AirSnare v. 0.5.7 is out. - Page 2

DigitalMDX · 09-10-2002

Quote:

Originally posted by Grey Wolf
...Hmm Jay it seems to me, that it would be nice to start up AirSnare, and have the ability to add the MAC address it finds to the friendly list. ...

I like it... good idea... sort of an auto-add/config to build your friendly MAC list...
-Jay

WitchDr · 09-11-2002

My plan is to set up my Lucent RG in the office connected to nothing(or maybe a honeypot 2K server). The problem is that if an auditor were to discover the AP, they may not dig. That means some idiot would write in his audit findings that an AP was discovered on our floor, etc. Most of the auditors out there are the big 5 types who usually staff the teams with some kids fresh out of college and a month of school. They know enough to get by and that's about it. I've yet to come across an auditor that was really thorough(and we get audited a lot).

It's a pretty neat proggie though

Grey Wolf · 09-12-2002

Quote:

Originally posted by WitchDr
My plan is to set up my Lucent RG in the office connected to nothing(or maybe a honeypot 2K server). The problem is that if an auditor were to discover the AP, they may not dig. That means some idiot would write in his audit findings that an AP was discovered on our floor, etc. Most of the auditors out there are the big 5 types who usually staff the teams with some kids fresh out of college and a month of school. They know enough to get by and that's about it. I've yet to come across an auditor that was really thorough(and we get audited a lot).

It's a pretty neat proggie though

Ok this may only show how dumb I am, but I've got to ask this. If you setup an RG, without connecting it to anything, or to a honeypot. I would think that they should report it, but if it was not connected to any thing, that should also be reported to. Shouldn't it? I've never seen a security audit, but if they are willing to pay some one to rome around your building who doesn't know more than how to run netstumbler. Can you send me an employment form?

Please. Or is it a case of the people getting the report, not understanding what they are getting?

I think if I was paying for an audit, I would have something like an unconnected RG setup some where as a test for the audit company, just to see how they report it. I would not have much faith in a company that couldn't tell an unconnected RG, from one connected to my network. But then that just might show how dumb I am, or howmuch I want.

Grey

WitchDr · 09-12-2002

You don't know these types. They report raw findings as "fact". So their Big5 training manual may say to walk around the floor with Netstumbler...if the signal is yellow or green, it's on that floor. Mark as a hit.

We just got hit because we couldn't prove that people in my group were A) qualified and B) certified. Now, I have 2 certs sitting on the wall at my cube so they probably went to HR and pulled my file which has basically nothing (well...let's hope so anyway

They didn't ask anyone for records of certification, etc. so we're not sure how they marked it as a hit. My fear is that we'll see a hit "Wireless AP detected on floor" and that'll be the end of it.

We did hire a firm 2 years ago that did a through pen-test...and they did a really good job (too good in fact

systemd0wn · 09-12-2002

aight, i took some time tonight to play around with airsnare v0.5.8
and 1 thing that may be in the works but i was curiouse about would be to Clear the list (or 1 @ a time) of the Detected Possible Unfriendly MAC's.

2. I click "tracking --> Ethereal" and when it opens its Comes with an error:
"The capture session could not be initiated (Error opening adapter: The system cannot find the file specified).
Please check that you have the proper interface specified.

Note that the driver Etherreal uses for packet capture on Windows
doesnt support capturing on PPP/WAN interfaces in Windows NT/2000"

i already had this installed so nothing ive reconfigured would mess this up would it? i dont see why? ANYWAY, its a nice product and cant wait to get my laptop so i can keep messing with this stuff

Great work!

I cant realy think of anything else @ the moment, but the more i work with it the more ill think of things im sure

DigitalMDX · 09-20-2002

An updated version of AirSnare is out now.
New in version 0.5.9:
* Reduces the amount of duplicate data in the watch window.
* Double clicking an entry in the watch window will open a browser and check for a webpage at that IP address (note: It goes to the IP not the specific site).
* Saves and loads startup settings via AirSnare.ini file.
* Option to clear unfriendly MAC list from menu selection.
* Auto saves the watch list at midnight.
* Writes unfriendly MAC list out to Auto_trustedMAC.txt to be edited into "trustedMAC.txt" to speedup adding your MAC addresses.

The AirSnare download page

Thanks,
Jay

davepc · 09-29-2002

I cannot get 0.5.9 to run. gives me an error....
"run-time error 62 - input past end of file"

Can run 0.5.7 and 0.5.8 succesfully.

