Security Basics mailing list archives
Re: Strange WLAN behavior
From: Adam Mooz <adam.mooz () gmail com>
Date: Wed, 31 Mar 2010 11:59:23 -0400
Depending on how the malicious AP is setup, the first two will not work at all. MAC addresses are also trivial to spoof, even automatically. Cloaking your own SSID means that one has to send out a probe for it, which can be happily answered by a rogue AP. If the rogue AP is using KARMA (or worse, Karmetasploit), it will be perfectly happy to answer as just about any mainstream service, saving all of the associated passwords and keys and forwarding the traffic on (while, of course, monitoring everything going by, and maybe even sending back other helpful things in addition to the requested information). Changing the password may work only so long as one doesn't inadvertently connect to the rogue AP again.
The point is to make this as difficult as possible to prevent just the scenario you've outlined; them getting back into your AP after theirs goes down. If you change your password, cloak the SSID, and use MAC address filtering this may push the rogue into exploring the other networks in the area and ignoring yours, if only temporarily. Short of implementing RADIUS or some other form of enterprise authentication there isn't a whole lot that can be done. ---------------------------------------------------------- Adam Mooz Blog: http://www.adammooz.com LinkedIn: http://www.linkedin.com/ln/adammooz On Tue, Mar 30, 2010 at 6:54 PM, Jarrod Frates <jfrates.ml () gmail com> wrote:
On Tue, Mar 30, 2010 at 11:58 AM, Jon Janego <jonjanego () gmail com> wrote:By default, Windows XP will probe for all the access points you've set up and you want to remove any reference to the "hijacked" AP.I believe that there was a patch that was integrated into SP3 that addressed this behavior, stopping it by default. But clearing out the wireless configuration is probably still a good idea. On Tue, Mar 30, 2010 at 10:30 AM, Adam Mooz <adam.mooz () gmail com> wrote:It sounds like there's a rogue/malicious AP hijacking your internet, I'd suggest you cloak your SSID, implement MAC address filterting, and change your password ASAP.Depending on how the malicious AP is setup, the first two will not work at all. MAC addresses are also trivial to spoof, even automatically. Cloaking your own SSID means that one has to send out a probe for it, which can be happily answered by a rogue AP. If the rogue AP is using KARMA (or worse, Karmetasploit), it will be perfectly happy to answer as just about any mainstream service, saving all of the associated passwords and keys and forwarding the traffic on (while, of course, monitoring everything going by, and maybe even sending back other helpful things in addition to the requested information). Changing the password may work only so long as one doesn't inadvertently connect to the rogue AP again. -- Jarrod Frates GAWN, GCIH, GPEN ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Strange WLAN behavior Norealenemy (Mar 30)
- Re: Strange WLAN behavior Jon Janego (Mar 30)
- Re: Strange WLAN behavior Rob Thompson (Mar 31)
- Re: Strange WLAN behavior Norealenemy (Mar 31)
- Re: Strange WLAN behavior Adam Mooz (Mar 31)
- Re: Strange WLAN behavior Norealenemy (Mar 31)
- Re: Strange WLAN behavior Rob Thompson (Mar 31)
- Re: Strange WLAN behavior Adam Mooz (Mar 30)
- Re: Strange WLAN behavior Jarrod Frates (Mar 31)
- Re: Strange WLAN behavior Adam Mooz (Mar 31)
- Re: Strange WLAN behavior Jarrod Frates (Mar 31)
- RE: Strange WLAN behavior Murda (Mar 31)
- RE: Strange WLAN behavior Norealenemy (Mar 31)
- Re: Strange WLAN behavior Jon Janego (Mar 30)