RE: Mapping wireless LANS from the wired side

From: Joe Shaw (jshaw@insync.net)
Date: 08/21/01


Date: Mon, 20 Aug 2001 18:51:50 -0500 (CDT)
From: Joe Shaw <jshaw@insync.net>
To: <Mike.Ruscher@CSE-CST.GC.CA>
Subject: RE: Mapping wireless LANS from the wired side
Message-ID: <Pine.GSO.4.33.0108201727130.24598-100000@vellocet.insync.net>


On Mon, 20 Aug 2001 Mike.Ruscher@CSE-CST.GC.CA wrote:

> There is no guarantee that war-driving will find them all, especially when
> they may roam and not always be up when sniffed by a wireless system. In any
> case, this is irrelevant to the requirement at hand.

I've done it both ways. I worked for a large company that used
802.11b to provide connectivity to the desktop. Coming from the wireless
side was a lot more effective and yields better results. I understand
you're working within a set of guidelines here, but using a hammer to
drive screws is counterproductive unless you just like wasting time.

There's no need for sniffing involved. With an Aironet or Cisco card and
the Cisco signal software I can walk around 802.11b enabled facilities and
get the signal strength, signal quality and name of the AP I'm associated
with. As I walk around, I associate with more powerful APs. There's no
way to do this from the wired side. It's the same principle as "war
driving" but on a much smaller scale. This can easily be done with the
BSDs as well. Just loop ancontrol or equivalent for your card and record
the AP you're associated with. Some of us have been doing this in
business districts since last year when we found a lot of people were
using 802.11b in Downtown Houston. It started innocently enough by just
wanting to test the signal strength of our own APs. Sadly, others
published before we even thought about doing it, but such is life.

> It's like finding dial-up modems from the network side, not by war-dialling
> (or by war-driving in this instance). In this case it should be a lot
> easier, since everything is TCP/IP still. A list of company device/MAC
> associations is all that would be necessary is my guess and not just
> company/MAC associations. Collecting them is not a great hardship I suppose
> though, but time-consuming and forever requiring support to be fresh and
> complete.

The problem is that some manufacturers aren't using different MAC
addresses to differentiate their wired stuff from their wireless stuff.
Furthermore, some manufacturers don't even make their own wireless
equipment and OEM it from others. Xircom cards are OEM Cisco/Aironet.
Dell is OEM Orinoco. I'm sure there are countless others. Furthermore,
an AP does not necessarily need a valid IP address to put traffic on the
wired network or be wired to sniff from the wireless side.

If you want to be really evil, you don't even use an AP. Just build a very
small PC (libretto?) running whichever BSD or Linux you want, put in an
Aironet card, start dsniff and you're done. It will never be found by
anyone looking without real RF gear unless you don't hide it well. The
reason is that I've found that when I put my Aironet 4800 PC card into
promiscuous mode it completely loses the ability to send any information,
including its MAC address for ARP requests. Put it in monitor mode, and
you get raw 802.11 frames (for useful things like cracking WEP) with the
same end result of no transmission of packets. I do not take credit for
the libretto idea, as it was not mine. There are many of us doing our own
wireless research, and we're all starting to collaborate now. By the end
of summer you'll see a lot more in the area of 802.11b attack tools.
Take a look at sourceforge and you'll find several public projects. I
know of at least twice that many currently being developed under wraps.

Regards,

--
Joseph W. Shaw II
Network Security Specialist/CCNA
Unemployed.  Will hack for food.  God Bless.
Apparently I'm overqualified but undereducated to be employed.
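The wired-side approach the thread argues about, as an added example that is not code from this post or from anyone in the thread: a small Python inventory check that joins a switch CAM (bridge) table with an ARP table, looks each MAC's OUI up in a vendor table, and reports wireless candidates. It keeps the two caveats raised above: an OUI does not always separate a vendor's wired products from its wireless ones, and an OEM relationship (the post's Xircom/Aironet and Dell/Orinoco pairs) means the brand on the box is not the name behind the OUI. It also surfaces a MAC that is bridging onto the wire without any ARP entry, which is the "AP with no IP address" case. Every OUI, MAC, address and table line below is constructed for the example; a real run would load the IEEE OUI registry and the output of your own switch and ARP commands.

```python
"""Wired-side inventory check for candidate wireless devices.

Added example, not code from the original thread. All OUIs, MACs and
addresses are constructed placeholders, not IEEE registry assignments.
"""
import re

# Constructed table of vendors known to ship wireless gear, keyed by OUI
# (first three octets). 'wireless_only' is False where the same prefix is
# also used on that vendor's wired NICs, so the OUI alone cannot decide.
OUI_TABLE = {
    "aa:bb:01": {"vendor": "Aironet", "wireless_only": True},
    "aa:bb:02": {"vendor": "Orinoco", "wireless_only": True},
    "aa:bb:03": {"vendor": "Xircom", "wireless_only": False},
}

# OEM relationships named in the post: a card sold under the left-hand
# brand is built by the right-hand vendor, so the OUI on the wire is the
# maker's, not the brand's.
OEM_OF = {"Xircom": "Aironet", "Dell": "Orinoco"}

# Constructed 'show mac-address-table' style output (dotted MAC format).
CAM_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    aabb.0100.0001    DYNAMIC     Fa0/3
  10    aabb.0300.0002    DYNAMIC     Fa0/7
  10    aabb.0400.0003    DYNAMIC     Fa0/9
  10    aabb.0200.0004    DYNAMIC     Fa0/12
"""

# Constructed 'arp -an' style output. Note the Fa0/12 device has no entry:
# it is putting frames on the wire without an IP address of its own.
ARP_TABLE = """\
? (10.0.10.21) at aa:bb:01:00:00:01 on fxp0
? (10.0.10.30) at aa:bb:03:00:00:02 on fxp0
? (10.0.10.31) at aa:bb:04:00:00:03 on fxp0
"""


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_cam_table(text):
    """Return {mac: port} from CAM table output; header and rule lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+([0-9a-fA-F.:-]{12,17})\s+(\S+)\s+(\S+)", line)
        if m:
            entries[normalize_mac(m.group(2))] = m.group(4)
    return entries


def parse_arp_table(text):
    """Return {mac: ip} from ARP output."""
    entries = {}
    for line in text.splitlines():
        m = re.search(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:.-]{12,17})", line)
        if m:
            entries[normalize_mac(m.group(2))] = m.group(1)
    return entries


def classify(mac, cam, arp):
    """Describe one MAC: OUI vendor, how confident the wireless call is, port and IP."""
    mac = normalize_mac(mac)
    info = OUI_TABLE.get(mac[:8])
    if info is None:
        vendor, confidence = None, "no match"       # not a known wireless vendor OUI
    elif info["wireless_only"]:
        vendor, confidence = info["vendor"], "wireless"
    else:
        vendor, confidence = info["vendor"], "ambiguous"  # same OUI on wired gear
    return {"mac": mac, "port": cam.get(mac), "ip": arp.get(mac),
            "vendor": vendor, "confidence": confidence}


def expected_oui_vendors(brands):
    """Expand a purchasing list of brand names into the vendors whose OUI
    will actually appear on the wire, following the OEM chain."""
    result = set()
    for brand in brands:
        seen = set()
        while brand in OEM_OF and brand not in seen:
            seen.add(brand)
            brand = OEM_OF[brand]
        result.add(brand)
    return result


def wireless_candidates(cam_text, arp_text):
    """Classify every MAC in the CAM table, strongest wireless candidates first."""
    cam, arp = parse_cam_table(cam_text), parse_arp_table(arp_text)
    order = {"wireless": 0, "ambiguous": 1, "no match": 2}
    rows = [classify(mac, cam, arp) for mac in cam]
    rows.sort(key=lambda r: (order[r["confidence"]], r["mac"]))
    return rows


if __name__ == "__main__":
    for r in wireless_candidates(CAM_TABLE, ARP_TABLE):
        ip = r["ip"] or "no ARP entry (bridging without an IP?)"
        print(f'{r["mac"]}  {r["port"]:<7} {r["confidence"]:<10} {r["vendor"]}  {ip}')
    print("OUI vendors to expect for brands Dell, Xircom, Aironet:",
          sorted(expected_oui_vendors({"Dell", "Xircom", "Aironet"})))
```

The sort puts the no-IP Orinoco device and the Aironet card first; the Xircom MAC is reported as ambiguous because the same prefix is on wired cards, which is exactly why a company/MAC list on its own will not answer the question without a physical check of the port.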

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/