Any clues?

-dave

DigitalMDX · 09-29-2002

Quote:

Originally posted by davepc
I cannot get 0.5.9 to run. gives me an error....
"run-time error 62 - input past end of file"
Can run 0.5.7 and 0.5.8 succesfully. Any clues? -dave

My guess would be the INI file. Let me look at the code and I'll get back to you. Thanks for the information.
-Jay

DigitalMDX · 09-29-2002

It looks like it would be the INI file causing that error. Here is what the "airsnare.ini" file should look like:

0 Hide MAC List
1 Scan MAC Traffic
1 Scan TCP Traffic
1 Scan UDP Traffic
1 Play WAV Alert
1 Track with AirSnare

Let me know if this fixes your problem or if you are still having a problem. I might have you e-mail me some more information. Thanks again,
Jay

Another thought. Rename your airsnare.ini file to airsnare.nin (or something) and run AirSnare. AirSnare should rebuild you a default airsnare.ini file. - Thanks.

Grey Wolf · 09-29-2002

Quote:

Originally posted by DigitalMDX
It looks like it would be the INI file causing that error. Here is what the "airsnare.ini" file should look like:

0 Hide MAC List
1 Scan MAC Traffic
1 Scan TCP Traffic
1 Scan UDP Traffic
1 Play WAV Alert
1 Track with AirSnare

Let me know if this fixes your problem or if you are still having a problem. I might have you e-mail me some more information. Thanks again,
Jay

Another thought. Rename your airsnare.ini file to airsnare.nin (or something) and run AirSnare. AirSnare should rebuild you a default airsnare.ini file. - Thanks.

Seems that when AirSnare V0.5.9 creates an ini file it is not creating the "1 Play WAV Alert" line. So the default file it creates causes this problem.

Grey

DigitalMDX · 09-29-2002

Quote:

Originally posted by Grey Wolf
Seems that when AirSnare V0.5.9 creates an ini file it is not creating the "1 Play WAV Alert" line. So the default file it creates causes this problem. Grey

Dang typos... Yes! You are correct Grey! Thank you very much!
It is fixed in version 0.6.0. That is the only enhancment to this version. Thanks guys!

The AirSnare Download Page

Grey Wolf · 09-29-2002

Jay I have enable DHCP logging, (It's really nice in this version by the way). I've got a question or two for you, should all DHCP request show up in the unfriendly MAC watch window? Src is Source? Great job as usual by the way. Any chance NSSpyGlass will get some of these updates?

Thanks
Grey

DigitalMDX · 09-29-2002

Quote:

Originally posted by Grey Wolf
I've got a question or two for you, should all DHCP request show up in the unfriendly MAC watch window? Src is Source? Great job as usual by the way. Any chance NSSpyGlass will get some of these updates? Thanks Grey

Think of the "watch" window as just that, it watches (or shows) everything. I have the seperate DHCP window to show just DHCP activity. If your tracking a MAC in the "watch" window, it's easy to miss a DHCP request as it goes by, so that is why there is a seperate window for that.
Src is Source, yes.
I don't have any plans to update NSSpyglass with any of these. However I do plan on adding your request of launching a program on an alarm, like in NSSpyglass. Thanks again for your input.
-Jay

gmiller220 · 09-29-2002

I can't seem to download the update file (0.6.0) I get the following message:

Forbidden
Your client is not allowed to access the requested object.

Do I need special permission?

DigitalMDX · 09-29-2002

Quote:

Originally posted by gmiller220
I can't seem to download the update file (0.6.0) I get the following message: Forbidden Your client is not allowed to access the requested object. Do I need special permission?

hmmmm.... you got me... The site is sitting on ATTBI's personal web pages site. Perahps ATTBI is holding a grudge against your ISP???
If you want to private message me your e-mail, I can e-mail you the exe file. Its around 100K in size.

