Detecting 802.11 Discovery Apps
Joshua Wright writes "I have written a white paper on detecting 802.11 Wireless LAN Network Discovery applications.
Wireless LAN discovery through the use of applications such as NetStumbler, DStumbler, Wellenreiter and others is an increasingly
popular technique for network penetration. The discovery of a wireless LAN might be used for seemingly innocuous Internet access, or to be used as a "backdoor" into a network to stage an attack. This paper reviews some of the tactics used in wireless LAN network discovery and attempts to identify some of the fingerprints left by wireless LAN discovery applications, focusing on the MAC and LLC layers. This fingerprint information can then be incorporated into intrusion detection tools capable of analyzing data-link layer traffic."
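The submission describes folding data-link-layer fingerprints of discovery tools into an IDS. As an added illustration (not code from the paper, and not any of the tools it names), here is a small Python detector that parses raw 802.11 management frames, picks out probe requests, and flags any source MAC that sends a burst of broadcast (empty-SSID) probe requests, which is the active-scanning behaviour stumbler-style tools rely on. The frame builder, the sample capture, the MAC addresses and the window/threshold values are all constructed for this example; a real deployment would feed it frames from a monitor-mode capture and tune the threshold to the site.

```python
"""Flag hosts that actively scan for 802.11 networks by counting broadcast
probe requests per source MAC.  Added example, not the paper's own code;
all frames, addresses and thresholds below are constructed for illustration."""
import struct
from collections import defaultdict

PROBE_REQ = (0, 4)  # 802.11 management type 0, probe-request subtype 4


def parse_mgmt_frame(frame: bytes):
    """Parse the fixed 24-byte 802.11 management header.

    Returns (type, subtype, source_mac, body) or None if the frame is too short.
    Header layout: FC(2) Duration(2) Addr1(6) Addr2=SA(6) Addr3(6) SeqCtl(2).
    """
    if len(frame) < 24:
        return None
    fc = frame[0]
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    src = frame[10:16]
    return ftype, subtype, src, frame[24:]


def probe_ssid(body: bytes):
    """Walk the tagged parameters of a probe-request body and return the SSID.

    b'' means a broadcast (wildcard) probe; None means no SSID element at all.
    """
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if tag == 0:  # element ID 0 is the SSID
            return value
        i += 2 + length
    return None


def mac_str(mac: bytes) -> str:
    return ':'.join(f'{b:02x}' for b in mac)


def flag_scanners(frames, window_s=10.0, threshold=5):
    """Return {source_mac: max_count} for sources that send at least `threshold`
    broadcast probe requests inside any `window_s`-second sliding window.

    `frames` is an iterable of (timestamp_seconds, raw_frame_bytes).
    The window and threshold are assumed values, not figures from the paper.
    """
    per_src = defaultdict(list)
    for ts, raw in frames:
        parsed = parse_mgmt_frame(raw)
        if parsed is None:
            continue
        ftype, subtype, src, body = parsed
        if (ftype, subtype) != PROBE_REQ:
            continue
        if probe_ssid(body) == b'':  # wildcard probe: the active-scan signature
            per_src[src].append(ts)

    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[mac_str(src)] = best
    return flagged


def build_probe_request(src: bytes, ssid: bytes, seq: int) -> bytes:
    """Build a constructed probe-request frame: FC 0x40 (type 0, subtype 4),
    broadcast DA and BSSID, the given SA, then SSID and Supported Rates elements."""
    hdr = (struct.pack('<BBH', 0x40, 0x00, 0) + b'\xff' * 6 + src + b'\xff' * 6
           + struct.pack('<H', seq << 4))
    body = bytes([0, len(ssid)]) + ssid + bytes([1, 4, 0x82, 0x84, 0x8b, 0x96])
    return hdr + body


# Constructed sample capture: one host firing wildcard probes once a second,
# one ordinary client probing for a specific SSID.  Addresses are made up.
SCANNER = bytes.fromhex('001122334455')
CLIENT = bytes.fromhex('00aabbccddee')
SAMPLE_CAPTURE = (
    [(float(i), build_probe_request(SCANNER, b'', i)) for i in range(8)]
    + [(2.5, build_probe_request(CLIENT, b'corp', 1)),
       (9.0, build_probe_request(CLIENT, b'corp', 2))]
)

if __name__ == '__main__':
    for mac, count in flag_scanners(SAMPLE_CAPTURE).items():
        print(f'possible WLAN discovery tool: {mac} ({count} wildcard probes)')
```

The directed probes from the client are ignored because they carry an SSID; only the wildcard burst trips the rule. The caveat from the thread still applies: a tool that stays in monitor mode and never transmits leaves nothing at this layer to count.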
Wrong approach (Score:4, Insightful)
Ok, so you've detected an intrusion... (Score:5, Insightful)
Normally, when you detect an intrusion, you have an IP address, you find its owner, and then try to determine who was using that address at the time of detection, and hopefully prosecute. It just seems to me that with 802.11, your best bet is to secure the thing rather than trying to figure out whose PDA inside a backpack is polling your network.
Don't route his packets (Score:4, Insightful)
how about totally passive eavesdropping? (Score:2, Insightful)
And when they're using info found with it, it's too late, right?
Better have it secure in the first place.
I've got a system like this on my door: if it's busted, I've been robbed.
Re:securing (Score:3, Insightful)
Meanwhile I'll be a hypothetical man in a black hat at another table. I'll be watching you through two holes cut in a newspaper. When you've finished and switched off your PDA/notebook/whatever, I'll assume the MAC address which my PDA recorded you were using and start to upload illegal things through your DSL line. If you are using WEP, it'll take a hundred meg or so of your data to be transferred before I've got your key.
Don't rely on MAC address filtering or WEP, this stuff was poorly thought out to start with. Use IPSec or SSH tunnels if you can, or failing that firewall off your access point from the rest of your apartment network and treat it like any other public network - insecure.
Re:Kismet saves the day (Score:2, Insightful)
mode by using a very high gain antenna combined with some DSP to identify a possible listening of an 802.11 receiver since there is no FCC regulation for a receiving antenna gain :)
Anyone else have enough to worry about? (Score:3, Insightful)
Re:Not necessarily possible? (Score:3, Insightful)
Not hardly!
A diode preferentially passes DC current in one direction. This is RF current.
Normally you will get some isolation from the receiver's RF amplifier (if it has any).
Beyond that, you can use a device called a circulator - a magical waveguide/magnet thingie that allows RF at the appropriate frequency to only propagate one way through it.
These things are *not* cheap, BTW, but are commonly used in repeater systems.