Detecting 802.11 Discovery Apps

Joshua Wright writes "I have written a white paper on detecting 802.11 Wireless LAN Network Discovery applications. Wireless LAN discovery through the use of applications such as NetStumbler, DStumbler, Wellenreiter and others is an increasingly popular technique for network penetration. The discovery of a wireless LAN might be used for seemingly innocuous Internet access, or to be used as a "backdoor" into a network to stage an attack. This paper reviews some of the tactics used in wireless LAN network discovery and attempts to identify some of the fingerprints left by wireless LAN discovery applications, focusing on the MAC and LLC layers. This fingerprint information can then be incorporated into intrusion detection tools capable of analyzing data-link layer traffic. "


  • by z-kungfu ( 255628 ) on Monday November 11, 2002 @06:50PM (#4646274)
    ...in their detecting detectors?, or are the detectors detecting only getting detected once? anyway you put it that's a lot of detecting detectors and vice versa...
  • Yeah... (Score:4, Funny)

    by Anonymous Coward on Monday November 11, 2002 @06:51PM (#4646286)
    My girlfriend gets pissed anytime I even mention backdoor penetration...
  • Wrong approach (Score:4, Insightful)

    by bobthemuse ( 574400 ) on Monday November 11, 2002 @06:53PM (#4646310)
    Any 802.xx network near a public area is going to be stumbled upon eventually... why not encrypt your traffic rather than spending the time detecting some geek walking by with an 802.xx handheld running out of his bag?
    • That does not address the guy stealing all your bandwidth, only the guy trying to grab your data.
      • by upper ( 373 ) on Monday November 11, 2002 @07:14PM (#4646466)
        Put your wireless network segment behind a firewall which proxies encrypted SSH connections and passes nothing else.
      • Re:Wrong approach (Score:3, Informative)

        by g4dget ( 579145 )
        Sure it does: you use some form of VPN for clients on the wireless LAN. Only they can get routed anywhere.
      • Re:Wrong approach (Score:3, Interesting)

        by kwerle ( 39371 )
        Most of the geeks that fall into the "dubious social behavior" group fit into the jerk category, not the asshole category. My wireless is outside my firewall, and I VPN my connection. This is great because it also means that I can go wireless (or even cabled) anywhere and not worry about someone sniffing my traffic.

        If some geek passes by and wants to use some bandwidth, that's great. If it starts to happen a lot, I'll try to find them and work something out. With some luck, this happens 2-4 times, and we all agree to pitch in to get more bandwidth!
  • by cscx ( 541332 ) on Monday November 11, 2002 @06:54PM (#4646321) Homepage
    I just tend to look for the box on the wall plugged into an ethernet cable with the two antennae sticking out of it.
  • Love it. (Score:4, Funny)

    by geekd ( 14774 ) on Monday November 11, 2002 @06:56PM (#4646343) Homepage
    God damn, I love a good arms race.

    Are you a coder? Need work? Get involved at the beginning of an arms race such as this one. Employment for years and years. Get involved early enough, and soon you will be an "expert".

    Of course, there are more employment opportunities on the defensive side of the race, while the more fun side is the offense.

    • by Anonymous Coward
      Rejoice and make war your life:

      See Naqoyqatsi [naqoy.com]

      (Na-qoy-qatsi: (nah koy' kahtsee) N. From the Hopi Language.
      1. A life of killing each other. 2. War as a way of life. 3.
      (Interpreted) Civilized violence.
  • Arms Race (Score:3, Funny)

    by RAMMS+EIN ( 578166 ) on Monday November 11, 2002 @06:57PM (#4646349) Homepage Journal
    OK, here's another arms race.

