Wireless Security
Dictionary based AP probes Oct 11 2009 09:54PM
Rob Fuller (jd mubix gmail com) (3 replies)
Re: Dictionary based AP probes Oct 12 2009 02:40PM
Jon Janego (jonjanego gmail com) (1 replies)
Re: Dictionary based AP probes Oct 12 2009 05:29PM
Rob Fuller (jd mubix gmail com) (2 replies)
Re: Dictionary based AP probes Oct 12 2009 10:43PM
Carl Vincent (carl vincent hypermediasystems com)
Re: Dictionary based AP probes Oct 12 2009 09:22PM
Mike Kershaw (dragorn kismetwireless net) (1 replies)
Re: Dictionary based AP probes Oct 12 2009 10:38PM
Rob Fuller (jd mubix gmail com)
I apologize, the "days" fact is what I was missing. As I had never
done so, I was unaware of how long it would take; I was assuming
seconds/minutes to toss a couple thousand probes out and have Kismet
or AirMon catch the one that stuck. As I initially stated, I have
little knowledge of the inner workings of 802.11.

re: your example: I think you might have misread my example; I was
speaking of a 'client' AP that would most likely be something
in a dictionary, especially one based on the top names from WiGLE or
one extracted using Robin Wood's CeWL tool. Not trying to find an AP
that some attacker hid.

Thanks for the info, I'll do some testing with MDK3 some time this
week and post how it goes.

--
Rob Fuller | Mubix
Room362.com | Hak5.org | TheAcademyPro.com

On Mon, Oct 12, 2009 at 5:22 PM, Mike Kershaw
<dragorn (at) kismetwireless (dot) net [email concealed]> wrote:
> On Mon, Oct 12, 2009 at 01:29:52PM -0400, Rob Fuller wrote:
>> Thanks everyone who has responded, I will definitely be checking out
>> MDK3 in the not so distant future. I do have one question though, a
>> bunch of you have said that doing this isn't really useful or
>> practical. I'm wondering why? If I'm doing a PenTest when there isn't
>> any hosts connected to the client's wifi AP and it's 'cloaked', I
>> could be missing an attack vector. I'm probably missing something so
>> please let me know if I've overlooked something.
>
> If you think an attacker who put a hidden AP in your network is going to
> leave it as a dictionary word, well... have fun then.  I don't think
> it's a possibility that warrants the DAYS of replaying dictionary files.
> It simply is not a realistic situation.
>
> If you think you're going to brute force the SSID without a dictionary,
> then you're wrong.  32 characters, nothing technically forbidden from
> use in a SSID, 2^256 possibilities.
>
> -m
>
> --
> Mike Kershaw/Dragorn <dragorn (at) kismetwireless (dot) net [email concealed]>
> GPG Fingerprint: 3546 89DF 3C9D ED80 3381  A661 D7B2 8822 738B BDB1
>
> There's too much blood in my caffeine system!
>

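Two things in this exchange are worth putting into code from the defender's side: Mike's point that replaying a dictionary of SSIDs takes days, and the fact that such a sweep (one radio sending directed probe requests for thousands of different SSIDs) is exactly the behaviour a wireless IDS can spot. The Python below is an added example, not code from this thread, Kismet or MDK3. It builds a constructed probe-request log (timestamp, source MAC, requested SSID), counts how many distinct SSIDs each source asks for inside a sliding time window, and flags sources that exceed a threshold; a second helper turns a dictionary size and an assumed per-probe dwell time into campaign length in days. The MAC addresses, SSID words, window size, threshold and dwell time are all assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample data (not a real capture). Two stations are modelled:
# one that walks a word list, one that behaves like an ordinary client.
SWEEP_MAC = "02:00:00:00:00:aa"   # assumed address of the sweeping radio
NORMAL_MAC = "02:00:00:00:00:bb"  # assumed address of a normal client

# 25 constructed dictionary words, probed 2 s apart starting at t=100 s.
DICTIONARY_WORDS = [f"dictword{i:02d}" for i in range(25)]
SAMPLE_PROBES = [(100.0 + 2.0 * i, SWEEP_MAC, word)
                 for i, word in enumerate(DICTIONARY_WORDS)]

# The normal client re-probes the same three remembered networks every 5 s
# and also sends one wildcard (empty SSID) probe, which is routine behaviour.
REMEMBERED = ["home-net", "office-net", "coffee-shop"]
SAMPLE_PROBES += [(100.0 + 5.0 * i, NORMAL_MAC, REMEMBERED[i % 3])
                  for i in range(10)]
SAMPLE_PROBES.append((101.0, NORMAL_MAC, ""))


def detect_probe_sweeps(probes, window_s=60.0, threshold=20):
    """Return {source_mac: peak_distinct_ssids} for every source that asked
    for at least `threshold` distinct SSIDs within any `window_s`-second
    window. Wildcard probes (empty SSID) are ignored: every client sends
    them and they carry no dictionary information."""
    by_src = defaultdict(list)
    for ts, src, ssid in probes:
        if ssid:
            by_src[src].append((ts, ssid))

    alerts = {}
    for src, events in by_src.items():
        events.sort()                 # order by timestamp
        in_window = Counter()         # ssid -> occurrences inside the window
        left = 0
        peak = 0
        for ts, ssid in events:
            in_window[ssid] += 1
            # Slide the left edge forward until the window is at most window_s wide.
            while ts - events[left][0] > window_s:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def campaign_days(n_ssids, dwell_seconds):
    """Days needed to try `n_ssids` names when each probe is given
    `dwell_seconds` to elicit a response (dwell time is an assumed input)."""
    return n_ssids * dwell_seconds / 86400.0


if __name__ == "__main__":
    print("sweeping sources:", detect_probe_sweeps(SAMPLE_PROBES))
    print("100k-word list at 2 s per probe: %.2f days" % campaign_days(100_000, 2.0))
```

With the defaults the sweeping radio is reported with 25 distinct SSIDs in one window and the ordinary client is not reported at all; shrinking the window to 10 s still separates the two (six distinct names versus three), which is the kind of tuning a Kismet-style alert would need to avoid flagging a laptop that simply remembers many networks. The `campaign_days` helper only formalises Mike's arithmetic: a six-figure word list at a couple of seconds per probe is a multi-day exercise before any dwell-time tuning.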
Re: Dictionary based AP probes Oct 12 2009 08:10AM
Robin Wood (dninja gmail com) (1 replies)
Re: Dictionary based AP probes Oct 12 2009 02:34PM
Joshua Wright (jwright hasborg com)
Re: Dictionary based AP probes Oct 12 2009 04:37AM
Mike Kershaw (dragorn kismetwireless net)
Copyright 2010, SecurityFocus