Network association and sniffing

[jivaro]

I have detected with Kismet in my wireless home network 2 MAC that do not belong to any computer in my family. I have changed from WEP encryption to WPA and now intrusion seems to be finished.

Just one question: if WEP or WPA keys are known, is it necessary to associate to an AP to sniff its traffic ? If yes, sniffing operation can be easily detected and traced. If not I realize that it may be close to impossible to detect a sniffer.

I have found different answers to this question in the net and I would greatly appreciate that somebody could give me a concise answer.

Thanks

[skor78]

There isn't really a concise answer, wep can easily be cracked and sniffed, wpa will only be possible to sniff if you have the key, to crack the key, you have to run the captured handshake against a dictionary, which depending on your password can be quite easy or very hard/impossible to get.

To better protect yourself use a wpa key with 10+ characters, and mix numbers, letters and special char... In example..

!34ckTrac<!4

Hope this helps, cheers!

[jivaro]

But the question is: if there is no unknown MAC in my network I can be sure that I'm not sniffed ? (let's forget by now MAC spoofing)

[Snayler]

if WEP or WPA keys are known, is it necessary to associate to an AP to sniff its traffic ?

No, it is not necessary to associate with an AP in order to sniff traffic. You can just use airodump to capture packets and airdecap to decrypt those packets using the known WEP/WPA key.

BTW, this attack can't capture SSL protected passwords, only plaintext passwords.

So yes, it is impossible to detect, but you can avoid this by setting up a good WPA password like skor78's advised.

[jivaro]

You can bet that I have chosen a good WPA password... I have mixed uppercase, lower case, numbers, symbols....

BTW, I don't care that anybody sniffs what I'm surfing, but I do care that anybody could get my Paypal password, the keys of my bank accounts, etc....

[skor78]

You can bet that I have chosen a good WPA password... I have mixed uppercase, lower case, numbers, symbols....

In this case you don't need to worry about anyone getting your passwords by sniffing wireless, focus instead in protecting yourself from opening SE (social engineering) emails, apps with keyloggers, etc. (which is the source of most attacks, not wifi).
Be aware of what links/apps you open from your emails/forums/blogs, use a good AV and firewall (if you're working in sh!ty windows).

[kYd420]

You can just use airodump to capture packets and airdecap to decrypt those packets using the known WEP/WPA key.

I know this is true for WEP, but I thought with WPA, even if you know the key, you would be not be able to decrypt the traffic as each user gets their own unique key derived from the actual WPA key.

?

[inrikey]

You can bet that I have chosen a good WPA password... I have mixed uppercase, lower case, numbers, symbols....

BTW, I don't care that anybody sniffs what I'm surfing, but I do care that anybody could get my Paypal password, the keys of my bank accounts, etc....

My friend if u want to be more safe u can do the MAC filter option and hide your broadcasting wifi and the last 1 u can do the ip autorisation i hope that help

[skor78]

My friend if u want to be more safe u can do the MAC filter option and hide your broadcasting wifi and the last 1 u can do the ip autorisation i hope that help

what?? care to explain how he'll avoid being sniffed with the above configurations? Only thing that can really help is a good encryption, and if in doubt, an encrypted VPN over the encrypted wi-fi, but all those recommendations you gave won't protect him from a sniffer.. how is it that old saying?.. "You can run, but can't hide!"

[Citruspers]

My friend if u want to be more safe u can do the MAC filter option and hide your broadcasting wifi and the last 1 u can do the ip autorisation i hope that help

Haha, right. Disabling broadcasting is just security through obscurity, and macs can be easily spoofed (and you can easily find out what macs are "authorised" by listening in with airodump.

To the OP: If you have a strong WPA key, and are using paypal with SSL, and don't accept random certificates, you should be fine.