    - With this anti-missile missile, we can intercept their missiles!
    * But what do we do if they build an anti-anti-missile-missile missile?
    - Simple, we build an anti-anti-anti-missile-missile-missile missile.
    * Ow...I have a headache.
  • by jki ( 624756 ) on Monday November 11, 2002 @06:57PM (#4646352) Homepage
    Your article was an interesting read. But what I would like to add is that it might be theoretically possible to physically position the intruder - especially, if you have made specific preparations for it (by placing a few extra access points as radars to do the triangle-mapping thing). You could use a tool like procycle [wlanbit.com] to do it for example. Then just dispatch your favorite security guards Igor and Vasili and let them do the rest :) Here's a clip from the Procycle page:

    Features: Measuring locations, Mapping, Data transfer tests, Producing quality survey reports, Graph. Requirements, Nokia 802.11b WLAN PCMCIA card, Windows 98/Me/NT/2000

    • by upper ( 373 ) on Monday November 11, 2002 @07:33PM (#4646594)
      If the intruder is sitting behind the dumpster typing on his laptop, and it's the middle of the night, then your security guards have a number of courses of action that could be quite effective. But if he's in a busy starbucks, appearing to mind his own business, what can the security guard practically do?

      I'd guess that you'd have enough data to show probable cause and get a warrant, but the latency is a bit long.

      I do agree that spatially locating the intruder would be useful. At the very least, it's another way of detecting (most) intruders. And if you really want to use location info to do the vigilante thing, maybe you could fry his wifi card with a few hundred watts of microwaves in a directed beam.

    • Perhaps some smart lad could come up with a way to filter out connection attempts being made from outside a physical perimeter?

      Ahhh....imagine the urban legends;

      The connection attempt...it's coming from inside the house!!
  • by lorcha ( 464930 ) on Monday November 11, 2002 @06:57PM (#4646355)
    ... now what? No, seriously, what do you do once you've detected unauthorized access short of looking out your window for a guy with a Pringles can?

    Normally, when you detect an intrusion, you have an IP address, you find its owner, and then try to determine who was using that address at the time of detection, and hopefully prosecute. It just seems to me that with 802.11, your best bet is to secure the thing rather than trying to figure out whose PDA inside a backpack is polling your network.

    • Ok, so you've ID'd an unauth. access. You block the MAC addr at the access point.
      The next problem is re-enabling a MAC Address when an authorized person either runs a sniffer for fun or generates a false-positive.
      • blocking a MAC addr is a bit like blocking an IP. it makes you feel good but doesn't really protect anything.
        even if the intruder is somehow unaware he can change his MAC address, he can still sniff your network traffic until the HD gets full.
        of course, if all the intruder was doing is passive sniffing, you wouldn't be able to detect it to start with.
    • or if they are a stupid script kiddie, you send him the "I love you virus".
    • Exactly. "Sir, can I look inside your bag? We think you've got a laptop trying to invade our WLAN". Eat me.

      There was a paper on how to track people scanning your WLAN by triangulating their location from several access points (here [interlinknetworks.com]), but that seems like an awful lot more effort than just securing the network in the first place.

      It might be useful for statistical interest (go to the boss asking for money because X number of people have been trying to hack the WLAN). Package it up and install it on a machine somewhere.

      Note that this won't pick up Kismet (not that anything will, short of scanning for moving RF emissions from a computer). But that's another point entirely.

    • The finger-print he was referring to on the MAC and LLC sublayers of the Data link layer (OSI model) is factory imprinted, so it's useful evidence to prosecute; with new network adapters, however, you can change your MAC address. So you'd have to apprehend the h4x0r before s/he escaped and was able to change their MAC. So I would assume that you'd catch them in the act, or at least filter traffic to not allow them onto your network.
    • Mirror Hotmail and Yahoo's login pages on a local server and collect passwords. Write 'creative' emails on their behalf to their friends and parents and (potential) employers.

      Rewrite stock quotes on the fly...

      Write a perl script that will rewrite outgoing POP emails
      (s/Regards,/I love you,/g is an old favorite of mine...)

      I figure if someone uses my network without asking for permission, I have the right to make them look like an idiot.

