Slashdot Works For US Government - Stopping Terror (on United Nuclear) · Score: 5, Funny
Recent conversation between CMDR Taco and Donald Rumsfeld.
Rumsfeld: Hey CMDR Taco, there's this website we need to take down that sells nuclear supplies. We think that terrorists might be using them to build weapons of mass destruction.
Taco: No problem, I'll have a Slashdot story posted immediately. It should stop the website dead in its tracks until we can permanently shut them down.
Rumsfeld: Excellent, thank you for protecting our country.
Some of the Enterprise wireless vendors have countermeasures in their products for deauth/mitm/evil twin/ and many other attacks.
I don't work for the company, but I am a fan and a customer. Aruba has some really nifty features. Others do this as well, but Aruba was one of the first.
http://www.arubanetworks.com/pdf/products/DS_WIP.pdf
The Aruba Instant doesn't require any additional infrastructure, and something like the RAP-3WN can be found on eBay for fairly cheap.
Crank up the defense settings, and your AP will literally attack back when it detects a known attack on your network.
It'll frustrate the heck out of the kiddie running backtrack on your block when the tutorials he's watching on youtube on hax0ring wifi don't yield results.
WPA2 with a strong PSK should be sufficient, but if you want to take it to the next level use EAP-TLS and set up your own PKI. Make sure to validate the CA certificate so you're not susceptible to MITM attacks.
I wonder if they were using "off the shelf" open source tools to collect this information.
By default Kismet will log the pcap file, gps log, alerts, and network log in XML and plaintext.
http://www.kismetwireless.net/documentation.shtml
It is entirely possible that they were using off the shelf open source tools and this log type was simply not turned off in the configuration file.
Excerpt from USAF Cyber Attack Procedures Manual [TOP SECRET]
1. Identify Target Website
2. Submit Story to Slashdot
3. Call Commander Taco on Red Phone
4. Slashdot Story on Terrorist Interwebs Published
5. Denial of Service Complete
This patch was not designed to patch a Microsoft flaw, but instead a vulnerability in nearly all implementations of DNS. So far over 100 vendors have patched their products and coordinated the release of this workaround. If zone alarm is broken because of this change they need to adjust their product to work with this change, not the other way around.
I've taken this snippet from: http://isc.sans.org/diary.html?storyid=4687 which explains things in a little more detail. Full details won't be disclosed until Blackhat in vegas this August.
The root cause is a fundamental, well known, weakness in the DNS protocol. DNS uses UDP, a stateless protocol. A DNS server will send a request in a single UDP packet, then wait for a response to come back. In order to match request and response, a number of parameters are checked:
who sent the response? Was it the DNS server we sent the request to?
for this particular response, do we have an outstanding request?
each request uses a unique and random query ID. The response has to use the same query ID.
The response has to be sent to the same port from which the request was sent.
Only if all this matches, the response is accepted. The first valid response wins. If an attacker is able to guess the query id and the source port, the attacker is able to send a fake response, which will be cached by the DNS server.
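The matching rules quoted above are easy to lose in prose, so here is a small model of them in Python. This is an added illustration, not code from the ISC diary or from any resolver; the `Resolver` class, the `Query`/`Response` records and the `search_space` helper are all constructed for the example. It checks the four conditions in the order the excerpt lists them, applies "first valid response wins", and quantifies why adding source-port randomization to the 16-bit query ID matters: a spoofed reply must now match both fields by chance.

```python
"""Model of a resolver's response-matching checks (added example, constructed)."""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Query:
    server_ip: str   # upstream server the request was sent to
    src_port: int    # UDP source port the request left from
    txid: int        # 16-bit query ID
    name: str


@dataclass(frozen=True)
class Response:
    from_ip: str
    dst_port: int
    txid: int
    name: str
    answer: str


class Resolver:
    """Holds outstanding queries and a cache; accepts a reply only if it matches."""

    FIXED_PORT = 53000   # what a pre-fix resolver used for every query (constructed value)

    def __init__(self, randomize_ports: bool):
        self.randomize_ports = randomize_ports
        self.outstanding = {}   # name -> Query
        self.cache = {}         # name -> answer

    def send_query(self, name: str, server_ip: str) -> Query:
        if self.randomize_ports:
            port = 1024 + secrets.randbelow(65535 - 1024)   # ephemeral range 1024..65534
        else:
            port = self.FIXED_PORT
        q = Query(server_ip, port, secrets.randbelow(1 << 16), name)
        self.outstanding[name] = q
        return q

    def receive(self, r: Response) -> bool:
        """Return True and cache the answer only if every check passes."""
        q = self.outstanding.get(r.name)
        if q is None:                 # no outstanding request for this name
            return False
        if r.from_ip != q.server_ip:  # not the server we asked
            return False
        if r.txid != q.txid:          # query ID mismatch
            return False
        if r.dst_port != q.src_port:  # wrong destination port
            return False
        # first valid response wins: cache it and drop the outstanding request
        self.cache[r.name] = r.answer
        del self.outstanding[r.name]
        return True


def search_space(randomize_ports: bool) -> int:
    """Number of (query ID, port) combinations a spoofed reply must hit by chance."""
    ports = (65535 - 1024) if randomize_ports else 1
    return (1 << 16) * ports
```

With a fixed port the space is 65,536 combinations; with a randomized ephemeral port it is 65,536 × 64,511, which is the whole effect of the coordinated patch the comment describes.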
Basically it's a PPTP VPN connection that dynamically retrieves an IP address to connect to, a user ID and a password via an SSL HTTP connection.
The results are returned in XML like this.
1 2I64x&fmt=xml&_k=%08x
The client will contact this URL via SSL.
https://vpn.google.com/getpass/?_k=%08x
<?xml version="1.0" encoding="utf-8" ?>
<vpn>
  <auth>
    <server>xx.xx.xx.xx</server>
    <user>9129999999</user>
    <pass>AqVnTzASdCkl8v</pass>
  </auth>
</vpn>
It also looks like a backend script runs to try to determine your ISP or locale and display where you connect from. The results are returned in XML from this address.
https://wifi.google.com/welcome?ap=%0
This gives them the ability to load balance the vpn service, and takes the password and authentication piece out of the hands of the user. Pretty slick if you ask me.
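Since the client accepts whatever `<server>`, `<user>` and `<pass>` the HTTPS reply carries, the whole scheme stands or falls on the client validating the TLS connection to vpn.google.com and on being strict about what it parses out of the reply. The parser below is an added example written for this page, not Google's client code; the sample reply is constructed in the shape quoted above with placeholder values, and the `VpnCredentials` record and `parse_vpn_reply` function are assumptions of the example.

```python
"""Strict parser for the getpass XML reply (added example, constructed input)."""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample in the same shape as the reply quoted above; values are placeholders.
SAMPLE_REPLY = """<?xml version="1.0" encoding="utf-8" ?>
<vpn>
  <auth>
    <server>192.0.2.10</server>
    <user>9129999999</user>
    <pass>PLACEHOLDER-PASSWORD</pass>
  </auth>
</vpn>
"""


@dataclass(frozen=True)
class VpnCredentials:
    server: str
    user: str
    password: str


def parse_vpn_reply(xml_text: str) -> VpnCredentials:
    """Extract the three fields, rejecting anything malformed instead of guessing."""
    root = ET.fromstring(xml_text)
    if root.tag != "vpn":
        raise ValueError(f"unexpected root element {root.tag!r}")
    auth = root.find("auth")
    if auth is None:
        raise ValueError("missing <auth> element")
    fields = {}
    for name in ("server", "user", "pass"):
        el = auth.find(name)
        if el is None or not (el.text or "").strip():
            raise ValueError(f"missing or empty <{name}>")
        fields[name] = el.text.strip()
    # The quoted reply carries a dotted-quad in <server>; accept only a literal IP
    # address so the PPTP endpoint cannot be redirected by a hostname-shaped value.
    ipaddress.ip_address(fields["server"])
    if not fields["user"].isdigit():
        raise ValueError("user id is expected to be numeric")
    return VpnCredentials(fields["server"], fields["user"], fields["pass"])
```

Parsing this way means a truncated or tampered reply fails loudly rather than producing a half-filled connection profile.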
With a linksys wrt54g and this new "beta" firmware (linksys release, not 3rd party) you can have wpa2 right now.
ftp://ftp.linksys.com/sg/support/download/broadband_router/WRT54G_WRT54GS/WRT54GWRT54GSBeta_Firmware_for_Wireless_Transfer_Issues/
You'll need to have a card that supports wpa2 in the drivers as well. There are a few out there.
Think about it.
Hacker uses own browser to find url for nmap
does wget on compromised box to nmap.org
Hacker uses own browser to find url for tcpdump
does wget to download tcpdump
hacker does lookup of url to rootkit on packetstorm on their machine
hacker wgets rootkit from shell
Chances are that if there are matching ip addresses in all 3 logs to separate sites in a short span of time that that person is responsible. Not listing the parent pieces of the website to find the download link is another clue.....
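The correlation the comment describes (one source address hitting the download pages of several tool sites within minutes, with no referring page) is straightforward to automate over ordinary web server logs. The following is an added example, not something from the original post: it parses constructed Common Log Format lines for three sites, keeps only addresses that appear in every site's log inside a time window, and separately flags the "fetched the file directly, never browsed the site" hits. The site names, addresses and paths are made-up sample data.

```python
"""Cross-site log correlation for a shared source IP (added example, constructed logs)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Common Log Format lines, one list per site. The "-" referrer on a
# direct download is the "no parent page" clue mentioned in the comment.
LOGS = {
    "nmap.org": [
        '203.0.113.7 - - [10/Jul/2008:14:02:11 +0000] "GET /dist/nmap.tgz HTTP/1.0" 200 1 "-" "Wget/1.10"',
        '198.51.100.4 - - [10/Jul/2008:09:15:00 +0000] "GET /download.html HTTP/1.1" 200 1 "http://nmap.org/" "Mozilla/5.0"',
        '192.0.2.55 - - [01/Jul/2008:11:00:00 +0000] "GET /dist/nmap.tgz HTTP/1.1" 200 1 "http://nmap.org/download.html" "Mozilla/5.0"',
    ],
    "tcpdump.org": [
        '203.0.113.7 - - [10/Jul/2008:14:05:40 +0000] "GET /release/tcpdump.tar.gz HTTP/1.0" 200 1 "-" "Wget/1.10"',
        '198.51.100.4 - - [10/Jul/2008:09:20:30 +0000] "GET /index.html HTTP/1.1" 200 1 "-" "Mozilla/5.0"',
        '192.0.2.55 - - [04/Jul/2008:16:30:00 +0000] "GET /release/tcpdump.tar.gz HTTP/1.1" 200 1 "http://tcpdump.org/" "Mozilla/5.0"',
    ],
    "packetstorm.example": [
        '203.0.113.7 - - [10/Jul/2008:14:09:02 +0000] "GET /files/rootkit.tgz HTTP/1.0" 200 1 "-" "Wget/1.10"',
        '192.0.2.55 - - [08/Jul/2008:08:45:00 +0000] "GET /files/rootkit.tgz HTTP/1.1" 200 1 "http://packetstorm.example/files/" "Mozilla/5.0"',
    ],
}

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_clf(line: str) -> dict:
    """Parse one Common Log Format line into a dict with a datetime timestamp."""
    m = CLF_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def correlate(logs: dict, window: timedelta = timedelta(hours=1)) -> dict:
    """Return {ip: {site: [records]}} for IPs seen on every site within `window`."""
    hits = defaultdict(lambda: defaultdict(list))
    for site, lines in logs.items():
        for line in lines:
            rec = parse_clf(line)
            hits[rec["ip"]][site].append(rec)
    suspects = {}
    for ip, per_site in hits.items():
        if set(per_site) != set(logs):        # must appear in all three logs
            continue
        times = [r["ts"] for recs in per_site.values() for r in recs]
        if max(times) - min(times) <= window:  # and within a short span
            suspects[ip] = dict(per_site)
    return suspects


def direct_downloads(per_site: dict) -> list:
    """Hits with no referrer and a non-browser agent: fetched without browsing the site."""
    return [
        (site, r["path"])
        for site, recs in per_site.items()
        for r in recs
        if r["referer"] == "-" and not r["agent"].startswith("Mozilla")
    ]


if __name__ == "__main__":
    for ip, per_site in correlate(LOGS).items():
        print(ip, direct_downloads(per_site))
```

The window and the "all sites" requirement are the two knobs: loosen either and the ordinary visitor who browsed two of the sites a week apart starts showing up as a false positive.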
If you update your linksys wrt54g to the latest firmware, and use one of the many methods out there to access the wireless driver that runs on an embedded linux os, you can execute /usr/sbin/wl
one of the supported commands returned is
wme Set WME (Wireless Multimedia Extensions) mode (0=off, 1=on)
I'm guessing that the included broadcom radio is the one that supports this.
Mac filtering is way less secure than wep, and requires about 30 seconds to bypass. In addition your data is all transmitted in plain text when you don't use wep. The only thing mac filtering will prevent is random clients from associating (who don't have the tools needed to sniff the mac out of the airwaves, change their mac, then associate.)
1. You can still see the data in the air, unencrypted when mac filtering is used.
(kismet will do this for example...)
2. The mac address is transmitted in plain text along with the data. Picking the mac out of the air is easy.
You already pretty much summed it up.
You don't trust your children.
If you want to instill Big Brother:
You could always install a product like Spector Pro on the PCs and review their actions on a daily basis.
Let them know that it's on there, and that they have no privacy and they'll be sure to behave.
Then again, you could just trust them. And let them actually confide in you without fear of being punished for every little thing.
An example:
(Would you rather have your kid
(1)call you "I'm too drunk to drive home" from a party,
or
(2)Try to drive home drunk afraid that if they didn't Mom and Dad would know they were drinking.)
Quick: Delete the logs!@)@)!
I agree,
Good correction.
Hello, I am your seeing eye monkey from Bonzi Buddy. I can help you read the text off of the screen that you need to register for your e-mail account.
Would you like to:
1. have the selection recognized with ocr, and read to you.
2. send your personal information to us, along with the new e-mail account so we can send it to spammers.
3. Profit!@!@
(except in soviet russia where the OCR owns us)
Ok, it's a geforce MX, but heck...... it's close enough and has more cpu / ram / hd than a xbox for the same price.
$59 - Nforce Board - Has onboard 5.1 Sound/ Network / Geforce Graphics - Pricewatch.com
$30 - Athlon 1.1ghz - Pricewatch.com
$13 - PC2100 DDR 128MB - Pricewatch.com
$48 - 40GB Drive - Pricewatch.com
$151 and all we need is a Power supply. I know of a lot of cheap power supplies for less than the remainder.
Where are the terrorists when you need them?
And why don't they declare jihad and bomb SCO?
I might get moderated down for this, but this is a holy war. They're attacking our HOLY ground. And something drastic needs to be done to stop the crap that sco is pulling.
I do a bit of wardriving myself.
I think that if anything, the biggest kicks I get out of wardriving is generating maps of my results.
(I do like plugging my map - shameless self promotion I guess)
While I never connect to networks, it would be nice to know that if I ever did need to access one that I wouldn't have to worry about going to jail over it. Props to the government on this one.
I'm not sure if they still do it, but Blockbuster video was offering a "DVD Freedom Pass" for $19.99 a month for a while. The pass is valid for 30 days and allows you 2 DVDs checked out at a time and you can return them and rent more anytime you want.
So why would you rely on mailorder, when you can get the same deal locally? And not have to deal with netflix availability problems. It sounds to me almost as if they did this to compete directly with netflix, or perhaps they were afraid of losing market share to all you can rent mailorder rental places.
quote: "It also appears that the only lifeforms not using DNA for code storage are a few viruses like the common cold."
Does that mean that NT admins considered a virus since they use hard drives for code storage, opposed to DNA.
Imagine the looks of coworkers as they pass your cubicle, to see a grill cooking a steak, that is plugged into your usb port!! The smell drifting across the office. The look the CIO would give you.
Maybe we can still get one.... Anybody know of a USB power inverter, I could hook up my normal george foreman, and use electrical tape to make it look authentic.
The speed increase will be offset by the length of time it takes to type the url.
x xx
Hypertext Transfer Protocol
http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
versus
Order-based Deadlock Prevention Protocol with Parallel Requests
obdppwpr://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
First Stroke!
Actually, I might have a stroke after I see how bad I get modded down for this comment....
I may want to mention that I also use higher powered wireless cards with 200mW power output manufactured by senao. They have the second best sensitivity on the market. You can buy them at netgate.com
They cost about 100 a pop. You can get a better card from demarctec, but they are like $160 usd. Too expensive for my taste.
I would suggest finding a yagi or panel style antenna with a wide enough radiation pattern to cover your house and hooking it up pointing so it covers the entire house. I know that you can hook it up to antenna connector on the linksys routers.
Personally I have a 16DB Andrew Panel antenna on one end of my apartment. I am able to go through 3 apartment buildings and get a link with this setup. A Homebrew cantenna may actually work better.
You can get a cable made to convert an SMA connector, found on the linksys routers, to an N connector, and hook it up to the antenna of your choice.
I know you can buy premade linksys connectors here. Their cantenna would probably work to cover your whole house if it is elongated as well; however I have never used their equipment so I would not know for sure.
If you want more info, or ideas contact me. rusty@NOSPAMdestroymicrosoft.org (minus the nospam)
-Rusty
I firmly believe that we'll eventually get our 100 gig cdroms, or the equivalent.
But before it happens the industry standard video disc, (whatever name they give it) will have 2048x1600+ resolution and the quality will require a 100 gig disc to fit a single movie.