Page 1 of 3 (results 1 to 10 of 21)

Thread: IP address sniffable on secured connection?

  1. #1
    Junior Member Maniaxx's Avatar
    Join Date
    May 2008
    Posts
    38

    Default IP address sniffable on secured connection?

    Hi,
    Is it possible that someone can sniff a secured WLAN connection to obtain the client's IP address without knowing the WEP/WPA key?

    Is it possible to fake the 'WEP' string to fool monitor tools? Maybe it's hardcoded in the WLAN data stream itself... I don't know.

    If I only have weak WEP encryption and I want to harden it by choosing an exotic subnet (without DHCP), an attacker would only have to wait until I connect to the AP to obtain the valid IP range/subnet, right?

  2. #2
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default

    Quote Originally Posted by Maniaxx View Post
    Hi,
    Is it possible that someone can sniff a secured WLAN connection to obtain the client's IP address without knowing the WEP/WPA key?
    Check out Kismet.

    Is it possible to fake the 'WEP' string to fool monitor tools? Maybe it's hardcoded in the WLAN data stream itself... I don't know.
    Not sure what you mean about this part; maybe it ties in with the first one, but at any rate have a look at Kismet. It is in BT.
    If I only have weak WEP encryption and I want to harden it by choosing an exotic subnet (without DHCP), an attacker would only have to wait until I connect to the AP to obtain the valid IP range/subnet, right?
    All WEP is weak; as such there is no real way to harden it.

    Hit back if you need more help.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  3. #3
    Member
    Join Date
    Apr 2007
    Posts
    155

    Default

    Is it possible to fake the 'WEP' string to fool monitor tools? Maybe it's hardcoded in the WLAN data stream itself... I don't know.
    This is what I think you are asking: is it possible to broadcast a fake WEP key while hiding the real one? Good idea (kind of, but WEP can still be cracked), but it doesn't exist.

    If I only have weak WEP encryption and I want to harden it by choosing an exotic subnet (without DHCP), an attacker would only have to wait until I connect to the AP to obtain the valid IP range/subnet, right?
    oooOOOOOooo exotic eh?! Can I come visit for vacation!?
    Do you mean you have MAC address filtering or static IPs?

    In the end you are best off with WPA (AES).
    This is a hackers forum :P
    root ~# aircrack-ng pwnd-01.cap
    Lenovo Thinkpad R500, OS: Ubuntu 8.10, BackTrack3, Windows XP (VirtualBox), Windows Vista, Windows 7 beta

  4. #4
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by Shavx View Post
    This is what I think you are asking: is it possible to broadcast a fake WEP key while hiding the real one? Good idea (kind of, but WEP can still be cracked), but it doesn't exist.

    oooOOOOOooo exotic eh?! Can I come visit for vacation!?
    Do you mean you have MAC address filtering or static IPs?

    In the end you are best off with WPA (AES).
    Exotic Subnet = 202.3.227.X

    Erotic Subnet = 66.230.156.X
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  5. #5
    Junior Member Maniaxx's Avatar
    Join Date
    May 2008
    Posts
    38

    Default

    Quote Originally Posted by archangel.amael View Post
    Check out kismet
    1) You mean I can sniff a secured connection without knowing the key to obtain the IP addresses? Let's say the client is 192.168.2.1 and the AP is 192.168.1.1? Isn't the IP layer encrypted already?

    2) Regarding the 'WEP fake', I meant faking the string you see when you sniff with airodump-ng, for example. When people see 'WEP' they know it's weak. But if I could modify the AP (Linux) and my client to falsely broadcast 'WPA' (even though it's WEP), people may not try to touch my connection. I don't know how airodump picks the WEP string, either by analyzing network data or blindly from a hard-coded string in the flowing data. Only the latter would allow faking it, since it's broadcast by the AP/client. But if airodump analyzes the raw data and decides for itself, I don't think it's possible.

    3) Regarding hardening WEP, I thought about choosing some exotic static addresses like 234.166.22.0/24 (without DHCP), for example. Anyone who cracks the encryption would still need to get into the subnet to talk to the AP. So, if I did not talk/connect to the AP, he could only brute-force many ranges.

  6. #6
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by Maniaxx View Post
    2) Regarding the 'WEP fake', I meant faking the string you see when you sniff with airodump-ng, for example. When people see 'WEP' they know it's weak. But if I could modify the AP (Linux) and my client to falsely broadcast 'WPA' (even though it's WEP), people may not try to touch my connection. I don't know how airodump picks the WEP string, either by analyzing network data or blindly from a hard-coded string in the flowing data. Only the latter would allow faking it, since it's broadcast by the AP/client. But if airodump analyzes the raw data and decides for itself, I don't think it's possible.
    Even if you were able to modify it so it would broadcast the wrong encryption, your clients would have difficulty connecting because they wouldn't know how to properly connect. The packet would say one thing, but the encryption format would be another.

    Why mess around with it at all? Just use WPA. WEP cannot be secured, it's that simple.

    3) Regarding hardening WEP, I thought about choosing some exotic static addresses like 234.166.22.0/24 (without DHCP), for example. Anyone who cracks the encryption would still need to get into the subnet to talk to the AP. So, if I did not talk/connect to the AP, he could only brute-force many ranges.
    What you're proposing is 'security through obscurity', and not even a good method of it at that. It is trivial to get the subnet of a network once the key is cracked.
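    On the 'WEP fake' question: the ENC column in airodump-ng is not a free-text string the AP sends. It is derived from fields that every client also parses, namely the Privacy bit in the beacon's capability field and the presence of an RSN information element (WPA2) or a WPA vendor element. The following added example (not code from this thread or from aircrack-ng) classifies constructed beacon frames the same way; the beacon bytes, MAC addresses and the minimal RSN/WPA element contents are constructed samples.

```python
import struct

ELEMENT_SSID = 0        # 802.11 information element IDs
ELEMENT_RSN = 48        # RSN IE: WPA2 (802.11i)
ELEMENT_VENDOR = 221    # vendor-specific IE; WPA1 uses OUI 00:50:f2, type 1
WPA1_OUI_TYPE = b"\x00\x50\xf2\x01"
CAP_PRIVACY = 0x0010    # Privacy bit in the beacon capability field (WEP or better)


def parse_beacon(frame: bytes) -> dict:
    """Classify the encryption a beacon advertises from its capability bits and IEs.

    `frame` starts at the 24-byte 802.11 MAC header (radiotap already stripped).
    """
    if len(frame) < 36 or (frame[0] & 0xFC) != 0x80:
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])      # addr3 = BSSID
    capability = struct.unpack_from("<H", frame, 34)[0]     # after timestamp + interval
    ssid, rsn, wpa1 = "", False, False
    pos = 36
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:
            break                                           # truncated IE: stop, don't guess
        if eid == ELEMENT_SSID:
            ssid = body.decode("utf-8", "replace")
        elif eid == ELEMENT_RSN:
            rsn = True
        elif eid == ELEMENT_VENDOR and body.startswith(WPA1_OUI_TYPE):
            wpa1 = True
        pos += 2 + elen
    privacy = bool(capability & CAP_PRIVACY)
    enc = "WPA2" if rsn else "WPA" if wpa1 else "WEP" if privacy else "OPN"
    return {"bssid": bssid, "ssid": ssid, "privacy": privacy, "enc": enc}


def _beacon(capability: int, elements: bytes) -> bytes:
    """Build a minimal beacon (constructed sample, not a real capture)."""
    mac = b"\x02\x00\x00\x00\x00\x01"
    header = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<H", 100) + struct.pack("<H", capability)
    return header + fixed + elements


OPEN_BEACON = _beacon(0x0001, b"\x00\x04home")                        # ESS only
WEP_BEACON = _beacon(0x0011, b"\x00\x04home")                         # ESS + Privacy bit
WPA2_BEACON = _beacon(0x0011, b"\x00\x04home" + b"\x30\x02\x01\x00")  # + minimal RSN IE

if __name__ == "__main__":
    for beacon in (OPEN_BEACON, WEP_BEACON, WPA2_BEACON):
        print(parse_beacon(beacon))
```

    A client reads exactly these fields to decide which handshake to attempt, which is why an AP advertising one scheme while running another leaves ordinary clients unable to associate.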

  7. #7
    Junior Member Maniaxx's Avatar
    Join Date
    May 2008
    Posts
    38

    Default

    Quote Originally Posted by streaker69 View Post
    your clients would have difficulty connecting because they wouldn't know how to properly connect. The packet would say one thing, but the encryption format would be another.
    That's why AP and client must be customized first. But yes, it's just a theory.

    What do you mean by "It is trivial to get the subnet of a network once the key is cracked"? How do you want to figure out the subnet if no client is connected? Brute forcing is not an option.

  8. #8

    Default

    Quote Originally Posted by Maniaxx View Post

    What do you mean by "It is trivial to get the subnet of a network once the key is cracked"? How do you want to figure out the subnet if no client is connected?
    Have you ever put a packet analyzer (e.g. Wireshark) on a network, even with no clients connected, and looked at the traffic? A router (wireless or otherwise), as part of its normal function, is going to send out traffic every so often (ARP requests, QoS, UPnP, STP, just as examples). All of these packets contain an IP address. If I did nothing else to speed up the process, if I can connect to your network, I should be able to deduce the subnet rather quickly.

  9. #9
    Junior Member Maniaxx's Avatar
    Join Date
    May 2008
    Posts
    38

    Default

    Yes, I used Wireshark already. But all it gave me in promiscuous mode were beacon frames or my fakeauth responses, nothing on the IP layer. Is there anything else needed besides setting the key with iwconfig?

  10. #10
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default

    Quote Originally Posted by Maniaxx View Post
    3) Regarding hardening WEP, I thought about choosing some exotic static addresses like 234.166.22.0/24 (without DHCP), for example. Anyone who cracks the encryption would still need to get into the subnet to talk to the AP. So, if I did not talk/connect to the AP, he could only brute-force many ranges.
    OK, first, as everyone else including myself has pointed out, WEP is insecure. There is no need to try and make it secure; that is why the engineers that designed it are no longer using it. If you want to keep playing with it, go ahead. But when someone with malicious intent comes along and does something, then you can only blame yourself.

    As for your question above, well, after one cracks your WEP key they can then connect to your AP and run netdiscover or another such tool; this will tell them all they need about your network's IP addresses.
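    Posts #8 and #10 make the same point from the defender's side: once the link key is known, the gateway's own periodic ARP traffic carries its addresses in the clear, so an unusual static subnet is not hidden at all. This added example (not code from the thread, netdiscover or Wireshark) parses constructed Ethernet/ARP frames and computes the smallest network that covers every address seen; the MAC addresses and the 10.213.77.0/24 range are constructed sample data.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806


def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_ip) for an Ethernet II IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ipaddress.IPv4Address(frame[28:32])
    target_ip = ipaddress.IPv4Address(frame[38:42])
    return op, sender_mac, sender_ip, target_ip


def infer_subnet(frames):
    """Smallest network containing every address seen in ARP traffic (None if no ARP seen)."""
    seen = set()
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue                                   # non-ARP traffic is ignored here
        _, _, sender_ip, target_ip = parsed
        for ip in (sender_ip, target_ip):
            if ip != ipaddress.IPv4Address("0.0.0.0"):  # ARP probes use 0.0.0.0 as sender
                seen.add(ip)
    if not seen:
        return None
    lo, hi = min(seen), max(seen)
    prefix = 32                                        # shrink until one prefix covers lo and hi
    while prefix > 0 and (ipaddress.IPv4Network(f"{lo}/{prefix}", strict=False)
                          != ipaddress.IPv4Network(f"{hi}/{prefix}", strict=False)):
        prefix -= 1
    return ipaddress.IPv4Network(f"{lo}/{prefix}", strict=False)


def _arp(op: int, sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    """Build an Ethernet II + ARP frame (constructed sample, not a real capture)."""
    eth = b"\xff" * 6 + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + sha + ipaddress.IPv4Address(spa).packed + tha + ipaddress.IPv4Address(tpa).packed


GATEWAY = b"\x00\x11\x22\x33\x44\x55"
ZERO_MAC = b"\x00" * 6
SAMPLE_FRAMES = [                                      # constructed: idle gateway on a static /24
    _arp(1, GATEWAY, "10.213.77.1", ZERO_MAC, "10.213.77.20"),     # who-has from the gateway
    _arp(1, GATEWAY, "10.213.77.1", ZERO_MAC, "10.213.77.254"),    # another periodic who-has
    b"\xff" * 6 + GATEWAY + b"\x08\x00" + b"\x00" * 40,             # non-ARP frame, skipped
]
```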