      • Good point. Don't trust data that's coming over some random network. If you want to do anything important, SSH to your home computer and do it there, so capricious net admins can't screw with you :)
    • Slingshot (or wristrocket depending on where you grew up)! Think about it. The person associated to your network has to be within 100 meters. Realistically, more like 35-50 meters if there's a wall / window / thin sheet of newsprint between him and the AP. Paint balls, small water balloons, or .50 caliber ball bearings aimed at that delicate LCD screen can make your network truly safe!

      The threat of unauthorized use of an AP is seriously overrated. Sure WEP can be cracked. But, Airsnort needs between 100 megs and 1 gig of honest data to crack 128-bit WEP. How long is it going to take you to gain that much data at 11 megabits per second? My ever so rough math says that to get a gig of data at 1.375 megabytes per sec (that is the equivalent of 11 megabits right? if not the point is still valid, even if the math is off) says you need about 12 minutes of just data. Try staying in range of an AP that long at 35 mph.

      Remember, most of that traffic isn't data, it's beacon frames. Just the AP announcing itself to the world. 128-bit WEP isn't secure enough to do business over. It's not even secure enough to call it encryption. It will, however, keep the average war driver off your network. I usually figure that if they've made an effort to secure the network, I should leave the network alone.

      Now, for all those AP's that register as F (factory default), well...those people were asking to have their MAC address added to their AP's banned list.......

  • by Anonymous Coward on Monday November 11, 2002 @07:01PM (#4646384)
    Uh, as I understand it (at least with the Cisco/Aironet clients), when you use netstumbler/kismet/whatever, the client card is in RF_MON mode, and is entirely passive. I don't know what signs of entry you're gonna see from a passive (listen-only) radio, but...
    • What about a high gain receive antenna hooked up to a highly sensitive RF receiver trying to identify local oscillator emissions out of the listening client card. In simple terms, what about a detector similar to "radar detector detector"? Also any RF_MON mode client card is going to be actively scanning the different channels (leading to differing oscillator frequencies). If you know your legitimate clients are not operating in that channel, and if you have a really focused antenna, you could even catch the intruder by moving the antenna for max signal strength of the oscillator emission.
      • I forgot to mention that once you've identified a rogue receiver, you could then stop the transmission in the particular transmission or just transmit false data. It would be even better if you could start switching the WEP keys in sync with the legitimate clients (or) encrypt the traffic on the fly. If not you can also think of sending a shutdown signal to legitimate clients and then zap a high energy RF pulse to the direction of maximum signal strength to burn out the frontend of the rogue client, it would then become easy to spot the intruder visually with the smoking card! Then continue regular transmission once the offending oscillator signal is absent.
        • Actually the zapping could be made much easier if you could use additional high gain receivers (or switch a single receiver between multiple antennas) to locate the intruder by triangulation and immediately activate a focused beam of high energy RF (high gain electronically controlled phased array antenna?) to cripple the receiver without impairing ongoing sessions with other authorized clients.
    • pretty close... in fact if you are using an external antenna to snoop you can easily use a simple diode to eliminate any outgoing signals or even better, use a receive preamp... no reverse signals going out there.. and no matter what MoJo you try you are NOT going to detect a receiver.

      if I sniff long enough, I can crack your encryption and cause utter hell the very first time I transmit.

      how about instead of trying to play spy, the WIFI owners make it secure? Nahhh, makes too much sense.
      • if I sniff long enough, I can crack your encryption...

        how about instead of trying to play spy, the WIFI owners make it secure? Nahhh, makes too much sense.

        You answered your own question. Hard to make it secure if they can crack your encryption, say with AirSnort. The protocol needs better encryption on it, simple as that.
      • Mu

        Not hardly!

        A diode preferentially passes DC current in one direction. This is RF current.

        Normally you will get some isolation from the receiver's RF amplifier (if it has any).

        Beyond that, you can use a device called a circulator - a magical waveguide/magnet thingie that allows RF at the appropriate frequency to only propagate one way through it.

