-
March 1st, 2005, 08:19 PM
#11
jdenny, very nicely put.
Also, disabling SSID broadcast won't prevent a sniffer getting the SSID, since the SSID is sent in the clear in the probe message when a client associates to an AP.
MAC addresses are also transmitted in clear text. In a dynamic environment, I won't try to configure APs for each and every trusted client.
Bingo.
I was recently surprised to find out just how much information is "in plain sight" even with a WPA-PSK encrypted wireless network. The Client/AP association exposes a great deal of information. So much, in fact, that the only true saving grace against a determined cracker is a good passphrase (as you mentioned).
I have a question about the evil twin subject.
Legitimate wireless clients will find SSID-broadcasting APs easier
Let's say someone creates an evil twin of my wireless network using the same SSID. In my wireless networking configurations (on wireless clients), I automatically connect to preferred networks. Since this evil twin has the same SSID, will the wireless clients scanning for active wireless networks automatically assume this is my preferred network since it has the same SSID? In addition to that, using my network as an example, which uses WPA-PSK encryption: won't the passphrase be incorrect when one of my wireless clients tries to connect to this evil twin (assuming whoever set up the evil twin doesn't know my passphrase)? We don't have login prompts, as it's an automatic connection, so any login prompts will be a good indication of a bogus AP.
The object of war is not to die for your country but to make the other bastard die for his - George Patton
-
March 1st, 2005, 09:30 PM
#12
Banned
try running AirSnare
sorry if someone mentioned this already.
-
March 1st, 2005, 09:44 PM
#13
Use WEP or WAP, use stored keys and use MAC filtering... When you feel paranoid, scramble/create another unique key pair.
-
March 1st, 2005, 09:49 PM
#14
I automatically connect to preferred networks. Since this evil twin has the same SSID, will the wireless clients scanning for active wireless networks automatically assume this is my preferred network since it has the same SSID?
It depends, really. You should NEVER EVER EVER connect by SSID. In fact, IIRC, Windows does the method I'm about to talk about, automagically. Always connect by MAC address of the WAP. Sure, they can twin an SSID, but they can't twin a MAC. So, always have your connect check the MAC address it is connecting to before allowing a full handshake. Windows will keep settings of which APs you connected to before and thus automagically reconnect them to you again. I'm pretty sure that method too checks the MAC address rather than just the SSID.
This usually nullifies evil-twin attacks, which leaves me wondering why they even work in the first place.
"It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change."
- Charles Darwin
-
March 2nd, 2005, 12:49 AM
#15
Senior Member
I worked at a distribution center that had 15 acres of covered warehouse that was within RF range of Interstate 20. It was not uncommon to see people parked on the side of the interstate with RF antennas on their vehicle. We were also war chalked on a few sites. It was one of my jobs to secure the 30 Cisco Aironet APs they had. I got a list of MAC addresses that used the devices and did MAC filtering and ACL configuration to keep things secure. It worked out OK and it was secure. Unless you had a MAC address that was in the ACL, you were pretty much only limited to seeing a signal.
There are many rewarding opportunities awaiting composure from like minds and great ideas. It is my objective to interconnect great things.
-
March 7th, 2005, 02:03 AM
#16
It depends, really. You should NEVER EVER EVER connect by SSID. In fact, IIRC, Windows does the method I'm about to talk about, automagically. Always connect by MAC address of the WAP. Sure, they can twin an SSID, but they can't twin a MAC.
Why can't they? I can set my MAC to whatever I want...
macchanger
I can also broadcast plenty of counterfeit APs with the same SSID and MAC...
fakeap
Has anyone checked out the products from http://www.airdefense.net/ ?
Looks like they have some worthy products... they even have a "personal" version....
I keep requesting trial versions of their various products but they have not emailed me links.
I'm not putting in real contact info except for my "spam" email address...
Maybe since I'm not putting in real contact info, they won't let me try it out?
I would put in real info... but I don't want to be hounded by the sales people after the "trial" period. It's happened time and time again. I can't find anywhere to download it either...
Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
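Added example, not part of any post in this thread: since posts #14 and #16 disagree on whether checking the AP's MAC is enough, this sketch shows what a defender's survey check can and cannot catch when it compares beacons for a protected SSID against a recorded baseline. The SSID, MAC addresses, channels and the scan record layout are all constructed for illustration.

```python
# Constructed baseline for the protected network (all values are made up).
# BSSID keys are stored in upper case.
KNOWN_APS = {
    "homenet": {
        "00:11:22:33:44:55": {"security": "WPA-PSK", "channel": 6},
    }
}

# Constructed scan results, in the shape a site-survey tool might report.
SCAN = [
    {"ssid": "homenet", "bssid": "00:11:22:33:44:55", "security": "WPA-PSK", "channel": 6},
    {"ssid": "homenet", "bssid": "66:77:88:99:aa:bb", "security": "WPA-PSK", "channel": 11},
    {"ssid": "homenet", "bssid": "00:11:22:33:44:55", "security": "OPEN", "channel": 1},
    {"ssid": "coffeeshop", "bssid": "DE:AD:BE:EF:00:01", "security": "OPEN", "channel": 3},
]


def find_suspect_aps(scan, known_aps):
    """Return (bssid, channel, reason) for every beacon that claims a
    protected SSID but does not match the recorded baseline."""
    findings = []
    for ap in scan:
        baseline = known_aps.get(ap["ssid"])
        if baseline is None:
            continue  # not one of our SSIDs, nothing to compare against
        bssid = ap["bssid"].upper()
        expected = baseline.get(bssid)
        if expected is None:
            # Same SSID, radio we never deployed.
            findings.append((bssid, ap["channel"], "unknown BSSID for protected SSID"))
            continue
        # BSSID matches, but a MAC can be set to anything (post #16),
        # so also compare the attributes the real AP is known to have.
        if ap["security"] != expected["security"]:
            findings.append((bssid, ap["channel"], "security mismatch"))
        if ap["channel"] != expected["channel"]:
            findings.append((bssid, ap["channel"], "channel mismatch"))
    return findings


if __name__ == "__main__":
    for bssid, channel, reason in find_suspect_aps(SCAN, KNOWN_APS):
        print(f"{bssid} ch{channel}: {reason}")
```

A twin that copies the SSID, BSSID, security type and channel passes every check here, which is why the passphrase point from post #11 still carries the weight.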
-
March 7th, 2005, 02:45 AM
#17
A much simpler and surer method of solving the evil twin problem is to: 1. Go into your closet, 2. Grab that baseball bat, 3. Start hunting the offender.
Heh!
ZT3000
Beta tester of "0"s and "1's"
-
March 8th, 2005, 12:19 AM
#18
Why don't you try to remove the intruder's SSID on the profile?