[kismac] Re: weak IVs
- From: Lasse Jespersen <l.j@xxxxx>
- To: kismac@xxxxxxxxxxxxx
- Date: Mon, 12 Jul 2004 21:33:59 +0200
It was all the weak packets in a relatively idle network with some 10
clients, over the course of approx 24 hours, kismac version 0.12a.
On 12. jul 2004, at 16:50, Brad Knowles wrote:
At 4:28 PM +0200 2004-07-12, Lasse Jespersen wrote:
Thanks for this information. I already saw weplab, but I haven't used
it yet. I understand you generated a lot of traffic to get this many
packets? I generated only some 8000 in about 24 hours.
Are these just the weak IVs, or all packets in total? IVs are
rotated frequently enough that I'd be surprised if a totally idle
network didn't generate more than 8000 packets in a 24-hour period of
time.
At that rate, it would take me 6 months, and I don't have any means of
generating traffic on the network.
There's lots of ways to cause traffic to be generated, even if you're
not on the network in question.
You could generate de-authenticate packets for spoofed MAC addresses,
which would force the client to re-authenticate. If the AP is not
closed to unknown MACs, you could do this for randomly generated MACs
instead of the real ones you see (less chance of people noticing that
they're getting knocked off the network frequently). If the AP is
publicly visible, all you have to do is generate probe packets, which
could come from spoofed addresses (making it less likely that they'd
be able to be traced back to you).
Your worst case scenario is if the AP is not advertised, closed to
unknown MACs, and WPA/802.11x protected (as opposed to plain WEP), in
which case you have to spoof the MACs that you see. Even then, you
could inject random garbage from those MACs, and you should see lots
of reply packets from the AP(s) in question.
The problem with generating active traffic versus doing pure passive
sniffing is that they might have wireless network monitoring systems
that could detect your radio transmission fingerprint (thus
identifying the manufacturer of your chipset and perhaps the specific
version of the chipset and possibly the firmware version, which might
tell them what brand, model and serial number range you have for your
equipment), and potentially being able to triangulate your position
based on the time delay and signal strength seen by multiple
monitoring stations (the same way that mobile phone networks locate
your position).
--
Brad Knowles, <brad.knowles@xxxxxxxxx>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
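The monitoring systems Brad mentions spot active traffic generation largely from its pattern: a legitimate access point sends the odd deauthentication frame, whereas a client-kicking campaign produces a burst of them from one transmitter address to many destinations in a few seconds. The following is an added example of that detection logic, written for this thread and not taken from kismac or any of the posters. The log format (timestamp, frame subtype, source MAC, destination MAC), the thresholds and every frame in the sample are constructed assumptions; a real sensor would feed it from captured 802.11 management frames.

```python
"""Flag deauthentication floods in a Wi-Fi management-frame log.

Added example for the kismac 'weak IVs' thread; not code from kismac or its
authors. The log format and every frame below are constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed sample log: <epoch seconds> <subtype> <source MAC> <destination MAC>.
# 00:11:22:33:44:55 plays the access point; one lone deauth at 002.50 is normal
# housekeeping, while the twelve frames from 100.00 onward are a flood.
SAMPLE_LOG = """\
# ts            subtype    src                dst
1089660000.00 beacon    00:11:22:33:44:55 ff:ff:ff:ff:ff:ff
1089660001.20 probe-req aa:bb:cc:dd:ee:01 ff:ff:ff:ff:ff:ff
1089660002.50 deauth    00:11:22:33:44:55 aa:bb:cc:dd:ee:03
1089660060.00 data      aa:bb:cc:dd:ee:01 00:11:22:33:44:55
1089660100.00 deauth    00:11:22:33:44:55 aa:bb:cc:dd:ee:01
1089660100.25 deauth    00:11:22:33:44:55 aa:bb:cc:dd:ee:02
1089660100.50 deauth    00:11:22:33:44:55 aa:bb:cc:dd:ee:03
1089660100.75 deauth    00:11:22:33:44:55 aa:bb:cc:dd:ee:04
1089660101.00 deauth    00:11:22:33:44:55 aa:bb:cc:dd:ee:05
1089660101.25 deauth    00:11:22:33:44:55 aa:bb:cc:dd:ee:06
1089660101.50 deauth    00:11:22:33:44:55 aa:bb:cc:dd:ee:07
1089660101.75 deauth    00:11:22:33:44:55 aa:bb:cc:dd:ee:08
1089660102.00 deauth    00:11:22:33:44:55 aa:bb:cc:dd:ee:09
1089660102.25 deauth    00:11:22:33:44:55 aa:bb:cc:dd:ee:0a
1089660102.50 deauth    00:11:22:33:44:55 aa:bb:cc:dd:ee:0b
1089660102.75 deauth    00:11:22:33:44:55 aa:bb:cc:dd:ee:0c
"""

# Assumed tuning: ten deauth frames from one transmitter within five seconds
# is far above what an AP emits on its own during normal operation.
DEAUTH_THRESHOLD = 10
WINDOW_SECONDS = 5.0


def parse_line(line):
    """Split one log line into (timestamp, subtype, src, dst)."""
    ts, subtype, src, dst = line.split()
    return float(ts), subtype, src.lower(), dst.lower()


def detect_deauth_floods(lines, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_mac: alert} for every transmitter that crosses the threshold.

    A sliding window of recent deauth frames is kept per source address; the
    alert records when the threshold was first reached, how many frames were
    in the window at that moment and how many distinct destinations they hit
    (a campaign against many or random MACs shows up as a high target count).
    """
    recent = defaultdict(deque)  # src -> deque of (timestamp, dst) in window
    alerts = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, subtype, src, dst = parse_line(line)
        if subtype != "deauth":
            continue
        q = recent[src]
        q.append((ts, dst))
        # Drop frames that fell out of the window before counting.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {
                "at": ts,
                "frames": len(q),
                "targets": len({d for _, d in q}),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_deauth_floods(SAMPLE_LOG.splitlines()).items():
        print(f"deauth flood from {src}: {info['frames']} frames to "
              f"{info['targets']} stations, first seen at {info['at']:.2f}")
```

The per-source window deliberately keys on the transmitter address the frames claim, since a spoofed flood will carry the AP's BSSID; the distinct-target count is what separates a sensor's own housekeeping from an attempt to knock many (or invented) clients off the network at once.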
- References:
- [kismac] weak IVs
- From: Lasse Jespersen
- [kismac] Re: weak IVs
- From: Michael Rossberg
- [kismac] Re: weak IVs
- From: Lasse Jespersen
- [kismac] Re: weak IVs
- From: Erik Winkler
- [kismac] Re: weak IVs
- From: Lasse Jespersen
- [kismac] Re: weak IVs
- From: Brad Knowles