        These things are *not* cheap, BTW, but are commonly used in repeater systems.
        • by Lumpy ( 12016 ) on Monday November 11, 2002 @09:46PM (#4647491) Homepage
          it's commonly called a can, and yes repeaters use them. 900 MHz and 1.2 GHz cans can be bought for peanuts at hamfests, while I wonder if a 2.4 GHz can is available let alone possible to tune with anything but a full service rf shop.

          the point is that with a receive preamp and a diode I can reduce the exciter's output to the point that you would either need a 900db gain antenna or be in my back pocket to detect it.

          I used to work at a Radar detector plant that designed radar detectors that were guaranteed not detectable. 90% of the work is making the thing RF tight in the first place... most consumer grade equipment is so crappily made they leak like wet paper bags full of melting jello.

          anyone interested in attacking an access point in such a manner will do it undetected until they strike, no matter what measures the target takes..

          It's simple spy vs spy stuff... been hashed over for decades....
          • Actually, a "can" is not a circulator, but rather a high-Q resonant cavity. They are very different things. A circulator is normally used for two purposes:
            1) keep energy received by the antenna from getting into the final amplifier and generating spurious products (which is why they are *required* at most shared sites)
            2) Protecting the transmitter from antenna failure, since the third terminal on the circulator is typically hooked to a dummy load.

            Cans are used to create narrow band filters. On a typical FM repeater, they are used to duplex the transmitter and receiver to the same antenna (and hence they form a "duplexer"). Additional cans may be used to further reduce spurious emissions, and to protect the receiver from known strong out-of-band signals.

            I assume by exciter you really mean local oscillator. And as I mentioned, the receive amp will in fact reduce the exciter output. The diode... well, why the heck would you put a diode in the circuit? It doesn't make any sense.

            LO leakage is a well known problem with any superheterodyne receiver design. There are a number of methods to solve it (including appropriate mixers, pre-amps, trapping out the RF frequency, etc). I have *never* heard of anyone suggest using a diode for that purpose. It just does not compute.

            The real problem with the approach of detecting the LO is that in any but the worst designed receiver, it will be way down in output power compared to the transmitter. Sniffing for LO's is thus inherently disadvantaged compared to sniffing for transmitters.
          • It's not a "can" (Score:3, Informative)

            by Andy Dodd ( 701 )
            It's a duplexer. Although the main components of a duplexer (resonant cavities, as another poster mentioned) are essentially large thick-walled cans. (Except supercheap poor-man's-duplexers made from coffee cans - They exist but they are pretty high-loss)

            These are usable in amateur applications because of the fact that repeaters transmit and receive on different frequencies. (Standard offset is 600 kHz in the 2 meter (144-148 MHz) band, 5 MHz in the 70 cm (440 MHz) band). 600 kHz is VERY close spacing at 144 MHz, which is why high-Q resonant cavities are needed, not L/C filters. They are needed because repeaters operate full-duplex (transmitting and receiving at the same time).

            Such a thing doesn't exist for WLAN cards because of the fact WLAN devices transmit and receive on the same frequency (but not at the same time.) T/R switching is usually handled by diodes. (A diode, despite what a poster said, WILL block RF if biased properly. But to RF, it's bidirectional, either on both ways or off both ways, depending on the DC potential across the diode) Plus even in the "off" state, they'll leak a bit.

            An isolator will allow RF to go in only one direction, while blocking RF going the other direction. These are expensive ($40-50 in quantities of 50+, probably more for one with coaxial connections).

            Still, you can put all you want in the antenna feedline to make sure RF goes only one way - The receiver LO is going to leak out of the device housing. It'll be weak, but it'll be there. It'll be a CW signal, which will make it easier to detect despite being weak.

