COMMAND

    Wireless Lans

SYSTEMS AFFECTED

    Wireless Lans

PROBLEM

    Russell Handorf posted the following.  Traditional authentication
    on wireless LANs consists of the following simplified procedure:
    1). The wireless NIC asks for an IP.
    2). The base station checks to see if the MAC address can be passed.
    3). If the authentication is successful, then the DHCP server
        leases an IP to the wireless NIC.

    For sniffing on a wireless network without a registered MAC
    address AND using WEP encryption methods:
    1). Set the IP address of the card to 127.0.0.1 and the netmask
        to 255.255.0.0.
    2). The card takes care of the rest.  Just sit back and listen to
        the sounds of the network (NOTE: there will NOT be any DNS
        RESOLVING, and quite possibly NO IPs will show up, only the
        computers' MAC addresses) (Double NOTE: all you need is
        another machine's MAC address to start a Man-in-the-Middle).

    The first method requires that you have already sniffed on the
    network for an extended amount of time.  The needed information is
    the IP ranges, netmask, and gateway of the LAN.  All of this can be
    acquired through HUNT.  All you do is sift through the data
    generated, find an IP that hasn't sent any traffic, take it, and
    configure the other things (such as netmask and gateway) manually.

    The second method requires you to have physical access to the LAN.
    Take a hardwired NIC and spoof its MAC address to that of the
    wireless NIC's address.  Run a command like 'pump', swap cards,
    and you should be on the network.

    The following instructions were executed on a Dell laptop with
    Redhat 7.0.  The Ethernet card that was used is a Xircom 10/100
    56k Combo thingy, and the wireless LAN card is a Lucent
    Technologies Wavelan Gold Turbo 128RC4.  The base stations that
    these were tested on are a D-Link 1000AP, Orinoco AP-1000 Access
    Point, Orinoco COR-1100, and Cisco Aironet 350 Series.
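    Both methods above leave a footprint a network monitor can pick up: the
    cloned MAC address shows up on the wired and the wireless segment at
    nearly the same time, and an idle IP address is suddenly sourced by a
    different MAC than before.  The following detector is an added example
    written for this advisory, not code from the original post; the ARP
    observation records and the 300-second window are constructed
    assumptions.

```python
"""Flag the two takeover patterns described above in ARP observations."""
from collections import defaultdict

# Constructed sample: (timestamp, segment, mac, ip) as a monitor would log
# ARP replies seen on the wired and wireless segments.
SAMPLE = [
    (100, "wireless", "00:02:2d:11:22:33", "10.0.0.5"),
    (110, "wired",    "00:02:2d:11:22:33", "10.0.0.5"),  # same MAC, wired side
    (120, "wireless", "00:02:2d:aa:bb:cc", "10.0.0.9"),
    (700, "wireless", "00:02:2d:de:ad:01", "10.0.0.9"),  # 10.0.0.9 taken over
]


def find_anomalies(events, window=300):
    """Return anomaly strings from (ts, segment, mac, ip) events.

    - 'dup-mac': one MAC seen on two segments within `window` seconds,
      the footprint of a wired NIC cloning a wireless NIC's address.
    - 'ip-takeover': an IP last sourced by one MAC is now sourced by another,
      the footprint of a quiet host's address being reused.
    """
    mac_seen = defaultdict(dict)  # mac -> {segment: last timestamp}
    ip_owner = {}                 # ip -> mac that last sourced it
    anomalies = []
    for ts, segment, mac, ip in sorted(events):
        for other_seg, other_ts in mac_seen[mac].items():
            if other_seg != segment and ts - other_ts <= window:
                anomalies.append(f"dup-mac {mac} on {other_seg} and {segment}")
        mac_seen[mac][segment] = ts
        if ip in ip_owner and ip_owner[ip] != mac:
            anomalies.append(f"ip-takeover {ip} {ip_owner[ip]} -> {mac}")
        ip_owner[ip] = mac
    return anomalies


if __name__ == "__main__":
    for line in find_anomalies(SAMPLE):
        print(line)
```

    Legitimate roaming between segments and DHCP lease churn will also
    trip these rules, so the output is a list to review against the
    DHCP server's lease table rather than an alert on its own.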

SOLUTION

    This point has been made repeatedly by the White-Hat (and other)
    communities.  Wireless LANs are totally public.  Furthermore, most
    people don't even use WEP!  So everything is cleartext.  There
    was a great presentation at DefCon about hacking wireless
    networks.  There are something like 40 accessible WAPs (wireless
    access points) from the corner of First and Market in SF.
    (That's the financial district, for those not in the Bay Area.)
    Only 40% of all WAPs were running WEP, and of those running WEP
    only 15% were actually secure (running IPSEC or some other
    variant).

    Use a VPN for authentication.  We would go a step further and say
    to use IPSEC between machines and the VPN server, as WEP has been
    proven insecure.

    Here is a  nice article on  Cisco's solution to  secure your WLAN.
    It was written in July and is very informative:

        http://www.cisco.com/warp/public/784/packet/jul01/p74-cover.html