December 30th, 2003, 05:35 PM
Packet sniffer and Wireless networks
I just want to know if I understand some things right.
1st : A packet sniffer can be used on an "entire" ethernet network because all the computers receives all packets (if they are on the same network), even if the packets are not for them? (It's the "promiscuous mode" of the ethernet card)
2nd : some wireless network are not password protected and allow anonymous users to log in. So you could log in such networks and packet sniff all the network too?
I guess that those kind of network use some kind of encryption packet or something?
Here are some answers I found by searching.. Some other inputs by experimented (or not) users would be appreciated
Is it secure?
In order to facilitate access to the AirSpot Wi-Fi Hotspot, most security options are disabled. While no AirSpot user can connect to any other AirSpot user directly, a malicious user can spy on what traffic is passing through.
You may see literature saying that the 802.11b standard includes provisions for optional 40- or 128-bit link-level encryption over the air, however, current implementations require the encryption key to be shared by all users of the wireless LAN, effectively eliminating the usefulness of this security feature in an open-access environment.
In short, it is no more and no less secure than a regular internet connection, and should be dealt with as such.
3) Is that possible (I'm not asking how) to sniff a wireless network without being logged onto it? I guess that's the point of the encryption in my quote.
4) I'm not sure about the security with wireless networks. You could go into a parking lot of a company at 3 am (when nobody is there for checking the network), you just check for lights (to see if a network admin would be there or something) and if there is nothing, you are free to try whatever you want with the network. Try to break in etc.. Isn't it the hacker's paradise here? Or maybe I'm missing something? :|
Simply find the SSID for the network, configure your WLAN card to use that SSID with no WEP encryption and to use dynamic addresses, and voila, you are now on the network. You can surf the Internet, scan the internal network, print to their printers, and so on. It can be that simple.
I'm scared... What will it happen when our refrigirators and cars will be hooked up on the Net with wireless devices? "Someone hacked my butter!", "My cars is talking to me". ok ok, not funny.
Here is another interesting link : How to build an antenna for like 5 bucks, with a pringles can : http://www.oreillynet.com/cs/weblog/view/wlg/448
December 30th, 2003, 07:57 PM
1. It depends on the physical pieces of the ehternet network. If your LAN is composed of hubs, then you are correct, a hub recieves traffic on one port, and sends it out to all ports. If your network uses switches, then this is not correct, the default behavior of a switch is to recieve traffic on one port, and then send that traffic on to only the port which is connected to the device for which the traffic is destined, although "broadcast traffic" are destined for all machines so are sent out on all ports.
2. This also depends on the actual hardware and how they are configured. If you have a wireless access point which is configurured to simply act as a wireless hub, then yes, it will send all the traffic accross the wireless, which it recieves from the network( I configured either an airport, or a linksys to do exactly this once, when testing something) if it is functioning as a nat router, then it will not do this. Again, it also depends osmewhat on whether the rest of your network is a hub or switch network how much traffic could be sent this way.
4. One of the things about breaking WEP on a wireless network is that there needs to be traffic on the network in order for you to get enough weak packets to crack it. This means that unless the wireless network in question has lots of stuff hooked up to it all the time, which are used all the time, trying to capture enough packets to break WEP at 3 am when no one is using the network is likely not going to be easy. However, you certainly could sit in the parking lot at any time when the wireless netowkr in question is at a high usage level, and collect enough data. It does need to be a high usage level though, I tried using airsnort to break WEP on a wireless network which I set up for a test once, and after leaving it running for several hours sniffing the network which only had one wireless machine on it, it was only slightly down the road to capturing enough weak packets. I figured out that it would take more than a month to get enough data on that wireless network with only one node, which was only active only a little bit. If you have a high number of wireless users, that time decreases by a lot.
There are other ways of securing wireless authentication which get arround the weakness of WEP to a certain extent( radius with EAP/TLS or EAP/TTLS, or EAP/MD5 perhaps, even WPA which is something new ........) so simply finding a wireless network and sniffing it for a long time might not even be anough to crack it.
December 30th, 2003, 09:57 PM
You're answer for number 1 is not completly true. Its a good start, but it is possible to sniff traffic over switched networks using arp poising. If someone is using linux it can be done with ettercap.
December 31st, 2003, 02:41 PM
you are correct, that is possible, I probably should have mentioned it.
January 31st, 2004, 02:18 AM
just to mention: i'm programming a wep-cracker... it still needs a couple of hours to break it, but even with lower traffic, it should be able to break the 128bit wep within a day...
The following statement is correct.
The previous statement is false.
January 31st, 2004, 03:45 AM
sorry to hit the nail twice...
but even if the network is switched, once it reaches the wireless router the packet is still broadcasted (at least in all of my studies) and thus recreating the hub senario.
February 3rd, 2004, 05:20 PM
How much info and how much access you can get from a wireless network depends on how much effort the IT people that set it up put into securing it, as well as the rest of the physical LANs setup (as has already been mentioned).
There are several easy, built in, ways to keep the casual “war driver” or park bench surfer out of your wireless network, yet so few network admins take the time to even attempt to enable them.
An example of one of the better security measures that hasn't been mentioned in this thread yet is MAC address filtering.
MAC address filtering allows you maintain a list of NIC card MAC addresses that are approved for accessing the wireless network. In theory, any packets sent from an unapproved MAC address are dropped and not allowed access to the network.
While filtering MAC address access on your wireless network may become pretty labor intensive (you may have to manually maintain a list of your companies NIC card Mac addresses) if you have a large number of computers, I believe it's well worth it.
And yes, MAC addresses can be spoofed so this isn't a fool proof, but MAC address filtering can add one more layer of deterrence when combined with WEP, disabling SSIDs, and changing default router/access point passwords.