            In RFMon mode, you don't need to take any measures to block RF going up the antenna feedline - The card will be stuck in receive mode with the transmitter shut down. Of course, the fact that your card is not transmitting means you can use a simple unidirectional preamp for receive rather than an expensive RF-sensing bidirectional amp. (These switch from receive to transmit when they sense RF coming from the transmitter).
    • by Andy Dodd ( 701 )
      The author mentions RFMON type sniffers in his article. While you can't detect the sniffer itself, it is easy to spoof such sniffers with bogus data that an RFMON sniffer can't validate (but an active sniffer can). Such data can be used to encourage the attacker to go active and hack right into a honeypot.
  • Don't we have to wait for Discovery to be launched before we can detect its applications?
  • oh oh... (Score:2, Funny)

    by citroidSD ( 517889 )
    This whitepaper is published in PDF format, so it must be serious! Unlike those HTML white papers written by script kiddies....
    • In case you don't happen to have a loaded Acrobat (loaded acrobat? don't let him on the high wire!), or if you can't bear to wait for Adobe's disclaimers to load, here's a quick-n-dirty HTML mirror [tripod.com] of the .pdf file. Ugly as sin: did it by pasting the text into Notetab [notetab.com] and using "convert to HTML".

      Yes, it's on Tripod, so beware the popups and banners. Whaddya expect from us skr1pt k1dd13z?
  • so how do you actually secure the WiFi network.

    Let's say I have DSL at my 5th floor apt. in downtown SF - I put a WiFi antenna up so I can roam to the cafe across the street - how do I keep any others off my network? cheaply?
    • only allow the MACs of your PDA/notebook/cellphone to connect and get an ip...

      sorry for the one liner, but pulling this off is very OS dependent, thus out of the scope of this posting.
      • Re:securing (Score:2, Informative)

        by rlangis ( 534366 )
        Not really. My RG-1000 AP has this ability in the firmware. Speaking of which, I really should enable that... ;)
      • Re:securing (Score:3, Insightful)

        by spinlocked ( 462072 )
        ...only allow the MACs of your PDA...

        Meanwhile I'll be a hypothetical man in a black hat at another table. I'll be watching you through two holes cut in a newspaper. When you've finished and switched off your PDA/notebook/whatever, I'll assume the MAC address which my PDA recorded you were using and start to upload illegal things through your DSL line. If you are using WEP, it'll take a hundred meg or so of your data to be transferred before I've got your key.

        Don't rely on MAC address filtering or WEP, this stuff was poorly thought out to start with. Use IPSec or SSH tunnels if you can, or failing that firewall off your access point from the rest of your apartment network and treat it like any other public network - insecure.

        • while your points are really valid here, I was talkin about keepin some kids from using your bandwidth, not stopping your favourite spy agency... ;)
      • MAC filtering doesn't actually work. On cheap APs, you can have multiple *identical MACs. There is no state table for MAC addresses on those APs, it's simply a variable.
    • You could use MAC address filtering and all other provisions of security (such as 128-bit WEP with shared authentication only) and use IPSEC to encrypt the entire traffic. If not you could just create an ssh tunnel. Time to get a Linux tablet PC?
    • Don't forget to change the standard SSID to something not easily guessed and turn off SSID broadcast. Use 128-bit WEP as well. You will have to tell your PC what the SSID and WEP codes are for this to work but it should keep the average hacker out of your system. You should probably change your WEP code periodically just in case someone does manage to detect your setup and crack the WEP code.
    • Use a VPN. If you really don't want to let anyone else use your bandwidth (spoilsport), only let the WiFi connect to your server on your VPN port. You have to trust your VPN, but that's why they exist, right?

