Undetectable APs

Can access points be configured such that they are undetectable by the typical hobbyist wifi radio scan, assuming that they are in range of the transceiver? With Windows? With Linux? Other than hostname and MAC address, can particular computers be denied replies to a scan based on what other parameters? Can NetStumbler or some other software discover these "shielded" APs?

(at work, hence anonymous usenet access)

Reply to
Non scrivetemi

Not seen by Joe Sixpack, but detectable by even a modest hobbyist.

Reply to
John Navas

Windows itself won't pop up and mention them, but any wifi sniffing software will do it, no special hardware required.

Windows, definitely. I'd assume Linux too, but I've never looked.

You can deny a computer on any basis your AP allows. In general this means MAC addresses, occasionally hostnames or similar, in rare cases other parameters are probably going to be possible too.

Reply to
DevilsPGD

DevilsPGD wrote in news: snipped-for-privacy@4ax.com:

> Windows itself won't pop up and mention them, but any wifi sniffing software will do it, no special hardware required.
>
> Windows, definitely. I'd assume Linux too, but I've never looked.
>
> You can deny a computer on any basis your AP allows. In general this means MAC addresses, occasionally hostnames or similar, in rare cases other parameters are probably going to be possible too.

Rare cases? Parameters? Such as? Do you even know what you're talking about?

Reply to
Dobie

Depends on your hardware and software, yes. Most people buy the cheapest thing at Best Buy, this severely limits your options vs what higher end choices might allow.

Well, one example would be to allow 802.11b or g clients. Another might be only allow WPA2-PSK but not WPA-PSK.

If you use manufacturer-supplied software on your AP then your ability to set limitations is based on the feature set the manufacturer provided. Most APs will only let you allow/deny wireless access based on MAC address (and of course compatible encryption settings).

A few will block by hostname, although technically speaking they actually do have to allow the wireless connection first, then once the hostname is known, decide whether to route packets or not.

If you control the software on your AP then the only limits are your imagination and coding skills.

Reply to
DevilsPGD

> Can access points be configured such that they are undetectable by the typical hobbyist wifi radio scan assuming that they are in range of the transceiver?

Sure, turn off the AP's radio, and it'll be hard to detect it.

What's your goal here, exactly?

Reply to
Aaron Leonard

:-))

Remember that many devices (PCs) allow MAC addresses to be changed too. The wireless drivers on my Vista PC though only allow correctly formatted LAAs.

I could imagine someone finding an Access Point, sniffing the traffic, changing the MAC address of their PC to match that of a permitted client and then gaining access.

Of course long random keys and WPA or even better WPA2 seem to still be secure.

WEP is useless against all but the clueless. It looks to me that MAC address filtering must be similarly hopeless, although I have not tried it in practice.

Reply to
bod43

The radio has to be on for the AP to do anything useful, which is easily detectable no matter what your imagination and coding skills.

Reply to
John Navas

Not true, unfortunately. See my post "NEWS: Security shortcomings in WPA2 that threaten security of wireless networks". PSK also has weaknesses.

Reply to
John Navas

Absolutely. However, you can deny access, or fail to reply to scans.

A passive scan will still find you, but I covered that earlier in my previous message.

Reply to
DevilsPGD

DevilsPGD wrote in news: snipped-for-privacy@4ax.com:

> Absolutely. However, you can deny access, or fail to reply to scans.
>
> A passive scan will still find you, but I covered that earlier in my previous message.

Do most PC wifi radios do passive or active scans and what exactly is the difference? I am guessing that active means actually sending a packet out for reply. But how can a receiver detect an AP that is not addressing packets to that receiver, which is what a "passive" scan implies? I think with wired network scanners they send out an abbreviated packet or some such which are undetectable by many firewalls, but not all.

Reply to
ArnieJ

Meanwhile, at the alt.internet.wireless Job Justification Hearings, ArnieJ chose the tried and tested strategy of:

The answer to that is similar to with APs; in general using third-party software will give you more options.

The chipset in the wifi NIC needs to be able to pass all received data to the scanning software, i.e. not just packets sent to its own MAC address. The scanning software will then instruct the NIC to hop from channel to channel, dwelling briefly on each one to listen for traffic. Whatever information can be extracted from a packet will be used to build a report for the operator of the software, e.g. channel, signal strength, SSID, MAC address, IP addresses if they're not encrypted, etc.

How likely are you to see packets on the air from a wireless network? Very. If it's not hidden, an AP will be sending beacon frames out regularly. Even if it is hidden, there will still be regular, non-user-initiated chatter like ARP requests, AV updates, Windows updates, etc.

I think you're talking about a port scanner which operates at different layers to a wireless network sniffer.

