my wireless has an intruder

Printable View

Show 40 post(s) from this thread on one page

March 1st, 2005, 08:19 PM
ShagDevil

jdenny, very nicely put.

Quote:

Also, disabling SSID broadcast won't prevent a sniffer getting the SSID, since the SSID is sent in the clear in the probe message when a client associates to an AP.

Quote:

MAC addresses are also transmitted in the clear text. In a dynamic environment, I won't try to configure APs for each and every trusted client

Bingo.
I was recently surprised to find out just how much information is "in plain site" even with a wpa-psk encrypted wireless network. The Client/AP association exposes a great deal of information. So much in fact, that the only true saving grace against a determined cracker is a good passphrase (as you mentioned).

I have a question about the evil twin subject.

Quote:

Legitimate wireless clients will find a SSID-broadcasting APs easier

Let's say someone creates an evil twin of my wireless network using the same SSID. In my wireless networking configurations (on wireless clients), I automatically connect to preferred networks. Since this evil twin has the same SSID, will the wireless clients scanning for active wireless networks automatically assume this is my preferred network since it has the same SSID? In addition to that, using my network as an example, which uses WPA-PSK encryption. Won't the passphrase be incorrect when one of my wireless clients tries to connect to this evil twin?(assuming whomever setup the evil twin doesn't know my passphrase). We don't have login prompts as it's an automatic connection so any login prompts will be a good indication of a bogus AP.
March 1st, 2005, 09:30 PM
Jebo Majku

try running AirSnare

sorry if someone mentioned this already.
March 1st, 2005, 09:44 PM
Linen0ise

Use WEP or WAP, use stored keys and use mac filtering.... When you feel paranoid, scramble/create another unique key pair.
March 1st, 2005, 09:49 PM
guardian alpha

Quote:

I automatically connect to preferred networks. Since this evil twin has the same SSID, will the wireless clients scanning for active wireless networks automatically assume this is my preferred network since it has the same SSID?

It depends, really. You should NEVER EVER EVER connect by SSID. In fact, IIRC, Windows does the method I'm about to talk about, automagically. Always connect by MAC address of the WAP. Sure, they can twin a SSId, but they can't twin a MAC. So, always have your connect check the MAC address it is connecting to before allowing a full handshake. Windows will keep settings of which AP's you connected to before and thus automagically reconnect them to you again. I'm pretty sure that method too checks the MAC address rather than just the SID.

This usually nullifies evil-twin attacks, which leaves me wondering why they even work in the first place.
March 2nd, 2005, 12:49 AM
fraggin

I worked at a distribution center that had 15 acres of covered warehouse that was within RF range of Interstate 20. It was not uncommon to see people parked on the side of the interstate with RF antenna's on their vehicle. We were also war chalked on a few sites. It was one of my jobs to secure the 30 cisco aironet AP's they had. I got a list of MAC addresses that used the devices and did MAC filtering and ACL configuration to keep things secure. It worked out ok and it was secure. Unless you had a MAC address that was in the ACL, you were pretty much only limited to seeing a signal.
March 7th, 2005, 02:03 AM
phishphreek

Quote:

It depends, really. You should NEVER EVER EVER connect by SSID. In fact, IIRC, Windows does the method I'm about to talk about, automagically. Always connect by MAC address of the WAP. Sure, they can twin a SSId, but they can't twin a MAC.

Why can't they? I can set my MAC to whatever I want...
macchanger

I can also broadcast plenty of counterfeit APs with the same SSID and MAC...
fakeap

Has anyone checked out the products from http://www.airdefense.net/ ?

Looks like they have some worthy products... they even have a "personal" version....

I keep requesting trial versions of their various product but they have not emailed me links.
I'm not putting in real contact info except for my "spam" email address...

Maybe since I'm not putting in real contact info, they won't let me try it out?

I would put in real info... but I don't want to be hounded by the sales people after the "trial" period. Its happened time and time again. I can't find anywhere to download it either... :(
March 7th, 2005, 02:45 AM
ZT3000

A much simpler and surer method of solving the evil twin problem is to: 1. Go into your closet, 2. Grab that baseball bat, 3. Start hunting the offender.

Heh! :D

ZT3000
Beta tester of "0"s and "1's"
March 8th, 2005, 12:19 AM
aenema

Why don't you try to remove the intruder's SSID on the profile?

Show 40 post(s) from this thread on one page