      My WiFi is outside my firewall, and I don't limit access at all. I'm in San Bruno, not SF, so there are not as many interested parties (none, most of the time). Depending on how friendly you want to be to your neighbors/visiting friends/passers by, you might route the WiFi traffic through your server but limit the bandwidth. This is getting to be real work, though...
  • what about forged MAC Addresses? Sure, it's more than the average Wardriver would do to get access, but changing MAC's isn't _that_ hard. But this is a neat white paper though.
    • Not only is it not difficult to forge your MAC, most (low-end) APs, with MAC filtering turned on, won't notice if you have two of the same MACs on at the same time. We've tested this, with some success. One would think it'd cause an ARP storm however...
  • can't detect that, right?

    and when they're using info found with it it's too late, right?

    better have it secure in the first place..
    i got a system like this on my door, if it's busted, i've been robbed.
  • by Anonymous Coward on Monday November 11, 2002 @07:19PM (#4646508)
    What do you do now?
    Go outside and kick ass on the guy with the laptop?

    You could sneak up behind him and strangle him with all that extra cat-5 you have lying around now.
    • EMP (Score:1, Funny)

      by zonker ( 1158 )
      well u could remove the threat completely with the help of a three letter friend.
  • AP Radar (Score:5, Informative)

    by dgp ( 11045 ) on Monday November 11, 2002 @07:24PM (#4646539) Journal
    A new style of network discovery is available in the linux 2.5 kernel and in 2.4.20. Jean Tourrilhes' [hp.com] Wireless Extensions for Linux version 14 and later contains a method to scan all channels for access points for a short period of time, then return to the wireless card's original state. This is implemented in the wireless drivers themselves so it works with any model of card. The 'iwlist' utility in the newer wireless tools suite will show this functionality.

    There is a GTK+ application I have written called AP Radar [sourceforge.net] that also makes use of this functionality. This utility has just reached a point where it can replace the need to run iwconfig and a dhcp client. Start the application and click on the ESSID that you want to associate to. AP Radar will set the ESSID and Mode of the wireless card, and launch a DHCP client (pump). It's meant as an end-user tool to simplify the process of connecting to an access point rather than a full featured net stumbler.

    The advantage to using AP Radar over a full blown net stumbler like kismet is that you stay associated with the access point you are using, while still scanning for new APs in the area. With kismet and the others, your association is lost and you must reconnect after you're done scanning.
    • An earlier post talked about triangulating the location of wireless users. Note that AP Radar does not do spatial positioning of an access point. The 'Radar' part of the name is just a name :)
  • use

    ps -ef | grep -i nets...

    to determine if you are running one of these applications

  • by Adam9 ( 93947 ) on Monday November 11, 2002 @07:47PM (#4646674) Journal
    I did some looking around on Google and found this paper [ozemail.com.au], which briefly covers the subject by suggesting a "security mesh" to prevent unauthorized access to wlans. Anyone with some insight in how [cost] effective this may be, or if there are any other solutions out there?
  • hopeless (Score:3, Interesting)

    by metalpet ( 557056 ) on Monday November 11, 2002 @07:49PM (#4646693) Journal
    Any WEP based network can be compromised by passively sniffing enough packets. After that initial work, the network is entirely open. At that point, the attacker cannot be detected by any means, yet he can sniff pretty much anything he wants.

    That alone is a very good reason to NOT plug a wireless access point to an internal network. If you don't have some sort of firewall between your access point and your internal network, you might be underqualified for your job.

    Given that, yes, you can detect freeloaders that are using your access point to surf the net. You cannot really block them, as MAC addys are easy to change. If that's really an issue, have the wireless network connected to nothing BUT your firewall, then force any wireless user to authenticate through the firewall you wisely installed. From there, it's a lot easier to monitor what happens to the firewall.

    I guess the detection technique is mostly useful for statistical purposes, as previous posts have mentioned.
  • by jjackson ( 83961 ) on Monday November 11, 2002 @07:56PM (#4646748) Homepage
    I am currently in an email conversation with LinkSys over the topic of securing a small WLAN that I set up to link my home network to my office (in a house across the street) and ran into a real problem with their WAP11 v2.2 AP's.

    With 2 AP's set up in ethernet bridge mode (Shick as Slit!), if I enable WEP, the AP's encryption will get out of sync in very short order under heavy traffic loads (such as FTP'ing a file across the network at full speed). Once out of sync, I have to reset both AP's. With WEP disabled, the AP's perform OK.

