Joshua Wright
23/06/05, 17:25
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
While evaluating several overlan WLAN IDS products for a Network
Computing product review, I had the opportunity to examine different
vendor's implementations of WLAN session containment. WLAN session
containment is very similar to persistent session sniping on
traditional wired IDS products, attempting to prevent a station from
connecting to a protected access point.
Traffic analysis for each vendor demonstrated unique characteristics
in how WLAN IDS products implement session containment, making it
possible to fingerprint the WLAN IDS system in use. This is
especially advantageous to an attacker, as there is a significant
discrepancy in the number of attacks that each WLAN IDS product can
detect. A chart indicating the attacks I used and how vendors
responded is available at
http://www.nwc.com/shared/article/printFullArticle.jhtml?articleID=164
302965
I also discovered that at least one vendor's attempt to contain a
session could be bypassed by modifying wireless drivers to ignore
deauthenticate and disassociate frames altogether. A patch for the
Linux MADWIFI drivers is included in the full text of the article,
available at
http://i.cmpnet.com/nc/1612/graphics/SessionContainment_file.pdf.
Comments welcome, thanks.
- -Josh
- --
- -Joshua Wright
jwright@hasborg.com
http://802.11ninja.net
pgpkey: http://802.11ninja.net/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
Today I stumbled across the world's largest hotspot. The SSID is
"linksys".
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBQrrGFo/i/ArUS0pzEQL6gwCgrFy1GERI/WHmwpdPBkYrjjcACEQAn3oT
ep4IL9bFREx201aS0AD+Uotm
=VCKN
-----END PGP SIGNATURE-----
Hash: SHA1
While evaluating several overlan WLAN IDS products for a Network
Computing product review, I had the opportunity to examine different
vendor's implementations of WLAN session containment. WLAN session
containment is very similar to persistent session sniping on
traditional wired IDS products, attempting to prevent a station from
connecting to a protected access point.
Traffic analysis for each vendor demonstrated unique characteristics
in how WLAN IDS products implement session containment, making it
possible to fingerprint the WLAN IDS system in use. This is
especially advantageous to an attacker, as there is a significant
discrepancy in the number of attacks that each WLAN IDS product can
detect. A chart indicating the attacks I used and how vendors
responded is available at
http://www.nwc.com/shared/article/printFullArticle.jhtml?articleID=164
302965
I also discovered that at least one vendor's attempt to contain a
session could be bypassed by modifying wireless drivers to ignore
deauthenticate and disassociate frames altogether. A patch for the
Linux MADWIFI drivers is included in the full text of the article,
available at
http://i.cmpnet.com/nc/1612/graphics/SessionContainment_file.pdf.
Comments welcome, thanks.
- -Josh
- --
- -Joshua Wright
jwright@hasborg.com
http://802.11ninja.net
pgpkey: http://802.11ninja.net/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
Today I stumbled across the world's largest hotspot. The SSID is
"linksys".
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBQrrGFo/i/ArUS0pzEQL6gwCgrFy1GERI/WHmwpdPBkYrjjcACEQAn3oT
ep4IL9bFREx201aS0AD+Uotm
=VCKN
-----END PGP SIGNATURE-----