Wireless Security
Re: creating fake APs Apr 17 2008 03:56PM
Luiz Eduardo (le atelophobia net)

as others mentioned already, this would not only confuse the clients and
possibly the users, but also create a bunch of unnecessary beacons.
Not really sure what you're trying to accomplish overall, but I believe if
you do what Nico recommended to try to keep the signal "in" (not allowing
people w/ lower rates/ possibly and hopefully clients far away without
high-gain antennas and stuff, to associate to the network) and use
encryption, even vpn on top of the layer 2 encryption.

my rusty 2 cents

-le

----- Original Message -----
From: "bLiTz" <blitztrade (at) yahoo (dot) com>
To: "wifisec" <wifisec (at) securityfocus (dot) com>; <pen-test (at) securityfocus (dot) com>
Sent: Wednesday, April 16, 2008 9:08 PM
Subject: creating fake APs

> Hi thanks for the earlier help. We are now in phase II of the project and
> need to build a more secure network. I had the following questions:
> 1. For this I was planning to use fakeap to create a large number of fake
> APs. But I am not able to configure fakeap after spending hours and hours
> on it. From what I understand, we need to have hostap in order to run
> fakeap. I wasn't able to configure and install it (I am trying to get
> this working on Ubuntu and then later if possible on OpenWRT on Linksys
> WRT54GL). It would be great if anybody out there could guide me or point
> me to some place where it is clearly explained how to get hostap and
> fakeap working.
> 2. If there are any other similar tools out there please let me know.
> 3. Advice on how to monitor our wireless network. Using WIDS? Which WIDS
> would you guys suggest we use?
> -----Original Message-----
> From: bLiTz [mailto:blitztrade (at) yahoo (dot) com]
> Sent: Wednesday, April 02, 2008 1:47 PM
> To: Nico Darrow
> Subject: Re: Help for wireless penetration testing game/competition
> They want us to break into the network in general and we get
> points depending on what we do. Yes ours is not that advanced a course.
> So we could just cause DoS at all the APs. Getting the file from the
> server will get us the maximum points. Any idea how we could get to
> their server? It's running on VMWare.
> ----- Original Message ----
> From: Nico Darrow <ndarrow (at) airdefense (dot) net>
> To: <blitztrade (at) yahoo (dot) com>; Nico Darrow <ndarrow (at) airdefense (dot) net>
> Sent: Wednesday, April 2, 2008 11:58:29 AM
> Subject: RE: Help for wireless penetration testing game/competition
> EAP-TLS will require u to pen the client to get the certificates and
> login credentials. If there is no server side certificate verification then
> u can MiTM the client and try sniffing the handshake inside the TLS tunnel.
> Remember with newer EAP, the first handshake is always fake but the real
> one happens inside the tunnel.
> Are u sure they want u to break the EAP-TLS AP? That's a little advanced
> for a classroom project
> -----Original Message-----
> From: <blitztrade (at) yahoo (dot) com>
> To: "Nico Darrow" <ndarrow (at) airdefense (dot) net>
> Sent: 4/2/2008 11:01 AM
> Subject: Re: Help for wireless penetration testing game/competition
> I am sorry I had to write that in a hurry and didn't really think of
> explaining in a better way. Thanks for the quick reply.
> 1. For this phase we are supposed to leave the DHCP on (the competition
> is in two phases and this network configuration is supposed to emulate
> an insecure network. In the next phase we are allowed to make changes)
> 4. No the EAP method being used is not LEAP. I think they are using
> ----- Original Message ----
> From: Nico Darrow <ndarrow (at) airdefense (dot) net>
> To: <blitztrade (at) yahoo (dot) com>; "pen-test (at) securityfocus (dot) com"
> <pen-test (at) securityfocus (dot) com>; wifisec <wifisec (at) securityfocus (dot) com>
> Sent: Wednesday, April 2, 2008 9:17:10 AM
> Subject: RE: Help for wireless penetration testing game/competition
> First of all, that was very hard to read and painful.
> Things I'd recommend.
> 1. Your open AP, enable MAC filtering, disable DHCP (set your
> clients static) and change your subnet. This will prevent them from
> connecting wirelessly, if they still can plug into your AP via a hardline
> then ignore this.
> 2. WEP, easy. If your AP has something called
> "IP isolation"/"PSPF"/"MU-to-MU disallow", enable this feature, it'll
> slow them down depending on their level.
> 3. WPA-PSK, cracking this doesn't require traffic, you need the WPA 4-way
> handshake that happens when a client associates to the AP. Usually the best
> way is to DoS a client off the AP (hard and fast). Make sure you target the
> client specifically and not just do a broadcast deauth, some clients
> will ignore the broadcast deauth or won't be sufficient enough to force
> a handshake.
> 4. EAP, you can bet it's going to be LEAP. Take a look at the asleep tool
> available (google is your friend). If they've setup anything else (radius
> backend) then you'll have to do a MiTM or client penetration to get
> certificates and credentials.
> 5. Client penetration, nmap, nessus, metasploit, scapy. 'nuff said.
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com]
> Sent: Tuesday, April 01, 2008 3:35 PM
> To: pen-test (at) securityfocus (dot) com; wifisec
> Subject: Help for wireless penetration testing game/competition
> Hi
> I am a student and am taking this course called Wireless security. As a part
> of the course the class is divided into two teams and we have to hack each
> other's wireless networks. It works in two phases. I need help in the first
> phase.
> We have 4 APs:
> 1. Open access point: the opposite team's access point is in our
> team's physical location (and ours is in their location). It has DHCP
> enabled and if needed we can dc it and plug our client and get on
> their physical network.
> 2. WEP AP: We have already cracked their WEP key
> 3. WPA PSK: the problem with getting into this is that for the 1st
> phase there is no traffic being generated by the other team so we can't deauth
> it and get the PSK.
> 4. WPA EAP - Not sure what EAP method they are running.
> The network is managed by a Windows server 2003 running on VMWare and there is
> a PIX firewall and a switch. The server has two files: one hidden and
> one is the open.
> So the task is now to somehow get:
> 1. Access to the AP which is not open or launch a DoS
> 2. Get to the server files or corrupt them
> We can do the task either wirelessly or through the wired network.
> We were also able to take one AP out of the network by ARP
> poisoning using scapy. So I wanted suggestions from you guys out there. I
> know there are loads of materials out there but we don't have time. So
> any help will be appreciated.
> Thx


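The third question in bLiTz's post (how to monitor the wireless network, and whether a WIDS is the way to do it) is the one a defender can act on directly. The block below is an added example, not code from this thread or from any of the tools it mentions: a minimal WIDS-style check in Python that runs over constructed, simplified 802.11 management-frame records (the kind of fields a monitor-mode capture yields after decoding) and flags the two things the thread talks about, beacons that advertise a managed SSID from a BSSID that is not in the inventory (a fake or "twin" AP, which is what a fakeap-style beacon flood looks like from the defender's side) and bursts of deauthentication frames aimed at one station. The frame records, MAC addresses, SSID names, window and threshold are all assumptions constructed for the example.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample input (not a real capture): one record per management
# frame, with a timestamp in seconds, the frame subtype, transmitter and
# receiver MACs, and the SSID for beacons. A monitor-mode sniffer would
# produce the same fields after decoding the 802.11 header and beacon IEs.
FRAMES = [
    {"t": 0.0, "sub": "beacon", "src": "00:11:22:33:44:01", "dst": BROADCAST, "ssid": "corp-wifi"},
    {"t": 0.1, "sub": "beacon", "src": "00:11:22:33:44:02", "dst": BROADCAST, "ssid": "corp-wifi"},
    # same SSID, unknown BSSID: a fake/twin AP as seen by the monitor
    {"t": 0.2, "sub": "beacon", "src": "de:ad:be:ef:00:01", "dst": BROADCAST, "ssid": "corp-wifi"},
    # a neighbour's network we do not manage; must not be flagged
    {"t": 0.3, "sub": "beacon", "src": "02:aa:bb:cc:dd:01", "dst": BROADCAST, "ssid": "linksys"},
    # burst of unicast deauths carrying the AP's address, all at one station
    *[{"t": 1.0 + i * 0.05, "sub": "deauth", "src": "00:11:22:33:44:01",
       "dst": "aa:bb:cc:dd:ee:01", "ssid": None} for i in range(12)],
    # a single deauth, as an AP legitimately sends on idle timeout
    {"t": 5.0, "sub": "deauth", "src": "00:11:22:33:44:02", "dst": "aa:bb:cc:dd:ee:02", "ssid": None},
]

# Inventory of the BSSIDs we own per managed SSID (assumed values).
AUTHORIZED = {"corp-wifi": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}


def detect_rogue_aps(frames, authorized):
    """Flag beacons advertising a managed SSID from a BSSID not in the inventory.

    Each unknown BSSID is reported once. SSIDs we do not manage are ignored,
    so neighbouring networks do not generate noise."""
    alerts, seen = [], set()
    for f in frames:
        if f["sub"] != "beacon":
            continue
        ssid = f["ssid"]
        if ssid in authorized and f["src"] not in authorized[ssid] and f["src"] not in seen:
            seen.add(f["src"])
            alerts.append({"kind": "rogue_ap", "ssid": ssid, "bssid": f["src"]})
    return alerts


def detect_deauth_floods(frames, window=2.0, threshold=5):
    """Flag more than `threshold` deauths from one transmitter to one receiver
    within `window` seconds (sliding window per (src, dst) pair).

    An AP does not normally deauthenticate the same station over and over,
    so a burst is suspicious even when the source address is the AP's own;
    a unicast receiver marks the burst as targeted at one station rather
    than broadcast to everyone."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)
    for f in sorted(frames, key=lambda x: x["t"]):
        if f["sub"] != "deauth":
            continue
        key = (f["src"], f["dst"])
        q = recent[key]
        q.append(f["t"])
        while q and f["t"] - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold and key not in flagged:
            flagged.add(key)
            alerts.append({"kind": "deauth_flood", "src": f["src"], "dst": f["dst"],
                           "targeted": f["dst"] != BROADCAST, "count": len(q)})
    return alerts


def analyze(frames, authorized):
    """Run both checks and return the combined alert list."""
    return detect_rogue_aps(frames, authorized) + detect_deauth_floods(frames)


if __name__ == "__main__":
    for alert in analyze(FRAMES, AUTHORIZED):
        print(alert)
```

On the sample data this reports one rogue_ap alert for de:ad:be:ef:00:01 and one targeted deauth_flood alert, raised at the sixth frame of the burst; the lone deauth at t=5.0 stays below the threshold. The inventory of authorized BSSIDs is the piece that makes the rogue-AP check work, and it is also the check that a beacon flood of fake APs trips immediately, since every fabricated BSSID is by definition absent from it.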
Copyright 2010, SecurityFocus