Undetectable APs



Can access points be configured such that they are undetectable by the typical
hobbyist wifi radio scan, assuming that they are in range of the transceiver?
With Windows? With Linux? Other than hostname and MAC address, can particular
computers be denied replies to a scan based on what other parameters?  Can
netstumbler or some other software discover these "shielded" APs?

(at work, hence anonymous usenet access)


Re: Undetectable APs


On Fri, 30 Jul 2010 01:45:50 +0200 (CEST), in


Not seen by Joe Sixpack, but detectable by even a modest hobbyist.

--
John            FAQ for Wireless Internet: <http://wireless.navas.us>
                FAQ for Wi-Fi:  <http://wireless.navas.us/wiki/Wi-Fi>
           Wi-Fi How To:  <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems:  <http://wireless.navas.us/wiki/Wi-Fi_Fixes>

Re: Undetectable APs



Windows itself won't pop up and mention them, but any wifi sniffing
software will do it, no special hardware required.


Windows, definitely.  I'd assume Linux too, but I've never looked.


You can deny a computer on any basis your AP allows.  In general this
means MAC addresses, occasionally hostnames or similar, in rare cases
other parameters are probably going to be possible too.

Re: Undetectable APs




Rare cases? Parameters? Such as? Do you even know what you're
talking about?

Re: Undetectable APs



Depends on your hardware and software, yes.  Most people buy the
cheapest thing at Best Buy; this severely limits your options vs what
higher end choices might allow.


Well, one example would be to allow 802.11b or g clients.  Another might
be to only allow WPA2-PSK but not WPA-PSK.


If you use manufacturer supplied software on your AP then your ability
to set limitations is based on the feature set the manufacturer
provided.  Most APs will only let you allow/deny wireless access based
on MAC address (and of course compatible encryption settings).

A few will block by hostname, although technically speaking they
actually do have to allow the wireless connection first, then once the
hostname is known, decide whether to route packets or not.

If you control the software on your AP then you are limited only by
your imagination and coding skills.

Re: Undetectable APs


On Fri, 30 Jul 2010 15:57:07 -0700, in


The radio has to be on for the AP to do anything useful, which is easily
detectable no matter what your imagination and coding skills.

--
John

Re: Undetectable APs




Absolutely.  However, you can deny access, or fail to reply to scans.

A passive scan will still find you, but I covered that earlier in my
previous message.

Re: Undetectable APs




Do most PC wifi radios do passive or active scans and what
exactly is the difference? I am guessing that active means
actually sending a packet out for reply. But how can a
receiver detect an AP that is not addressing packets to that
receiver, which is what a "passive" scan implies? I think
with wired network scanners they send out an abbreviated
packet or some such which are undetectable by many firewalls,
but not all.

Re: Undetectable APs


Meanwhile, at the alt.internet.wireless Job Justification Hearings, ArnieJ
chose the tried and tested strategy of:


The answer to that is similar to with APs; in general using third-party
software will give you more options.


The chipset in the wifi NIC needs to be able to pass all received data to
the scanning software, i.e. not just packets sent to its own MAC address. The
scanning software will then instruct the NIC to hop from channel to channel,
dwelling briefly on each one to listen for traffic. Whatever information can
be extracted from a packet will be used to build a report for the operator
of the software, e.g. channel, signal strength, SSID, MAC address, IP
addresses if they're not encrypted, etc.

How likely are you to see packets on the air from a wireless network? Very.
If it's not hidden, an AP will be sending beacon frames out regularly. Even
if it is hidden, there will still be regular, non-user-initiated chatter
like ARP requests, AV updates, Windows updates, etc.


I think you're talking about a port scanner which operates at different
layers to a wireless network sniffer.

http://en.wikipedia.org/wiki/TCP/IP_model

A port scanner isn't really much use when wanting to investigate unknown
wireless networks, because you need to have IP connectivity in order to make
use of it.

--
 <http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm@ale.cx)
 11:34:24 up 13 days,  2:05,  6 users,  load average: 0.03, 0.09, 0.11
 Qua illic est accuso, illic est a vindicatum


Re: Undetectable APs


    An AP transmits to ALL "receivers" in range. Always. The
"receiver" decides if it wants the data or not. If there is a hacker
behind the receiver, he probably DOES want that data.
    :)
    []'s

Re: Undetectable APs


On Sat, 31 Jul 2010 02:55:10 +0000 (UTC), ArnieJ


An active sniffer transmits something to the access point, such as a
connection request or broadcast probe request.  The AP is expected to
respond.  Netstumbler works this way.

A passive sniffer simply listens to the traffic going by.  Kismet
works this way.


Correct.


There are directed packets (unicast) and non-directed packets
(multicast).  See comments under Active and Passive Scanning at:
<http://trac.kismac-ng.org/wiki/AdditionalInformation>
Note that if the AP does not respond to probe requests, there would be
no way to find or connect to an access point.


Not that I know about.  
--
Jeff Liebermann     jeffl@cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558

Re: Undetectable APs


On Sat, 31 Jul 2010 10:26:01 -0700, in



If the access point is enabled for a client, all that's needed is to
spoof the MAC of the client, which can be determined by sniffing the
wireless traffic.

--
John

"Assumption is the mother of all screw ups."
[Wethern’s Law of Suspended Judgement]

Re: Undetectable APs


On Fri, 30 Jul 2010 19:23:35 -0700, in


And traffic can be sniffed.

--
John

Re: Undetectable APs



Sure, turn off the AP's radio, and it'll be hard to detect it.

What's your goal here, exactly?

Re: Undetectable APs


:-))

Remember that many devices (PCs) allow MAC addresses
to be changed too. The wireless drivers on my
Vista PC though only allow correctly formatted
LAAs.

I could imagine someone finding an Access Point,
sniffing the traffic, changing the MAC address of their PC
to match that of a permitted client and then gaining access.

Of course long random keys and WPA or even better WPA2
seem to still be secure.

WEP is useless against all but the clueless. It looks to me
that MAC address filtering must be similarly hopeless, although
I have not tried it in practice.



Re: Undetectable APs


On Fri, 30 Jul 2010 17:55:58 -0700 (PDT), in


Not true, unfortunately.  See my post
"NEWS: Security shortcomings in WPA2 that threaten security of wireless
networks".  PSK also has weaknesses.

--
John

Re: Undetectable APs


On Fri, 30 Jul 2010 01:45:50 +0200 (CEST), "Non scrivetemi"


No.  In order for a wireless access point to function, it has to
transmit something, which can be detected.  In addition, for 802.11 to
function, the MAC addresses and management information are all sent
un-encrypted.


The operating system has little to do with the over-the-air security.
You could be running on a game machine, and it would still be
sniffable.


No.  Scanning can be either active (Netstumbler) or passive (Kismet).
You can mangle the active scanning probes in the access point firmware
(commonly done on higher end access points).  However, there's nothing
that can be done to prevent a passive sniffer from simply listening to
the traffic.  
<http://www.darklab.net/resources/wireless-sniffers.html>


Applying an IP or MAC address filter doesn't shield anything.


Right.

What are you trying to accomplish and what do you have to work with?

--
Jeff Liebermann     jeffl@cruzio.com

Re: Undetectable APs



Since you gave me good answers and usually do here, I will tell you.

Over the last year or so I have discovered at least 3 open routers
running unencrypted APs from my stand alone old pc scans using a simple usb
wifi radio and software.

A couple of times I configured the routers to give me encrypted access because
I was having a lot of problems with hackers trying to break into my computer
to steal files. I was not trying to break into anyone's computer, just wanted
free net access. They were using a program to exploit some flaw in my OS and
change the file sharing settings. I detected this and made the necessary
corrections to my system so they could not break in.

Once I got encrypted access the hackers went poof. But then the owners of the
AP realized someone else was using their AP, since I was now listed in the
router, and they either took down the transmitter, or they somehow shielded me
from being able to detect them with a simple client radio scan.

I was wondering how those particular APs suddenly disappeared from my scans.
I guess maybe I could try to get their email address from their user and host
names and ask them why their AP is no longer there in my scans. Of course,
they may not be willing to tell me. I am using the same radio, scanner and
location.

I am guessing from your reply that I have an active scanner since it
is just simple software that comes with a USB radio. So perhaps they are setting
their AP not to reply to my scans. I can change my MAC and other usual
identifying names at will, so it's not MAC/hostname filtering.

Some of the sophisticated software I have read about I THINK is able to
deny response to active scans based on other parameters that identify
the rogue client as a rogue client, including not having the right MAC
address, location and other parameters.

I am just trying to learn and also trying to keep free access. I can't afford
the outrageous (imo) rates being charged for commercial wifi access and I bet
the stability of the paid connections isn't much better than what I get for
free. If they leave their door wide open, then don't complain if somebody
comes in to take a snooze.






Re: Undetectable APs


On Sun,  1 Aug 2010 09:55:25 +0200 (CEST), starwars


I usually ask "what are you trying to accomplish, and what do you have
to work with".


How do you know that hackers were trying to break into your computer
and steal files?  Connection attempts are common.  Many laptops,
PDAs, and cell phones try to connect without any user intervention.
For example, my iPhone 3G PDA (cell phone disabled) will try to
connect via Wi-Fi to anything that it hears when it wakes up every 15
or so minutes.


It's considered good form to *ASK* the owners of the wireless access
points for permission to use their access points.  My batting average
with asking used to be fairly good about 8-10 years ago.  Then, horror
stories appeared in the press about evil hackers lurking in the
shadows looking for data to pilfer from the GUM (great unwashed
masses).  These days, my batting average is much less, especially if
they're into file sharing and worried about getting caught.


Like I asked, how did you know?  What program were you using?  I've
dealt with paranoids that think that the Windoze networking browser
election or Windoze Media Player advertisements are an attack of
sorts.  Programs such as Zone Alarm can be set to provide alerts for
just about anything.

If you're seriously worried about attacks via wireless, I suggest you
investigate using a software firewall on your computer or using double
NAT plus SPI on a router behind a wireless client bridge (instead of
your USB thing).


I won't ask how you got unencrypted access.  Assuming it was done
properly by asking, it should have had no effect on your alleged
attacks.  Sorry, but you have it backwards.  There are some things
that can be done to an encrypted access point or router, but very
little to a wireless client adapter.  If you're worried, turn off
peer-to-peer access in your wireless network settings on your USB
device.


More likely, they hired the neighborhood computer geek to properly
secure their router.  In some cases, they may have hired the Geek
Squad.  In extremely rare cases, they may have read the instructions
that came with their wireless router.  It's difficult to tell.


Most modern APs have a feature where they don't broadcast their SSID,
called "SSID hiding".  It's not 100% effective and can be detected:
<http://www.library.cornell.edu/dlit/ds/links/cit/redrover/ssid/wp_ssid_hiding.pdf>


If they were on AT&T or other ISP that uses PPPoE, the login "name" is
their email address.  You should have recorded that when you first
broke in and started making changes.  If you have a directional
antenna, you can possibly locate the access point.  Maybe build one of
these reflectors:
<http://802.11junk.com/jeffl/antennas/Salad-Dish/index.html>
and shove your USB dongle down the pipe to the focus.  Lots of other
ways to build a directional antenna.  However, the best would be a USB
dongle with an external RP-SMA antenna connector, and a proper
directional dish or panel antenna.  Be sure to shield the dongle with
aluminum foil so that all the RF goes to/from the dish.


The maker and model would be helpful, but it's certainly an active
scanner if you're referring to the "site survey" feature.  Your client
adapter sends out a probe request, to which all the APs in the
neighborhood reply with their SSID, MAC address, and connection info.
Your client adapter also scans all 11 channels in sequence looking for
APs to connect to.  That's the active part.  The passive part is that
normal APs beacon their SSID several times per second.  You don't
need a probe request to see those, which can be heard with a passive
scanner.


Sorta.  SSID hiding works by beaconing a zero length SSID in the
beacons.  Your client adapter doesn't know what to do with a blank
SSID and therefore shows nothing.  However connect and disconnect
requests still contain the SSID.


As you note, MAC address filtering is nearly useless.


True, but more commonly, SSID hiding is what is used.  There are also
some wireless router exploits that are blocked by the router firmware.
For example, pounding on the access point with probe requests will
usually cause the access point to go comatose on the assumption that
it's being attacked.


While prosecutions for wireless intrusions are rare and usually a
waste of time, it's still not ethically or morally correct.  I suggest
you ask yourself how you would feel if your neighbors were borrowing
your bandwidth.  I did that willingly with a neighborhood LAN and ran
into problems with users not knowing the difference between abuse and
normal use.  Instead of spending your time hacking, perhaps it would
be better spent asking them for permission.  Who knows... they might
be friendly?

--
Jeff Liebermann     jeffl@cruzio.com
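To illustrate the active/passive distinction and the SSID-hiding point made in the reply above (an empty SSID element in beacons, while association traffic still carries the name), here is a small passive survey over constructed 802.11 management frames. This is example code added for this edit, not code from the thread, from Kismet or from Netstumbler; the MAC addresses, SSID and frame contents are constructed sample data.

```python
import struct

# Management subtypes handled and the size of the fixed fields that precede their
# tagged parameters: timestamp+interval+capability (12) for beacons and probe
# responses, capability+listen interval (4) for association requests.
FIXED_LEN = {0x8: 12, 0x5: 12, 0x4: 0, 0x0: 4}
NAMES = {0x8: "beacon", 0x5: "probe-resp", 0x4: "probe-req", 0x0: "assoc-req"}
TAG_SSID, TAG_DS = 0, 3  # information element ids: SSID, DS parameter set (channel)


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_tags(body):
    """Tagged parameters: id(1) len(1) value(len), repeated; first of each id wins."""
    tags, i = {}, 0
    while i + 2 <= len(body):
        tid, tlen = body[i], body[i + 1]
        val = body[i + 2:i + 2 + tlen]
        if len(val) < tlen:  # truncated frame: stop, keep what was parsed
            break
        tags.setdefault(tid, val)
        i += 2 + tlen
    return tags


def parse_mgmt(frame):
    """Fields of a management frame this example understands, else None."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in FIXED_LEN:
        return None
    tags = parse_tags(frame[24 + FIXED_LEN[subtype]:])
    ssid, ds = tags.get(TAG_SSID), tags.get(TAG_DS)
    # A "hidden" SSID is an empty element or one padded with NULs (both exist).
    hidden = ssid is not None and ssid.strip(b"\x00") == b""
    return {"kind": NAMES[subtype], "sa": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22]),
            "channel": ds[0] if ds and len(ds) == 1 else None,
            "ssid": None if hidden or ssid is None else ssid.decode("utf-8", "replace")}


def survey(frames):
    """Passive survey keyed by BSSID: a beacon pins down the AP (BSSID, channel) even
    with its SSID hidden; a probe response or association request supplies the name."""
    aps = {}
    for m in filter(None, map(parse_mgmt, frames)):
        if m["kind"] == "probe-req":  # sent by clients, carries no BSSID
            continue
        ap = aps.setdefault(m["bssid"], {"channel": None, "ssid": None,
                                         "hidden": False, "seen": []})
        ap["seen"].append(m["kind"])
        if m["channel"] is not None:
            ap["channel"] = m["channel"]
        if m["kind"] == "beacon":
            ap["hidden"] = m["ssid"] is None
        if m["ssid"] and ap["ssid"] is None:
            ap["ssid"] = m["ssid"]
    return aps


def build_mgmt(subtype, da, sa, bssid, tags, fixed=b""):
    """Build a minimal management frame; used only to construct sample input."""
    hdr = bytes([subtype << 4, 0, 0, 0]) + da + sa + bssid + b"\x00\x00"
    return hdr + fixed + b"".join(bytes([tid, len(v)]) + v for tid, v in tags)


# Constructed sample capture (locally administered MACs, not real devices).
BCAST, AP, CLIENT = b"\xff" * 6, bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
BEACON_FIXED = b"\x00" * 8 + struct.pack("<HH", 100, 0x0431)  # timestamp, interval, capability
SAMPLE_FRAMES = [
    build_mgmt(0x8, BCAST, AP, AP, [(TAG_SSID, b""), (TAG_DS, b"\x06")], BEACON_FIXED),  # hidden beacon
    build_mgmt(0x4, BCAST, CLIENT, BCAST, [(TAG_SSID, b"")]),  # wildcard probe request
    build_mgmt(0x0, AP, CLIENT, AP, [(TAG_SSID, b"CoffeeNet")], struct.pack("<HH", 0x0431, 10)),
]
```

Running `survey(SAMPLE_FRAMES)` reports the AP on channel 6 as hidden from its beacon alone, and fills in the SSID from the client's association request without any probe having been sent.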

Re: Undetectable APs



Yeah thanks for your good replies and information. Without you this group would
be pretty lame, sad to say.



I saw it in my firewall logs; they were using some type of incoming buffer
overflow, usually on ports 137-39, and then my file sharing settings were reset
to share and I started having problems with their controlling my PC: NOT GOOD.
Fortunately I caught it quickly and made the necessary cfg changes so they
cannot get access to files.



Ok, maybe if I can find out their email address.



No, this definitely was an attack. When they saw I was connecting
unencrypted, that was their invite to fire up their script kiddie program and try
to d/l my files. I did a full virus/trojan scan using several good scanners and
came up negative, including root kit scans, so it was not a trojan as far as I
have been able to determine.



Already have a good one, but might be updating to one designed for wireless. I do
not have my own router.



I did not hack for encrypted access; the AP listed
"NONE" for encryption. Pardon my ignorance, but maybe I am not stating it
correctly? When I connected to the open router (default/no password), I was able
to then set a password for the router and also a key phrase for PSK encryption.
Once I did that the hacking attempts died. Is that the same as encrypted access?
They can issue d/c packets to your client adapter, which they also do
frequently. Don't know if this is coming from a hacker or from the owner of the
AP? How do you turn off P2P access on your client adapter? I think it might be
off by default.


Or they changed the direction of their antenna?




Ok thanks I will look it up. But trying to connect to that "profile" in my list,
resulted in nothing as I recall?




Already have a homemade half parabola behind a 5 dBi whip. The whip extends from
the 3 cm x 3 cm radio upwards and the dish is positioned such that the focal
point aligns with the rubber whip. Since the radio is below the parabola, should
I cover it with foil also? The question arises as to how to most effectively
focus the radio waves into the donut pattern of the whip. How does one modify a
whip to make it directional so as to avoid having to make or purchase another
antenna?


Ok yeah going to have to migrate to linux in order to use Kismet. I am stupid
when it comes to computers so it's all a chore for me.


Ok so if I cannot connect to that pre-saved profile, means they either  took it
down or changed their antenna/direction, or reduced their power,
or changed their mac and ssid?





Ok did not know that thanks.




Yeah I might take your suggestion, IF I can find out who they are. I just assume
I am going to be attacked, especially if I connect with no encryption. But so
far I know just enough to block hackers from getting in, I THINK, hahahah.

duplicates of this post due to unreliable remailers


