I sent a message to the guys that developed AirSnort asking about how easy it would be to get the MAC address from the transmitted data using a monitor like AirSnort. Here is the mail that I sent them with their response.
Virtually,
MarC Eiler

---cut here---

> Does AirSnort monitor the MAC addresses of the traffic that is being
> transmitted? When you figure out what the encryption password is, at that
> time can you find out what MAC addresses are being used?
> The reason why I ask is that I've been in a discussion on a
> SecurityFocus.com mail thread about wireless network security and we were
> wondering if a MAC address could be discovered using this software.
> Assuming that the admin locked down the wireless LAN by adding in the valid
> MAC addresses into the transceivers, this could be bad if somebody was able
> to find out a valid MAC address and then program a wireless card with the
> same address, thus being able to authenticate themselves with the
> information that they were able to observe using AirSnort. How realistic do
> you think this would be? Thanks, in advance, for your help.
>
> Virtually,
> MarC Eiler
>

AirSnort as it stands ignores the MAC address, but it is in the packet data, and it's not even encrypted, thus with three lines of code one could gather the MAC addresses. Other programs currently do gather this info. In fact, the new 0.2.0 version may actually do it as well. So yes, with AirSnort, one could get the WEP key and using stumbler or prismdump or the new AirSnort one could get a valid MAC address, and actually join a 'secure' network. In fact, the MAC address part is very easy in comparison to the difficulty of the WEP cracking, which takes monitoring the systems for quite a while. Still, it's very reasonable in practice if one can find a place to stick a machine with an antenna on your target for a day or two.

-Jeremy Bruestle
[EMAIL PROTECTED]

---cut here---

-----Original Message-----
From: Trevor [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 05, 2002 8:58 AM
To: [EMAIL PROTECTED]; Marc Eiler (Volt); Hornat, Charles; [EMAIL PROTECTED]
Subject: Re: detecting wireless access points

Even if you had your setup as an AdHoc system running VPN over it?

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "Trevor S" <[EMAIL PROTECTED]>; "Marc Eiler (Volt)" <[EMAIL PROTECTED]>; "Hornat, Charles" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, March 05, 2002 4:02 AM
Subject: RE: detecting wireless access points

> Yes, they do.
>
> D. Weiss
> MCSE/CCNA/SSP2
>
>
> -----Original Message-----
> From: Trevor S [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 04, 2002 5:28 AM
> To: Marc Eiler (Volt); Hornat, Charles;
> [EMAIL PROTECTED]
> Subject: Re: detecting wireless access points
>
>
> Do sniffers like AirSnort detect the MAC addresses of the devices that are
> being used?
>
> On Thursday 28 February 2002 04:36 pm, Marc Eiler (Volt) wrote:
> > Depending on the brand of transceiver that you are using, you
> > may be able to add all of the MAC addresses of the access points that
> > you are using into the transceiver's DB. I used a Lucent WaveLAN
> > wireless network, and we were able to prevent anybody from connecting
> > unless we had entered the MAC address into our DB. I realize that this
> > doesn't address the question of "how do I discover if a rogue is
> > connected", but this information may be able to allow you to not to have
> > to worry about the need to detect rogue connections.
> >
> > Virtually,
> > MarC Eiler
> >
> > -----Original Message-----
> > From: Hornat, Charles [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, February 22, 2002 1:22 PM
> > To: [EMAIL PROTECTED]
> > Subject: detecting wireless access points
> >
> > What is the best method to discover rogue wireless access points on your
> > network? Other than the obvious, buy a laptop with a wireless card and
> > search theory. Is there a network tool that would detect a wireless
> > access point being plugged in?
> >
> > As a security administrator, I would like to have the ability to know if
> > a user has purchased an access point and plugged it into my network.
> >
> > Any thoughts are appreciated.
> >
> > mrcorp
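
Added example, not part of the original thread and not AirSnort's code: a parser run over a constructed 802.11 data frame, showing that the address fields sit in the MAC header outside the encrypted body even when the Protected bit is set, which is why a MAC allow-list identifies a station but does not authenticate it. The sample bytes and the function names are assumptions made for illustration.

```python
import struct

# Constructed sample frame (not captured traffic): 802.11 data frame with
# ToDS=1 and the Protected bit set. Addresses are made-up placeholders.
SAMPLE_FRAME = bytes.fromhex(
    "0841"              # frame control: type=data, ToDS, Protected
    "2c00"              # duration
    "020000aaaa01"      # addr1: BSSID (access point)
    "020000bbbb02"      # addr2: transmitting station
    "020000cccc03"      # addr3: final destination
    "1000"              # sequence control
    "deadbeefdeadbeef"  # filler standing in for the encrypted body
)

def fmt_mac(raw):
    """Format six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)

def parse_header(frame):
    """Return the cleartext MAC-header fields of a 3-address data frame."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 MAC header")
    fc, _dur, a1, a2, a3, _seq = struct.unpack("<HH6s6s6sH", frame[:24])
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    if to_ds and from_ds:
        raise ValueError("4-address (WDS) frames are not handled here")
    # The slot that holds each role depends on the ToDS/FromDS bits.
    if to_ds:
        bssid, src, dst = a1, a2, a3
    elif from_ds:
        dst, bssid, src = a1, a2, a3
    else:
        dst, src, bssid = a1, a2, a3
    return {
        "protected": bool(fc & 0x4000),  # body is encrypted, header is not
        "bssid": fmt_mac(bssid),
        "src": fmt_mac(src),
        "dst": fmt_mac(dst),
        "body_len": len(frame) - 24,     # only these bytes are encrypted
    }

if __name__ == "__main__":
    print(parse_header(SAMPLE_FRAME))
```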