    After several tests I was able to reproduce these results each and every time... so I emailed LinkSys about their broken WEP support. Here is the response I got:

    Dear Mr. Joshua,

    Thank you for contacting Linksys Customer Support.

    With regard to the problem, can you provide the complete set up of your
    network? About WEP, it is advised that you disable WEP keys in your access
    point to avoid possible degradation of wireless transmission. The encryption
    causes your network to slow down in terms of wireless transmission because
    prior to transmission, the data are encrypted and decrypted at the receiving
    end. Hence, the result is to slow the efficiency of your data transfer. For
    a small network where there aren't much important files to be transferred,
    it is advised that WEP keys are disabled.

    About the firmware, the access point should have no problem connecting to
    one another although they have different firmwares.

    Have a nice day!


    Glythel Ria M. Penus
    Product Support Representative

    If you are wondering what the firmware issue is about, I noticed that one of the new AP's came with an undocumented revision of the firmware (1.01f), so I attempted to downgrade it to the version listed on their web site (1.01c), which also happens to be the version that the other AP is running. It won't do a downgrade.

    So, for my solution, I used a firewall product that my company has developed to run IPSEC across an unsecured wireless link. Fortunately, in bridge mode, the Linksys AP's will only connect to another WAP11 that has its MAC specified in the allowed list.

    Even if this wasn't my business LAN, how many people that need a wireless network never transfer anything "important"? More to the point, how many people don't care if the neighbor leeches Internet service off of the cable modem that they are paying for?

    This is not the first time I have seen this idiocy come from a vendor... my brother in law was recently instructed to remove the last several Windows Critical Updates from his Windows 2000 computer by an M$ phone-monkey, telling him that if it wasn't broke in the first place, that he shouldn't have tried to fix it.
    • yess.

      I have a linksys ap+router (befw11s4 I think) and it works fine in wide-open mode, but not so well either in WEP or MAC-restricted mode -- often needing resets to let my two clients associate with it.

      So it was cheap. I should have figured it was a piece of shit. (NB: it DOES work flawlessly in idiot mode tho, with the one restriction on requiring FTP downloads to be in PASV mode).

      Question: is the netgear box any better? Any other recommendations?
  • Kismet saves the day (Score:4, Informative)