Thanks,
Jay

09-12-2002	#20 (permalink)
systemd0wn Probematic Stumbler Join Date: Apr 2002 Location: Illinois Posts: 153	nice program aight, i took some time tonight to play around with airsnare v0.5.8 and 1 thing that may be in the works but i was curiouse about would be to Clear the list (or 1 @ a time) of the Detected Possible Unfriendly MAC's. 2. I click "tracking --> Ethereal" and when it opens its Comes with an error: "The capture session could not be initiated (Error opening adapter: The system cannot find the file specified). Please check that you have the proper interface specified. Note that the driver Etherreal uses for packet capture on Windows doesnt support capturing on PPP/WAN interfaces in Windows NT/2000" i already had this installed so nothing ive reconfigured would mess this up would it? i dont see why? ANYWAY, its a nice product and cant wait to get my laptop so i can keep messing with this stuff Great work! I cant realy think of anything else @ the moment, but the more i work with it the more ill think of things im sure __________________ Systemd0wn '311 Transistor, its a lightning resistor'

09-20-2002	#21 (permalink)
DigitalMDX Digital Stumbler Join Date: Jul 2002 Location: Pacific Northwest Posts: 236	Version 0.5.9 is out An updated version of AirSnare is out now. New in version 0.5.9: * Reduces the amount of duplicate data in the watch window. * Double clicking an entry in the watch window will open a browser and check for a webpage at that IP address (note: It goes to the IP not the specific site). * Saves and loads startup settings via AirSnare.ini file. * Option to clear unfriendly MAC list from menu selection. * Auto saves the watch list at midnight. * Writes unfriendly MAC list out to Auto_trustedMAC.txt to be edited into "trustedMAC.txt" to speedup adding your MAC addresses. The AirSnare download page Thanks, Jay

09-29-2002	#22 (permalink)
davepc "the LanBurgler?" Join Date: Jun 2002 Location: Southeastern MA / RI area Posts: 98	0.5.9 error? I cannot get 0.5.9 to run. gives me an error.... "run-time error 62 - input past end of file" Can run 0.5.7 and 0.5.8 succesfully. Any clues? -dave

09-29-2002	#27 (permalink)
Grey Wolf Registered Member Join Date: Apr 2002 Location: Cincinnati, Ohio Posts: 345	Jay I have enable DHCP logging, (It's really nice in this version by the way). I've got a question or two for you, should all DHCP request show up in the unfriendly MAC watch window? Src is Source? Great job as usual by the way. Any chance NSSpyGlass will get some of these updates? Thanks Grey __________________ ~the packets are out there~ waiting....

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

09-11-2002	#17 (permalink)
WitchDr Registered Member Join Date: Apr 2002 Posts: 46	My plan is to set up my Lucent RG in the office connected to nothing(or maybe a honeypot 2K server). The problem is that if an auditor were to discover the AP, they may not dig. That means some idiot would write in his audit findings that an AP was discovered on our floor, etc. Most of the auditors out there are the big 5 types who usually staff the teams with some kids fresh out of college and a month of school. They know enough to get by and that's about it. I've yet to come across an auditor that was really thorough(and we get audited a lot). It's a pretty neat proggie though

09-12-2002	#19 (permalink)
WitchDr Registered Member Join Date: Apr 2002 Posts: 46	You don't know these types. They report raw findings as "fact". So their Big5 training manual may say to walk around the floor with Netstumbler...if the signal is yellow or green, it's on that floor. Mark as a hit. We just got hit because we couldn't prove that people in my group were A) qualified and B) certified. Now, I have 2 certs sitting on the wall at my cube so they probably went to HR and pulled my file which has basically nothing (well...let's hope so anyway They didn't ask anyone for records of certification, etc. so we're not sure how they marked it as a hit. My fear is that we'll see a hit "Wireless AP detected on floor" and that'll be the end of it. We did hire a firm 2 years ago that did a through pen-test...and they did a really good job (too good in fact

09-29-2002	#24 (permalink)
DigitalMDX Digital Stumbler Join Date: Jul 2002 Location: Pacific Northwest Posts: 236	It looks like it would be the INI file causing that error. Here is what the "airsnare.ini" file should look like: 0 Hide MAC List 1 Scan MAC Traffic 1 Scan TCP Traffic 1 Scan UDP Traffic 1 Play WAV Alert 1 Track with AirSnare Let me know if this fixes your problem or if you are still having a problem. I might have you e-mail me some more information. Thanks again, Jay Another thought. Rename your airsnare.ini file to airsnare.nin (or something) and run AirSnare. AirSnare should rebuild you a default airsnare.ini file. - Thanks.

09-29-2002	#29 (permalink)
gmiller220 People are dumb Join Date: Aug 2002 Posts: 466	I can't seem to download the update file (0.6.0) I get the following message: Forbidden Your client is not allowed to access the requested object. Do I need special permission?