This was mentioned off the cuff at defcon, just quering to see if its still true

09-09-2001

there was discussion that when scanning with netstumbler, it is sending out a very static preamble message when trying to detect the AP beacon signals.

somthing like:

SCANNING WITH NETSTUMBLER VER x.x.x

it was said that those sniffing the air, could pick up this traffic when in vegas and know that someone was scanning with nestumbler in the area.

any of you guys that are sniffing activly onw, can you confirm this?

it was rumoured a russian hacker had removed this, and had thus 'stealthed' his netstumbler scanning exploits. However im thinkig you would have had to get the source to do this and since the source isnt known, how could it happen?

A keen admin could setup a wireless workstation to pick up these types of transmissions just to see how many drive by's they were having....

would prove to be quite interesting i think.

09-09-2001

Couldn't you check or remove said text using a hex editor? Shouldn't be holy difficult to check for. I would do it, but I don't have a hex editor and well, I hate downloading sh*t.

Anyone else think it would be slick to have a 4 sale forum on here for people to trade hardware? I can imagine that there's gotta be a few elite antenna builders out there willing to trade their pringle cans for cash...

09-09-2001

Not sure about the hex editor, that may be the clue!

as for the pringle cans for cash, funny you should mention that, i got a friend who has several.... he just doesnt stop bulding them!!

bring him a pringle can and in about 20 mins he'll have you a working antenna.

interesting note on that, i have the hyperlinktech 14db 3 foot enclosed yaggi antenna, and his lil pringle cans are about 70% as effective!! probably around 10db of gain on it!

amazing stuff really. and all under 10 bucks worth of supplies!

09-09-2001

That's way cool. I just registered wirelesstrader.net and I'm going to put a bulletin board on there for buying/selling/trading wireless equipment. I personally don't like having to scour all of the various boards searching for wireless equipment, would be nice if there was one place to go. I'll have the page up as soon as the registration goes through. I'll let you all know when that is. I'll put up a link in the hardware section too.

09-10-2001

The source does not have to be known in ordre to remove the preamble, if a hex-editor doesn't work, sice or windbg might work also...

stou

09-10-2001

I got off my lazy ass, downloaded a hex editor and didn't find any questionable scanning strings. So I don't believe that it sends out that string... Perhaps earlier revisions had that string, but .3 does not, from what I can tell.

09-11-2001

If you have version 0.3.22 or later, you can disable this feature by unchecking the "Options -> Get AP Names" menu item.

When NS is sending these packets out, it is hoping for a response from the AP. Version 0.3.22 only sends out a limited number of these, and doesn't bother on APs from manufacturers that are known not to work (eg Cisco).

I know those guys (they were German, not Russian, I heard) wanted to prove how l33t they were, but they never bothered to ask me about it. When I want to change how NS works, I don't have to use a disassembler and hex editor, so it takes me a lot less time :-)

09-09-2001	#1 (permalink)
Posts: n/a	This was mentioned off the cuff at defcon, just quering to see if its still true there was discussion that when scanning with netstumbler, it is sending out a very static preamble message when trying to detect the AP beacon signals. somthing like: SCANNING WITH NETSTUMBLER VER x.x.x it was said that those sniffing the air, could pick up this traffic when in vegas and know that someone was scanning with nestumbler in the area. any of you guys that are sniffing activly onw, can you confirm this? it was rumoured a russian hacker had removed this, and had thus 'stealthed' his netstumbler scanning exploits. However im thinkig you would have had to get the source to do this and since the source isnt known, how could it happen? A keen admin could setup a wireless workstation to pick up these types of transmissions just to see how many drive by's they were having.... would prove to be quite interesting i think.

09-09-2001	#2 (permalink)
Posts: n/a	... Couldn't you check or remove said text using a hex editor? Shouldn't be holy difficult to check for. I would do it, but I don't have a hex editor and well, I hate downloading sh*t. Anyone else think it would be slick to have a 4 sale forum on here for people to trade hardware? I can imagine that there's gotta be a few elite antenna builders out there willing to trade their pringle cans for cash...

09-09-2001	#4 (permalink)
Posts: n/a	New portal. That's way cool. I just registered wirelesstrader.net and I'm going to put a bulletin board on there for buying/selling/trading wireless equipment. I personally don't like having to scour all of the various boards searching for wireless equipment, would be nice if there was one place to go. I'll have the page up as soon as the registration goes through. I'll let you all know when that is. I'll put up a link in the hardware section too.

09-10-2001	#6 (permalink)
Posts: n/a	Ok, ok. I got off my lazy ass, downloaded a hex editor and didn't find any questionable scanning strings. So I don't believe that it sends out that string... Perhaps earlier revisions had that string, but .3 does not, from what I can tell.

09-11-2001	#7 (permalink)
Posts: n/a	Here's what you need to know about this If you have version 0.3.22 or later, you can disable this feature by unchecking the "Options -> Get AP Names" menu item. When NS is sending these packets out, it is hoping for a response from the AP. Version 0.3.22 only sends out a limited number of these, and doesn't bother on APs from manufacturers that are known not to work (eg Cisco). I know those guys (they were German, not Russian, I heard) wanted to prove how l33t they were, but they never bothered to ask me about it. When I want to change how NS works, I don't have to use a disassembler and hex editor, so it takes me a lot less time :-)

09-09-2001	#3 (permalink)
Posts: n/a	Not sure about the hex editor, that may be the clue! as for the pringle cans for cash, funny you should mention that, i got a friend who has several.... he just doesnt stop bulding them!! bring him a pringle can and in about 20 mins he'll have you a working antenna. interesting note on that, i have the hyperlinktech 14db 3 foot enclosed yaggi antenna, and his lil pringle cans are about 70% as effective!! probably around 10db of gain on it! amazing stuff really. and all under 10 bucks worth of supplies!

09-10-2001	#5 (permalink)
Posts: n/a	The source does not have to be known in ordre to remove the preamble, if a hex-editor doesn't work, sice or windbg might work also... stou

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode