|
|
|||||||
| Register | Search | Today's Posts | Mark Forums Read |
 |
|
|
LinkBack | Thread Tools | Display Modes |
08-12-2001
|
#1 (permalink) |
|
Posts: n/a
|
"Closed" AP security
I just checked my own AP and found it is a "closed" AP, i.e. it doesn't respond to the broadcast probes that Net Stumbler sends out.
So obviously there is no way to find my AP using Net Stumbler. Are there other known ways to find my AP (without knowing the exact SSID)? Or does this security feature make me reasonably safe from attacks? |
|
|
08-13-2001
|
#3 (permalink) |
|
Posts: n/a
|
Yes, I'm sure...
My 3Com AirConnect AP has a setting called "Accept Broadcast Wireless LAN Service Area" which I have set to "Disabled".
In this mode, Net Stumbler does not find the AP. If the option is set to "Enabled", Net Stumbler finds and lists the AP. My question is now if this makes me reasonably safe or if there are other ways of detecting WLAN traffic. |
|
|
|
08-13-2001
|
#4 (permalink) |
|
Posts: n/a
|
Beacons...
The feature you describe is mostly referred to as "Beacons". The way I understand it is, the AP sends out beacons to announce its presence... this allows cards such as Lucent, to be set in SSID "ANY" mode so it will grab the nearest it can find. Turning off beacons on the AP, is commonly referred to "CLosed Wireless System" or something similar. I turn off beacons on all my AP's, to prevent guys like me from finding them. :-) I also tried discovering useful info from my AP's while beaconing is off... and failed. It appears that my card won't pass packets to the laptop unless it feels that it is associated with an AP... and without my SSID it sits in "duh, I'm searching and/or out of range" mode... Perhaps someone knows how to make the thing pass all radio packets it receives even without even being associated with an AP...
|
|
|
|
09-11-2001
|
#5 (permalink) |
|
Posts: n/a
|
You're not safe for long...
Yes, your network is safe from people using NetStumbler. But people with Linux can get wlantools, which includes a handy tool called wlanwatch.
http://www.sublimation.org/security/localarchive/802.11/ It shows all frames coming from your AP. And your ESSID is *not* hidden there. The only problem is that wlantools does *not* scan all channels, so i had to write a little script that cycles through them. i need to figure out how to get the channel, timestamp, and maybe even GPS info into the log, and to eliminate some of the extra stuff that i don't need. (wlanwatch actually dumps out a *lot* of info, as it puts your wireless card into "promiscuous" mode, where it listens to everything.) BTW, it doesn't work with the Lucent/Orinoco/Agere Wavelan cards. It works with cards that use the Prism2 chipset, like the Linksys, SMC, D-Link, Compaq, and more. |
|
|
|
09-13-2001
|
#6 (permalink) |
|
Posts: n/a
|
I'm not setup to test with Linux yet, can you please post a cutting from a packet where the ESSID of a "closed" network is diplayed? I've been working with Airopeek and one manufacture's AP. This AP operates as a closed network by default, and when I look at the 802.11b packets in Airopeek I cannot see the ESSID.
|
|
|
|
09-15-2001
|
#7 (permalink) |
|
Posts: n/a
|
Here's what I've found
Beacons and probe broadcasts are actually somewhat different.
All APs must send out beacons, otherwise their clients don't know how to do collision avoidance. However an AP in closed mode may send out beacons with the SSID modified slightly - the Lucent ones replace the real one with a single space, the Cisco ones replace it with as many nulls as there were characters in the original. Most other manufacturers seem to still send out the original SSID. The thing that stops NS from seeing them is that they don't respond to broadcast probes. I'm working on getting the beacon packets so that NS can display what it sees there too - if I can get it to work then we can stop sending out probes, and NS can run passively. |
|
|
Linear Mode
