Re: Wireless Lans give EVERYONE ACCESS
From: diphen@agitation.net
Date: 08/07/01
- Previous message: Russell Handorf: "Wireless Lans give EVERYONE ACCESS"
- In reply to: Russell Handorf: "Wireless Lans give EVERYONE ACCESS"
- Next in thread: Russell Handorf: "Re: Wireless Lans give EVERYONE ACCESS"
From: diphen@agitation.net
Date: Mon, 6 Aug 2001 16:46:38 -0700
To: Russell Handorf <rhandorf@mail.russells-world.com>
Subject: Re: Wireless Lans give EVERYONE ACCESS
Message-ID: <20010806164638.B79695@zeus.agitation.net>

Perhaps I'm on crack, but I've never encountered a MAC address of the
format "127.0.0.1". That is typically known as an IP address. A MAC
address is the physical ethernet address of the card. It typically has a
format like:
ether 00:d0:09:1e:be:04
While some cards allow you to change the MAC address, and this is
certainly a problem for networks which use MAC-based authentication, I
don't think that's what you were doing.
-gabe
On Mon, Aug 0 , 2001 at 05:21:08PM -0400, Russell Handorf wrote:
> Traditional authentication with wireless LANs consists of the following
> simplified procedure:
> 1). Wireless nic asks for an IP
> 2). Base station checks to see if the MAC Address can be passed.
> 3). If the authentication is successful then the DHCP server leases an IP
> to the Wireless nic.
>
> Today, I have circumvented the MAC Address authentication method, and had
> also sniffed successfully on a switched network with wireless stations on
> it without authentication into the network.
>
> For sniffing onto a wireless network without a registered MAC Address AND
> using WEP Encryption Methods:
> 1). Set the MAC Address of the card to 127.0.0.1 and the Netmask to 255.255.0.0
> 2). The card takes care of the rest. Just sit back and listen to the sounds
> of the network (NOTE: There will NOT be any DNS RESOLVING and quite
> possibly NO IPs will show up, only the computers' MAC Addresses) (Double
> NOTE: All you need is another machine's MAC Address to start a
> Man-in-the-Middle).
>
> For Getting an IP Address for Internet Connectivity:
> First Method requires that you have already sniffed on the network for an
> extended amount of time. Needed information is the IP Ranges, Netmask, and
> Gateway of the Lan. All of this can be acquired through HUNT. All you do is
> sift through the data generated, find an IP that hasn't sent any traffic,
> take it and configure the other things (such as Netmask and Gateway manually).
>
> Second method requires you to have physical access to the lan. Take a
> hardwired nic and spoof its MAC Address to that of the wireless nic's
> address. Run a command like 'pump,' swap cards and you should be on the
> network.
>
> The following instructions were executed on a Dell laptop with Redhat 7.0.
> The Ethernet card that was used is a Xircom 10/100 56k Combo thingy and the
> wireless lan card is a Lucent Technologies Wavelan Gold Turbo 128RC4.
>
> The base stations that these were tested on are a D-Link 1000AP, Orinoco
> AP-1000 Access Point, Orinoco COR-1100, and Cisco Aironet 350 Series.
>
> Will someone else please confirm that this is successful?
>
>
> Thanks
>
> Russ
> ==================================
> Russell Handorf
> oooo, shiney ::Wanders after it::
>
> www.russells-world.com
> www.inside-aol.com
> www.terrorists.net
> www.bad-mother-fucker.org
> www.philly2600.net
>
> "Computer games don't affect kids, I mean if Pacman affected us as kids,
> we'd all be running around in darkened rooms, munching pills and listening
> to repetitive music." ~unknown
> ==================================
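
As an added example (not part of the original messages): a defender-side audit for the two situations this thread discusses, a station using an IP address with no DHCP lease on record, and one MAC address showing up on more than one port. The record layout, IP addresses, port names and every MAC other than the one quoted in the reply are constructed assumptions.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)

def classify(addr):
    """Return 'mac', 'ipv4' or 'unknown' for an address string."""
    if MAC_RE.match(addr):
        return "mac"
    try:
        ipaddress.IPv4Address(addr)
        return "ipv4"
    except ValueError:
        return "unknown"

# Constructed sample data: ip -> MAC the DHCP server leased it to.
DHCP_LEASES = {
    "10.0.0.21": "00:d0:09:1e:be:04",   # MAC format quoted in the reply
    "10.0.0.22": "02:00:00:aa:bb:01",
}
# Constructed (ip, mac, port) sightings, e.g. ARP table joined with AP/switch tables.
OBSERVED = [
    ("10.0.0.21", "00:d0:09:1e:be:04", "ap1"),
    ("10.0.0.22", "02:00:00:aa:bb:01", "ap1"),
    ("10.0.0.22", "02:00:00:aa:bb:01", "sw1/7"),  # same MAC also on a wired port
    ("10.0.0.57", "02:00:00:cc:dd:02", "ap1"),    # address in use, no lease on record
]

def audit(leases, observed):
    """Flag sightings that a MAC filter alone would not catch."""
    findings, ports_by_mac = [], {}
    for ip, mac, port in observed:
        mac = mac.lower()
        if classify(mac) != "mac" or classify(ip) != "ipv4":
            findings.append(("malformed", ip, mac))
            continue
        leased_to = leases.get(ip)
        if leased_to is None:
            findings.append(("no-lease", ip, mac))
        elif leased_to.lower() != mac:
            findings.append(("lease-mismatch", ip, mac))
        ports_by_mac.setdefault(mac, set()).add(port)
    for mac, ports in sorted(ports_by_mac.items()):
        if len(ports) > 1:
            findings.append(("mac-on-multiple-ports", mac, tuple(sorted(ports))))
    return findings

if __name__ == "__main__":
    for finding in audit(DHCP_LEASES, OBSERVED):
        print(finding)
```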