    by Phork ( 74706 ) on Monday November 11, 2002 @08:00PM (#4646785) Homepage
    The key point of this paper is that you can't detect passive monitoring (RFMON mode), so tools like kismet which use it are not detectable. The only way to mess with these types of tools is to send out falsified data to confuse that scanner, but this will still not let you detect them.
    • It is still possible to detect a client in RFMON mode by using a very high gain antenna combined with some DSP to identify a possible listening of an 802.11 receiver since there is no FCC regulation for a receiving antenna gain :)
      • This might "work," but it seems rather farfetched... Isn't there a huge potential for interference as well? And it seems ridiculous to have people going around with massive high-gain (which usually, though not necessarily, infers a highly-directional antenna) antennas trying to find people sniffing their networks. Unless you have *really* secret data, this is probably overkill; if I was going to do this, I'd just run fiber... :)
        • Please show me an omnidirectional antenna with high gain (> 20 dB). I would like to purchase one.
          • That was sort of my point -- omnis don't have the gain of a directional antenna. You can get a fairly high-gain omni (11 dBi+), but they're things like stacked collinear, and I'm not sure if anyone makes anything of that sort for the 2.4 GHz (802.11b) band. (I suppose it'd be pretty short, though.) Anyway, sorry if I wasn't too clear in my original post. If you find one, I'll buy a few too. ;)
            • I am in the process of building one (stacked and phased collinear antenna) using inexpensive materials, for a would-be secure community network. If you are interested let me know.
              • This is a neat idea, although I can't honestly say I'd have any use for it -- I don't use any wireless products. (Although I do have a long-standing obsession with starting a wireless ISP...) If you happen to put up a webpage on it or something, I'd love it if you'd send me a link. (But don't make it just for me or anything.) Is it receive-only?
                • I will keep you updated. It is not receive-only. I found that it would be much cheaper to build a special purpose antenna to overcome the requirements of a power amplifier, apart from increasing the penetration into homes with a lot of brick masonry.
          • You don't really need an omnidirectional antenna, you could always use a switched parabolic antenna, or even a rotating one. We are talking about the ability to identify a potential listener and not talking about some RF glitch caused by a solar flare!
      • by Phork ( 74706 )
        You're totally right on this, and theoretically it would work. A technique similar to this was used in some place (I'm thinking it was the UK) to detect unlicensed shortwave receivers. Basically how it worked was they went around with RDF (radio direction finding) gear tuned to common IFs (intermediate frequencies; if you don't know what this means, read a tutorial on heterodyne). I'm not sure what kind of demodulating technique is used in 802.11b cards, so that technique may or may not work. I think I'm going to have to investigate this.
        • It should not be a big deal to design one for detecting ISM band emissions, but it will be a bit tricky due to the DSS modulation scheme, which tends to scatter the available energy over the entire band. I do not think that there is any receiver that employs pure passive tuning (which is a theoretical possibility and limited by the availability of high Q resonators and narrow band tunable very low noise amplifiers).
  • by suwain_2 ( 260792 ) on Monday November 11, 2002 @08:13PM (#4646881) Journal
    That's funny, I'm working on a similar whitepaper: Detecting 802.11 Detector Detectors, to detect people trying to detect people trying to detect 802.11 networks. Included is some sample code to detect the detector detectors, but it seems to get into a nasty infinite loop, and I can't figure out why.
  • by indiigo ( 121714 ) on Monday November 11, 2002 @08:13PM (#4646886) Homepage
    Looking at wireless over the last two years is just mind boggling. There's no way to stay up to date on the latest security hacks and updates and firmware and make sure your MAC addresses are in a database and this and that. It hardly seems worth the effort. Hell, it's easier just bringing a spindle of cat6 and wiring up 1000bt or better around with you than to deal with the networking mess.
  • by mocktor ( 536122 ) on Monday November 11, 2002 @08:34PM (#4647024) Homepage
    In response to all the people posting "so how do i stop evil k1dd135 using my bandwidth?" - why not just [freenetworks.org] stick to secure (ssh, https) protocols and share [consume.net] it?

    Granted this isn't suitable for a lot of business networks, but still - wouldn't it be cool if you could walk down the street and stay connected to icq without getting your ass kicked?
  • Can't get in my wireless home lan...

    ...cos I gave my laptop to a super-fine chick at work....*sniff* #;^(
  • Isn't sniffing a key component of a wireless network? Why is this something that needs monitoring? What needs monitoring is authentication on the wireless network, not looking for the network.
  • Trace Buster, Buster!
  • Why? (Score:4, Interesting)

    by Alex Belits ( 437 ) on Monday November 11, 2002 @10:51PM (#4647888) Homepage
    Why would anyone want to know if someone is trying to find his network? What horrendous insecurity may prompt one to waste his time on such a thing? Why not just make the goddamn network secure enough so whoever will run kismet/netstumbler/whatever will simply see that he can't use this network and leave it alone?
  • Invalid premise (Score:2, Flamebait)

    by Martin S. ( 98249 )

    Setting aside that ESSID discovery software is inherently passive.

    All this fuss and mud slinging over WiFi seems to be missing the point. It is built on an invalid premise: that 'this network' belongs to the AP owner. 802.11b uses public airspace; it does not belong to anybody, it belongs to everybody, just like the Internet backbone. It is designed to be open, and should remain so. If somebody wishes to use it privately for their secure traffic they should treat it as they would a PVC the net at large.

    Accept that it is an open technology standard and secure their machines and traffic as necessary, as they would on the Internet at large. The physical network itself cannot and should not be closed.