Network Security Bugtraq

Weaknesses in WLAN Session Containment

Subject: Weaknesses in WLAN Session Containment
Date: Thu, 23 Jun 2005 10:26:06 -0400

While evaluating several overlay WLAN IDS products for a Network
Computing product review, I had the opportunity to examine different
vendors' implementations of WLAN session containment.  WLAN session
containment is very similar to persistent session sniping on
traditional wired IDS products, attempting to prevent a station from
connecting to a protected access point.

Traffic analysis for each vendor demonstrated unique characteristics
in how WLAN IDS products implement session containment, making it
possible to fingerprint the WLAN IDS system in use.  This is
especially advantageous to an attacker, as there is a significant
discrepancy in the number of attacks that each WLAN IDS product can
detect.  A chart indicating the attacks I used and how vendors
responded is available at
http://www.nwc.com/shared/article/printFullArticle.jhtml?articleID=164302965

I also discovered that at least one vendor's attempt to contain a
session could be bypassed by modifying wireless drivers to ignore
deauthenticate and disassociate frames altogether.  A patch for the
Linux MADWIFI drivers is included in the full text of the article,
available at
http://i.cmpnet.com/nc/1612/graphics/SessionContainment_file.pdf.

Comments welcome, thanks.

-Josh
--
-Joshua Wright
jwright@hasborg.com
http://802.11ninja.net

pgpkey: http://802.11ninja.net/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

Today I stumbled across the world's largest hotspot.  The SSID is
"linksys".


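Added example, not part of Joshua Wright's post or the linked article: a small Python decoder for 802.11 deauthentication/disassociation frames and a sliding-window check that flags the bursts session containment produces, run over constructed sample frames. It assumes raw 802.11 frames without a radiotap header; the MAC addresses, reason codes and timestamps are constructed for the demo. The point for a defender is that nothing in these frames authenticates the sender, which is why a station driver can simply drop them, as the post describes.

```python
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

DEAUTH, DISASSOC = 0xC, 0xA  # 802.11 management frame subtypes

@dataclass
class MgmtFrame:
    subtype: int
    dst: str     # station being told to leave (addr1)
    src: str     # claimed sender (addr2); unauthenticated without 802.11w
    bssid: str   # addr3
    reason: int  # reason code from the frame body

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt_frame(raw: bytes) -> Optional[MgmtFrame]:
    """Decode a deauth/disassoc frame (raw 802.11, no radiotap); other frames give None."""
    if len(raw) < 26:
        return None
    ftype, subtype = (raw[0] >> 2) & 0x3, raw[0] >> 4
    if ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    (reason,) = struct.unpack_from("<H", raw, 24)  # body follows the 24-byte header
    return MgmtFrame(subtype, _mac(raw[4:10]), _mac(raw[10:16]), _mac(raw[16:22]), reason)

def find_containment_bursts(capture, window_s=1.0, threshold=5):
    """capture: (timestamp_s, raw_frame) pairs in time order. Returns the (bssid, client)
    pairs that got more than `threshold` deauth/disassoc frames in any `window_s` window."""
    recent, alerts = defaultdict(list), set()
    for ts, raw in capture:
        f = parse_mgmt_frame(raw)
        if f is None:
            continue
        times = recent[(f.bssid, f.dst)]
        times.append(ts)
        while times and ts - times[0] > window_s:
            times.pop(0)
        if len(times) > threshold:
            alerts.add((f.bssid, f.dst))
    return alerts

# Constructed sample frames (locally administered MACs, not from any real capture).
DEAUTH_TO_CLIENT1 = bytes.fromhex("c000 0000 02000000cc01 02000000aa01 02000000aa01 0000 0700")
DISASSOC_TO_CLIENT2 = bytes.fromhex("a000 0000 02000000cc02 02000000aa01 02000000aa01 0000 0800")
BEACON = bytes.fromhex("8000 0000 ffffffffffff 02000000aa01 02000000aa01 0000 0000")

def sample_capture():
    """Client 1 receives 8 deauths in 0.8 s (containment-like); client 2 gets one disassoc."""
    burst = [(0.1 * i, DEAUTH_TO_CLIENT1) for i in range(8)]
    return sorted(burst + [(0.35, BEACON), (0.5, DISASSOC_TO_CLIENT2)])
```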