On Fri, May 24, 2002 at 12:40:03PM -0700, Ford Chiang wrote:
> Does Kismet find networks that do not broadcast their SSID? if it doesn't
> then your numbers won't include networks that have secured themselves in
> this way. I recently bought a dlink DWL-900AP which is a clone of the
> WAP11. Using the Atmel SNMP util I turned off SSID broadcasting, turned on
> Netstumbler and didn't see my network listed. Basically you can't count
> what you don't see so you're assuming it's not there.
> I also used the MAC address filtering (yes, yes I know it's easy to fake
> but it raises the bar a little bit) which I don't know if it counts as
> security from your perspective.
> The number of DHCP leases I've allowed is also equal to the number of
> machines I have too.
> How would these measures count towards being protected? What's
> considered protected and what's not?

Kismet detects cloaked networks that have client traffic on them, so yes -
if there is any traffic on the network, it will be seen and counted.  
Obviously if it's a non-beaconing network that has no data traffic, it's not
putting anything into the airwaves and NOTHING is going to see it.  If you
run kismet in the vicinity of your AP while, say, browsing, it will be seen
just as well as if beaconing was enabled.

Kismet also uncloaks hidden SSIDs by watching for probe req/response pairs
of clients joining the network - so if someone reboots or re-associates due
to a weak signal while Kismet is in range, the SSID is exposed.  Check the
Kismet mailing list archives for an interesting discussion about several ways
to forcibly flood a network with noise, causing all the clients to lose their
link and issue a probe req.  (2.4GHz HERF gun being the most extreme, and a
microwave being relatively low tech, which doesn't address protocol-level
attacks like spoofing the MAC of the AP and telling the client to reconnect).

Personally, I'm fairly strongly opposed to SSID cloaking and non-beaconing
APs - not because it's worthless, but because too many people take it as the
be-all of protection, when all it gives is, in reality, a slight shield
from the casual observer but anyone who has any drive to get at the data
will do so.  It falls into the same category as turning off servers at 
night, in my mind - it narrows the window of attack to some degree, but it's
not going to save you.

As far as using MAC filtering and DHCP leases, I don't personally see that
as a large deterrent.  It's trivial to hijack a MAC and renew the lease as
that MAC, or to bypass DHCP entirely.

> I don't want to come across as harsh or critical but there have been a lot
> of the Netstumbler/wardriving style of surveying wireless network security
> but some of the assumptions made by these surveys have holes in them. You
> can add in usage of application level encryption, ipsec, or vpn as
> security measures that don't show up on these surveys. Are there that many
> networks that are insecure if we're to take these things into account? How
> many people have actually gone to the trouble of looking a little deeper
> than finding an SSID and checking for WEP in doing one of these surveys?

Kismet doesn't do VPN fingerprinting yet, but it's on the list of things to 
be implemented.  Examining the data stream for VPN headers should be fairly
trivial and will add some more accuracy to the encrypted/weak ratio.

A quick glance over the data logs from Kismet (which records the contents
of all the packets in the air, if you're not familiar with how it works)
shows that the majority of these networks ARE truly completely unprotected.

If you want an even more reliable gauge, look at the percentage of default
configurations.  If an installation didn't even bother to reconfigure the 
WAP off factory defaults, I HIGHLY doubt they're protected by any other means.
I've lost count of the number of WAP11s on broadband links with SNMP
enabled and a writeable community name of 'private' because nobody bothered
to reconfigure it.

So yes, while the statistics CAN be misleading because WEP isn't the only answer
out there, the number of un-wep'd VPN networks isn't, in my experience, high
enough to make a significant impact on the numbers, and since I'm only 
fingerprinting a fraction of the manufacturer default setups at the moment
and still seeing 25% total, I don't see that number going down any as the
monitoring tools advance.

-m

> 
> > Message: 3
> > Date: Thu, 23 May 2002 22:33:54 -0400
> > From: Mike Kershaw <[EMAIL PROTECTED]>
> > To: Apolinaras Sinkevicius <[EMAIL PROTECTED]>
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: [BAWUG] Open WLAN systems in Chicago. Found more than a 100 in less than 2 minute drive.
> >
> > A recent trip down the eastern side of manhattan with Kismet running yielded
> > approximately 300 networks, all visible from FDR drive alone.
> >
> > 23% were encrypted.
> >
> > 25% matched fingerprints of default configurations that had never been changed
> > before being installed.  This number is in reality much higher but I don't have
> > fingerprints for all of them.
> >
> > By far, the majority of wireless lan installations are STILL unprotected,
> > despite the number of articles and other press coverage.
> >
> > -m
> >
> > On Thu, May 23, 2002 at 07:23:19PM -0700, Apolinaras Sinkevicius wrote:
> > > I have deployed a WLAN in my office today, and since I
> > > was trying to test it with Netstumbler, I thought I
> > > will take the top down on my Jeep and also drive
> > > through Lake Shore Drive and see how many access
> > > points are wide open, to my surprise right around
> > > 3600 N. Lake Shore Drive Netstumbler just went NUTS!
> > > I am cancelling my cable internet service, putting a
> > > nice antenna in my highrise and I will have a CHOICE.
> > > Wow, think about it, all of us IT managers fight spam
> > > like crazy, but now anybody who has understanding of
> > > WLAN can just attach themselves to those AP's and spam
> > > spam spam.
> > > As they say, every good thing has a bad side to it.
> > >
> > > Apollo
> > >
> 
> 
> --
> general wireless list, a bawug thing <http://www.bawug.org/>
> [un]subscribe: http://lists.bawug.org/mailman/listinfo/wireless

-- 
Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum 
immane mittam. 

I have a catapult. Give me all your money, or I will fling an enormous 
rock at your head
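The two survey mechanics the reply above describes (uncloaking a hidden SSID from a probe response, and counting encrypted and default-configured APs) as an added example; this is not Kismet's code, and the frames, BSSIDs, SSIDs and fingerprint table are all constructed:

```python
# Added example, not Kismet code. Frames, BSSIDs, SSIDs and the fingerprint
# table are constructed; the OUI prefixes are not real vendor assignments.

# (frame_type, bssid, ssid, wep) as a sniffer might summarise each frame:
# one cloaked AP that a probe response exposes, one AP still on (made-up)
# factory defaults, one AP seen only through data traffic.
FRAMES = [
    ("beacon",     "00:11:22:aa:bb:01", "",           True),
    ("beacon",     "00:aa:bb:aa:bb:02", "default",    False),
    ("beacon",     "00:11:22:aa:bb:03", "corpnet",    True),
    ("probe_resp", "00:11:22:aa:bb:01", "hidden-lab", True),
    ("data",       "00:11:22:aa:bb:01", None,         None),
    ("data",       "00:cc:dd:aa:bb:04", None,         None),
]

# Hypothetical default-config fingerprints: (OUI prefix, factory SSID).
DEFAULT_FINGERPRINTS = {("00:aa:bb", "default")}


def survey(frames):
    """One record per BSSID, built the way the reply says Kismet does it."""
    aps = {}
    for ftype, bssid, ssid, wep in frames:
        ap = aps.setdefault(bssid, {"ssid": None, "cloaked": False,
                                    "wep": False, "traffic": False})
        if ftype == "beacon":
            ap["cloaked"] = ssid == ""      # empty SSID = cloaked beacon
            ap["wep"] = bool(wep)
            if ssid:
                ap["ssid"] = ssid
        elif ftype == "probe_resp":
            # Probe responses carry the real SSID, so a cloaked AP is exposed
            # as soon as a client (re)joins while the sniffer is in range.
            ap["ssid"] = ssid
            ap["wep"] = bool(wep)
        elif ftype == "data":
            ap["traffic"] = True            # non-beaconing AP, still counted
    return aps


def summarize(aps, fingerprints):
    """The survey ratios the thread argues about: encrypted, default config."""
    total = len(aps)
    encrypted = sum(1 for a in aps.values() if a["wep"])
    default = sum(1 for b, a in aps.items() if (b[:8], a["ssid"]) in fingerprints)
    exposed = sum(1 for a in aps.values() if a["cloaked"] and a["ssid"])
    unknown = sum(1 for a in aps.values() if a["ssid"] is None)
    return {"total": total, "encrypted_pct": round(100 * encrypted / max(total, 1)),
            "default_pct": round(100 * default / max(total, 1)),
            "cloaked_exposed": exposed, "ssid_unknown": unknown}
```

Running `summarize(survey(FRAMES), DEFAULT_FINGERPRINTS)` on the constructed capture counts four APs, of which the cloaked one is exposed by its probe response and the data-only one is counted with an unknown SSID.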