RE: MORE: Tools for Detecting Wireless APs - from the wire side.

From: R. DuFresne
Date: 06/10/02

Date: Mon, 10 Jun 2002 15:45:05 -0400 (EDT)
From: "R. DuFresne"
To: Isherwood Jeff C Contr AFRL/IFOSS

The iPAQ method allows you to scan as you walk about your campuses, and
is cheap. My understanding is that an iPAQ, with the proper PCMCIA cards
and such, with a 5 gig add-on 'drive' card, can be had for under $600. This
way, as one goes to meetings and such in different buildings, one is also
doing part of their real job at the same time.

MAC addresses can not only be spoofed and changed, but, looking at just
3Com, one gets an idea of the large number of MACs one has to keep track
of. ARP's fine, but what about those that are not fully connected, and
also just sniffing APs? One needs to get a handle not only on the devices
in their network, but also the extent of how far their non-wired network
is actually pushed from their perimeter. How far out in the airwaves
are the devices about your campus pushing signals, and exposing
information? There's much more to 'exposure' here than merely can be
defined by MACs and ARP caches...


Ron DuFresne

On Mon, 10 Jun 2002, Isherwood Jeff C Contr AFRL/IFOSS wrote:

> I mis-typed myself.
> I called Netstumbler a "wrong answer" not because it is bad, or doesn't do
> the job, just NOT the job I'm looking for.
> Mainly, I'm trying to figure out a companion for wardriving with a Stumbler.
> Anyone who relies on only one method of scanning, is leaving themselves open
> to potential gaps in the scanner's ability to cover.
> A NETWORK - WIRED scan, detect method to complement the wardriving Stumbler
> is helpful as a corroborative tool to help get a "second opinion" of
> sorts...
> The two prevailing methods seem to be using the ARP cached MAC addresses to
> ID potential APs, and NMAP'd fingerprints of nodes compared to a list of AP
> Fingerprints...
> -----Original Message-----
> From: Pierre Vandevenne
> Sent: Monday, June 10, 2002 1:42 PM
> To: Isherwood Jeff C Contr AFRL/IFOSS
> Cc: 'Pen-Test'
> Subject: Re: MORE: Tools for Detecting Wireless APs - from the wire side.
> Hello Isherwood,
> IJCCAI> MOST received wrong answer ??
> IJCCAI> Netstumbler: Wardrive your own campus before they do.
> IJCCAI> This is not always a practical, or failsafe method. You
> IJCCAI> might miss an area, or your campus might be too big to
> IJCCAI> realistically do this (imagine a corporation or Edu that is
> IJCCAI> spread out over a mile or more, and your manpower is limited?)
> I don't think it is a "wrong" method. As a matter of fact, each time I have
> tried it in a favourable environment, it has found many more APs than other
> methods combined. If there is one thing that you can't hide it is the radio
> traffic. It's true that SNMP can, in some cases, be disabled. But MAC
> addresses can be changed as well.
> Large campuses are the easiest to scan. Get a high gain antenna and a golf
> cart and explore the area boustrophedonically.
> The most difficult places to scan are actually medium sized organizations in
> a "downtown-like" environment, where you pick up a lot of stuff that doesn't
> belong to you or where APs will remain hidden because of the Faraday cage
> properties of some areas.
> Interestingly, leaving aside the issue of regulations and power of emission,
> it is often much easier to stumble in the US than in Europe because of the
> wooden structure of many US buildings.

        admin & senior security consultant:

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!
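The two wire-side methods Jeff describes (ARP-cached MAC addresses matched against AP vendor prefixes, and nmap fingerprints compared with a list of AP fingerprints) and Ron's caveats about them (spoofable MACs, the sheer number of OUIs a vendor like 3Com owns, and devices that never show up on the wire) are easy to see in a small script. The following is an added example, not code from the original thread or from any of the tools named in it. It parses `arp -a` / `ip neigh` style output, flags entries whose OUI is in a vendor table, and then corroborates those hits with a second, independent list of hosts (standing in for nmap fingerprint matches). The OUI table and the sample ARP dump are constructed for illustration; a real run should load the IEEE OUI registry (`oui.txt`) and your own vendor-to-product mapping.

```python
"""Wire-side rogue-AP triage: OUI matching over an ARP-cache dump, corroborated
with a second signal (e.g. an nmap fingerprint match). Added example; not from
the original post or from any tool mentioned in the thread."""
import re
from typing import Dict, Iterable, List, Tuple

# One IPv4 address followed, somewhere on the same line, by a MAC in colon or
# hyphen notation. Covers Linux `arp -a`, `ip neigh`, and Windows `arp -a`.
_LINE_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})"
)

# CONSTRUCTED table for illustration. Real deployments load the IEEE OUI
# registry; note a vendor OUI identifies the NIC maker, not "an AP", and a
# vendor may own dozens of prefixes (Ron's 3Com point), so keep it data-driven.
AP_VENDOR_OUIS: Dict[str, str] = {
    "00:01:02": "3Com (illustrative entry; verify against the IEEE registry)",
    "aa:bb:cc": "ExampleWireless (placeholder vendor)",
}


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so both notations compare equal."""
    return mac.lower().replace("-", ":")


def oui_of(mac: str) -> str:
    """First three octets (the vendor-assigned prefix)."""
    return normalize_mac(mac)[:8]


def parse_arp_dump(text: str) -> List[Tuple[str, str]]:
    """Extract (ip, mac) pairs from an ARP/neighbour table dump."""
    pairs = []
    for line in text.splitlines():
        m = _LINE_RE.search(line)
        if m:
            pairs.append((m.group("ip"), normalize_mac(m.group("mac"))))
    return pairs


def oui_candidates(pairs: Iterable[Tuple[str, str]],
                   table: Dict[str, str] = AP_VENDOR_OUIS) -> Dict[str, str]:
    """IP -> vendor for entries whose OUI is in the AP-vendor table."""
    return {ip: table[oui_of(mac)] for ip, mac in pairs if oui_of(mac) in table}


def corroborate(oui_hits: Dict[str, str],
                fingerprint_hits: Iterable[str]) -> Dict[str, str]:
    """Combine the two wire-side signals into a per-host verdict.

    confirmed        both the OUI and the fingerprint list name the host
    oui-only         vendor prefix alone (weak: could be a NIC, and spoofable)
    fingerprint-only fingerprint alone (OUI unknown, or MAC changed)
    Hosts that never touch the wire (Ron's 'just sniffing' APs) appear in
    neither list, which is why the radio-side scan is still needed.
    """
    fp = set(fingerprint_hits)
    verdict: Dict[str, str] = {}
    for ip in set(oui_hits) | fp:
        if ip in oui_hits and ip in fp:
            verdict[ip] = "confirmed"
        elif ip in oui_hits:
            verdict[ip] = "oui-only"
        else:
            verdict[ip] = "fingerprint-only"
    return verdict


# CONSTRUCTED sample dump mixing Linux arp, ip neigh and Windows arp formats.
SAMPLE_ARP = """\
? (10.0.0.5) at 00:01:02:4a:5b:6c [ether] on eth0
10.0.0.9 dev eth0 lladdr aa-bb-cc-00-11-22 REACHABLE
  10.0.0.12          00-0c-29-11-22-33     dynamic
10.0.0.20 dev eth0 lladdr de:ad:be:ef:00:01 STALE
"""
# CONSTRUCTED stand-in for hosts whose nmap fingerprint matched an AP profile.
SAMPLE_FINGERPRINT_HITS = ["10.0.0.5", "10.0.0.20"]


if __name__ == "__main__":
    pairs = parse_arp_dump(SAMPLE_ARP)
    hits = oui_candidates(pairs)
    for ip, verdict in sorted(corroborate(hits, SAMPLE_FINGERPRINT_HITS).items()):
        print(f"{ip:<12} {verdict:<17} {hits.get(ip, '')}")
```

The verdict column is the "second opinion" from the thread: a host flagged by both methods is worth a site visit first, an OUI-only hit needs a closer look before anyone calls it an AP, and a fingerprint-only hit is exactly the case a changed MAC produces. Neither list will ever contain a device that is only transmitting, which is the gap the iPAQ walk-around fills.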

This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service.
