluggie (85265) | more than 11 years ago | (#4646820)

while your points are really valid here, I was talkin about keepin some kids from using your bandwidth, not stopping your favourite spy agency... ;)

Re:securing (1)

quintessenceofdust (604895) | more than 11 years ago | (#4646768)

MAC filtering doesn't actually work. On cheap APs, you can have multiple identical MACs. There is no state table for MAC addresses on those APs, it's simply a variable.

Re:securing (1)

mobilinux (160814) | more than 11 years ago | (#4646606)

you could use mac address filtering and all other provisions of security (such as 128Bit WEP with shared authentication only) and use IPSEC to encrypt the entire traffic. If not you could just create an ssh tunnel. Time to get a linux tablet PC?

Re:securing (1)

spoirier (624949) | more than 11 years ago | (#4646729)

Don't forget to change the standard SSID to something not easily guessed and turn off SSID broadcast. Use 128bit WEP as well. You will have to tell your PC what the SSID and WEP codes are for this to work but it should keep the average hacker out of your system. You should probably change your WEP code periodically just in case someone does manage to detect your setup and crack the WEP code.

Yeah, but... (1)

BrunoC (540199) | more than 11 years ago | (#4646453)

what about forged MAC Addresses? Sure, it's more than the average Wardriver would do to get access, but changing MAC's isn't _that_ hard. But this is a neat white paper though.

Re:Yeah, but... (1)

quintessenceofdust (604895) | more than 11 years ago | (#4646585)

Not only is it not difficult to forge your MAC, most (low-end) APs, with MAC filtering turned on, won't notice if you have two of the same MACs on at the same time. We've tested this, with some success. One would think it'd cause an ARP storm however...

how about totally passive eavesdropping? (2, Insightful)

gl4ss (559668) | more than 11 years ago | (#4646473)

can't detect that, right?

and when they're using info found with it it's too late, right?

better have it secure in the first place..
i got a system like this on my door, if it's busted, i've been robbed.

Ok, so you have detected an intrusion.... (3, Funny)

Anonymous Coward | more than 11 years ago | (#4646508)

What do you do now?
Go outside and kick ass on the guy with the laptop?

You could sneak up behind him and strangle him with all that extra cat-5 you have lying around now.

EMP (1, Funny)

zonker (1158) | more than 11 years ago | (#4646911)

well you could remove the threat completely with the help of a three letter friend.

AP Radar (5, Informative)

dgp (11045) | more than 11 years ago | (#4646539)

A new style of network discovery is available in the linux 2.5 kernel and in 2.4.20. Jean Tourrilhes' []
Wireless Extensions for Linux version 14 and later contains a method to scan all channels for access points for a short period of time, then return to the wireless card's original state. This is implemented in the wireless drivers themselves so it works with any model of card. The 'iwlist' utility in the newer wireless tools suite will show this functionality.

There is a GTK+ application I have written called AP Radar that also makes use of this functionality. This utility has just reached a point where it can replace the need to run iwconfig and a DHCP client. Start the application and click on the ESSID that you want to associate to. AP Radar will set the ESSID and Mode of the wireless card, and launch a DHCP client (pump). It's meant as an end-user tool to simplify the process of connecting to an access point rather than a full-featured net stumbler.

The advantage to using AP Radar over a full blown net stumbler like kismet is that you stay associated with the access point you are using, while still scanning for new APs in the area. With kismet and the others, your association is lost and you must reconnect after you're done scanning.
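An added example (not code from AP Radar or the wireless-tools suite) that parses the `iwlist scan` output mentioned above into records and, following the WEP and default-SSID advice earlier in the thread, lists the access points a scan shows still running open or under a factory name; the sample scan text and the DEFAULT_ESSIDS list are constructed for this example.

```python
"""Parse `iwlist <iface> scan` output (Wireless Extensions v14+) into
records and list access points running without WEP or with a factory
ESSID.  Added example, not code from AP Radar or the wireless-tools
suite; the scan text below is constructed in the layout iwlist uses and
DEFAULT_ESSIDS is this example's own short list of factory names.
"""
import re

SAMPLE_SCAN = """\
eth1      Scan completed :
          Cell 01 - Address: 00:04:5A:11:22:33
                    ESSID:"linksys"
                    Frequency:2.437 GHz (Channel 6)
                    Quality=31/70  Signal level=-79 dBm
                    Encryption key:off
          Cell 02 - Address: 00:02:2D:44:55:66
                    ESSID:"office-bridge"
                    Frequency:2.462 GHz (Channel 11)
                    Quality=58/70  Signal level=-52 dBm
                    Encryption key:on
"""

CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")
FIELD_RES = {
    "essid": re.compile(r'ESSID:"([^"]*)"'),
    "channel": re.compile(r"\(Channel (\d+)\)"),
    "encryption": re.compile(r"Encryption key:(on|off)"),
    "signal_dbm": re.compile(r"Signal level=(-?\d+) dBm"),
}
DEFAULT_ESSIDS = {"linksys", "default", "tsunami", "wireless"}

def parse_iwlist_scan(text):
    """One dict per 'Cell' block; numeric fields are converted to int."""
    cells = []
    for line in text.splitlines():
        m = CELL_RE.search(line)
        if m:                      # a new cell starts; later lines belong to it
            cells.append({"address": m.group(1).lower()})
        elif cells:                # skip the interface header before the first cell
            for key, rx in FIELD_RES.items():
                f = rx.search(line)
                if f:
                    v = f.group(1)
                    cells[-1][key] = int(v) if key in ("channel", "signal_dbm") else v
    return cells

def weak_access_points(cells):
    """Addresses of APs with WEP off or a default ESSID (the thread's two warnings)."""
    return [c["address"] for c in cells
            if c.get("encryption") == "off" or c.get("essid", "").lower() in DEFAULT_ESSIDS]
```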

Re:AP Radar (2)

dgp (11045) | more than 11 years ago | (#4646735)

An earlier post talked about triangulating the location of wireless users. Note that AP Radar does not do spatial positioning of an access point. The 'Radar' part of the name is just a name :)

Detecting apps, use ps command (1)

maxwells_deamon (221474) | more than 11 years ago | (#4646593)


ps -ef | grep -i nets...

to determine if you are running one of these applications

Re:Detecting apps, use ps command (0)

Anonymous Coward | more than 11 years ago | (#4646706)


Hackers and Slackers (-1, Troll)

First_In_Hell (549585) | more than 11 years ago | (#4646655)

What a waste! Once again companies are going to spend millions policing and monitoring this stuff, and quite frankly, what does it have to do with their core business? Look at Anti-Virus software . . . that business is huge if you do not have some sort of client running . . you are DEAD. Our corporate virus server gets 50+ viruses a day (all from marketing and sales' e-mails)

At my company, we spent thousands alone to monitor web access. You know what happened? We just ended up firing people we already knew did nothing anyway (some interesting reading in those logs though).

Then the jackasses downloaded some patch to get by it. Then the IT department (us) had to come up with a fix for that, and so on. It just ended up wasting time when no real work is getting done.

Sorry to go off on a tangent, but it looks like this is another case of stupid ass people (be it hackers or slackers) eating up business' time and money when it could be spent doing something real.

By next year there will be devices on the market just for sniffing out these intruders, just like McAfee charges $25,000 for their firewall solution.

Re:Hackers and Slackers (1)

micahmicahmicah (600841) | more than 11 years ago | (#4646684)

I would recommend your company invest in Intel's LANDESK Suite, makes it very easy to monitor who is running what. You can have it build reports, or sit and watch suspicious users. It is also a great utility that has saved me lots of waiting for elevators and running up and down flights of stairs. I must have gained at least 10 pounds thanks to LANDESK!

Re:Hackers and Slackers (0)

First_In_Hell (549585) | more than 11 years ago | (#4646699)

What type of cost does this incur? Is it expensive to implement? I always notice that these companies make you pay through the nose for applications like these.

Detection is a reality now, but defense? (3, Interesting)

Adam9 (93947) | more than 11 years ago | (#4646674)

I did some looking around on Google and found this paper, which briefly covers the subject by suggesting a "security mesh" to prevent unauthorized access to WLANs. Anyone with some insight in how [cost] effective this may be, or if there are any other solutions out there?

hopeless (3, Interesting)

metalpet (557056) | more than 11 years ago | (#4646693)

Any WEP based network can be compromised by passively sniffing enough packets. After that initial work, the network is entirely open. At that point, the attacker cannot be detected by any means, yet he can sniff pretty much anything he wants.

That alone is a very good reason to NOT plug a wireless access point to an internal network. If you don't have some sort of firewall between your access point and your internal network, you might be underqualified for your job.

Given that, yes, you can detect freeloaders that are using your access point to surf the net. You cannot really block them, as MAC addys are easy to change. If that's really an issue, have the wireless network connected to nothing BUT your firewall, then force any wireless user to authenticate through the firewall you wisely installed. From there, it's a lot easier to monitor what happens to the firewall.

I guess the detection technique is mostly useful for statistical purposes, as previous posts have mentioned.

Security for WLAN's - Smack your closest vendor (5, Informative)

jjackson (83961) | more than 11 years ago | (#4646748)

I am currently in an email conversation with LinkSys over the topic of securing a small WLAN that I set up to link my home network to my office (in a house across the street) and ran into a real problem with their WAP11 v2.2 AP's.

With 2 AP's set up in ethernet bridge mode (Shick as Slit!), if I enable WEP, the AP's encryption will get out of sync in very short order under heavy traffic loads (such as FTP'ing a file across the network at full speed). Once out of sync, I have to reset both AP's. With WEP disabled, the AP's perform OK.

After several tests I was able to reproduce these results each and every time... so I emailed LinkSys about their broken WEP support. Here is the response I got:

Dear Mr. Joshua,

Thank you for contacting Linksys Customer Support.

With regard to the problem, can you provide the complete set up of your
network? About WEP, it is advised that you disable WEP keys in your access
point to avoid possible degradation of wireless transmission. The encryption
causes your network to slow down in terms of wireless transmission because
prior to transmission, the data are encrypted and decrypted at the receiving
end. Hence, the result is to slow the efficiency of your data transfer. For
a small network where there aren't much important files to be transferred,
it is advised that WEP keys are disabled.

About the firmware, the access point should have no problem connecting to
one another although they have different firmwares.

Have a nice day!


Glythel Ria M. Penus
Product Support Representative

If you are wondering what the firmware issue is about, I noticed that one of the new AP's came with an undocumented revision of the firmware (1.01f), so I attempted to downgrade it to the version listed on their web site (1.01c), which also happens to be the version that the other AP is running. It won't do a downgrade.

So, for my solution, I used a firewall product that my company has developed to run IPSEC across an unsecured wireless link. Fortunately, in bridge mode, the Linksys AP's will only connect to another WAP11 that has its MAC specified in the allowed list.

Even if this wasn't my business LAN, how many people that need a wireless network never transfer anything "important"? More to the point, how many people don't care if the neighbor leeches Internet service off of the cable modem that they are paying for?

This is not the first time I have seen this idiocy come from a vendor... my brother in law was recently instructed to remove the last several Windows Critical Updates from his Windows 2000 computer by an M$ phone-monkey, telling him that if it wasn't broke in the first place, that he shouldn't have tried to fix it.

KIsmet saves the day (4, Informative)

Phork (74706) | more than 11 years ago | (#4646785)

The key point of this paper is that you can't detect passive monitoring (RFMON mode), so tools like kismet which use it are not detectable. The only way to mess with these types of tools is to send out falsified data to confuse the scanner, but this will still not let you detect them.

Re:KIsmet saves the day (2, Insightful)

mobilinux (160814) | more than 11 years ago | (#4646880)

It is still possible to detect a client in RFMON mode by using a very high gain antenna combined with some DSP to identify a possibly listening 802.11 receiver, since there is no FCC regulation for a receiving antenna gain :)

Re:KIsmet saves the day (2)

suwain_2 (260792) | more than 11 years ago | (#4646952)

This might "work," but it seems rather farfetched... Isn't there a huge potential for interference as well? And it seems ridiculous to have people going around with massive high-gain (which usually, though not necessarily, infers a highly-directional antenna) antennas trying to find people sniffing their networks. Unless you have *really* secret data, this is probably overkill; if I was going to do this, I'd just run fiber... :)

Re:KIsmet saves the day (2)

Phork (74706) | more than 11 years ago | (#4646979)

Please show me an omnidirectional antenna with high gain (> 20 dB). I would like to purchase one.

Re:KIsmet saves the day (3, Informative)

suwain_2 (260792) | more than 11 years ago | (#4647053)

That was sort of my point -- omnis don't have the gain of a directional antenna. You can get a fairly high-gain omni (11 dBi+), but they're things like stacked collinear, and I'm not sure if anyone makes anything of that sort for the 2.4 GHz (802.11b) band. (I suppose it'd be pretty short, though.) Anyway, sorry if I wasn't too clear in my original post. If you find one, I'll buy a few too. ;)

Re:KIsmet saves the day (1)

mobilinux (160814) | more than 11 years ago | (#4647109)

I am in the process of building one (stacked and phased collinear antenna) using inexpensive materials, for a would-be secure community network. If you are interested, let me know.

Re:KIsmet saves the day (2)

suwain_2 (260792) | more than 11 years ago | (#4647176)

This is a neat idea, although I can't honestly say I'd have any use for it -- I don't use any wireless products. (Although I do have a long-standing obsession with starting a wireless ISP...) If you happen to put up a webpage on it or something, I'd love it if you'd send me a link. (But don't make it just for me or anything.) Is it receive-only?

Re:KIsmet saves the day (1)

mobilinux (160814) | more than 11 years ago | (#4647061)

You don't really need an omnidirectional antenna; you could always use a switched parabolic antenna, or even a rotating one. We are talking about the ability to identify a potential listener and not talking about some RF glitch caused by a solar flare!

Re:KIsmet saves the day (3, Informative)

Phork (74706) | more than 11 years ago | (#4647030)

You're totally right on this, and theoretically it would work. A technique similar to this was used in some place (I'm thinking it was the UK) to detect unlicensed shortwave receivers. Basically how it worked was they went around with RDF (radio direction finding) gear tuned to common IFs (intermediate frequencies; if you don't know what this means, read a tutorial on heterodyne). I'm not sure what kind of demodulating technique is used in 802.11b cards, so that technique may or may not work. I think I'm going to have to investigate this.

Re:KIsmet saves the day (0)

Anonymous Coward | more than 11 years ago | (#4646890)

And no one in their right mind would send out falsified data. Not only would this degrade the performance of the network but it would also be ineffective as a smoke screen against an intelligent attacker.

Re:KIsmet saves the day (2)

Phork (74706) | more than 11 years ago | (#4646965)

There was an article on Slashdot a few months ago about an application called fakeAP, which used the host_ap mode driver to send out ESSID broadcast packets to just fill up logs in wireless scanners. Also you could just do things like send out one fake DHCP offer per second; this would not severely degrade network traffic, but would confuse kismet. Or even one fake UDP packet per second would do the trick, or a few fake LLC broadcasts.

Re:KIsmet saves the day (1)

zenst (558964) | more than 11 years ago | (#4647177)

Indeed, or they would be prosecuting people with microwaves and fluorescent lights for having DoS tools.

My Whitepaper (5, Funny)

suwain_2 (260792) | more than 11 years ago | (#4646881)

That's funny, I'm working on a similar whitepaper: Detecting 802.11 Detector Detectors, to detect people trying to detect people trying to detect 802.11 networks. Included is some sample code to detect the detector detectors, but it seems to get into a nasty infinite loop, and I can't figure out why.

Anyone else have enough to worry about? (3, Insightful)

indiigo (121714) | more than 11 years ago | (#4646886)

Looking at wireless over the last two years is just mind boggling. There's no way to stay up to date on the latest security hacks and updates and firmware and make sure your mac addresses are in a database and this and that. It hardly seems worth the effort. Hell it's easier just bringing a spindle of cat6 and wiring up 1000bt or better around with you than deal with the networking mess.

[preaching] share the bandwidth! (5, Interesting)

mocktor (536122) | more than 11 years ago | (#4647024)

In response to all the people posting "so how do i stop evil k1dd135 using my bandwidth?": why not just stick to secure (ssh, https) protocols and share it?

Granted this isn't suitable for a lot of business networks, but still - wouldn't it be cool if you could walk down the street and stay connected to icq without getting your ass kicked?