A port scanner isn't really much use when wanting to investigate unknown wireless networks, because you need to have IP connectivity in order to make use of it.

Reply to
alexd

And traffic can be sniffed.

Reply to
John Navas

No. In order for a wireless access point to function, it has to transmit something, which can be detected. In addition, for 802.11 to function, the MAC addresses and management information are all sent unencrypted.

The operating system has little to do with the over-the-air security. You could be running on a game machine, and it would still be sniffable.

No. Scanning can be either active (Netstumbler) or passive (Kismet). You can mangle the active scanning probes in the access point firmware (commonly done on higher end access points). However, there's nothing that can be done to prevent a passive sniffer from simply listening to the traffic.

Applying an IP or MAC address filter doesn't shield anything.

Right.

What are you trying to accomplish and what do you have to work with?

Reply to
Jeff Liebermann

An active sniffer transmits something to the access point, such as a connection request or broadcast probe request. The AP is expected to respond. Netstumbler works this way.

A passive sniffer simply listens to the traffic going by. Kismet works this way.

Correct.

There are directed packets (unicast) and non-directed packets (multicast). See comments under Active and Passive Scanning at:

Note that if the AP does not respond to probe requests, there would be no way to find or connect to an access point.

Not that I know about.

Reply to
Jeff Liebermann

If the access point is enabled for a client, all that's needed is to spoof the MAC of the client, which can be determined by sniffing the wireless traffic.

Reply to
John Navas

Jeff Liebermann answered:

> Can access points be configured such that they are undetectable by the typical hobbyist wifi radio scan assuming that they are in range of the transceiver?

Since you gave me good answers and usually do here, I will tell you.

Over the last year or so I have discovered at least 3 open routers running unencrypted APs from my stand alone old pc scans using a simple usb wifi radio and software.

A couple times I configured the routers to give me encrypted access because I was having a lot of problems with hackers trying to break into my computer to steal files. I was not trying to break into anyone's computer, just wanted free net access. They were using a program to exploit some flaw in my OS and change the file sharing settings. I detected this and made the necessary corrections to my system so they could not break in.

Once I got encrypted access the hackers went poof. But then the owners of the AP realized someone else was using their AP, since I was now listed in the router, and they either took down the transmitter, or they somehow shielded me from being able to detect them with a simple client radio scan.

I was wondering how those particular APs suddenly disappeared from my scans. I guess maybe I could try to get their email address from their user and host names and ask them why their AP is no longer there in my scans. Of course, they may not be willing to tell me. I am using the same radio, scanner and location.

I am guessing from your reply that I have an active scanner since it is just simple software that comes with a usb radio. So perhaps they are setting their AP not to reply to my scans. I can change my mac and other usual identifying names at will, so it's not mac/hostname filtering.

Some of the sophisticated software I have read about I THINK is able to deny response to active scans based on other parameters that identify the rogue client as a rogue client, including not having the right MAC address, location and other parameters.

I am just trying to learn and also trying to keep free access; I can't afford the outrageous (imo) rates being charged for commercial wifi access and I bet the stability of the paid connections isn't much better than what I get for free. If they leave their door wide open, then don't complain if somebody comes in to take a snooze.

Reply to
starwars

An AP transmits to ALL "receivers" in range. Always. The "receiver" decides if it wants the data or not. If there is a hacker behind the receiver, he probably DOES want that data. :) []'s

Reply to
Nemesis

I usually ask "what are you trying to accomplish, and what do you have to work with".

How do you know that hackers were trying to break into your computer and steal files? Connection attempts are common. Many laptops, PDA's, and cell phones try to connect without any user intervention. For example, my iPhone 3G PDA (cell phone disabled) will try to connect via Wi-Fi to anything that it hears when it wakes up every 15 or so minutes.

It's considered good form to *ASK* the owners of the wireless access points for permission to use their access points. My batting average with asking used to be fairly good about 8-10 years ago. Then, horror stories appeared in the press about evil hackers lurking in the shadows looking for data to pilfer from the GUM (great unwashed masses). These days, my batting average is much less, especially if they're into file sharing and worried about getting caught.

Like I asked, how did you know? What program were you using? I've dealt with paranoids that think that the Windoze networking browser election or Windoze Media Player advertisements is an attack of sorts. Programs such as Zone Alarm can be set to provide alerts for just about anything.

If you're seriously worried about attacks via wireless, I suggest you investigate using a software firewall on your computer or using double NAT plus SPI on a router behind a wireless client bridge (instead of your USB thing).

I won't ask how you got unencrypted access. Assuming it was done properly by asking, it should have had no effect on your alleged attacks. Sorry, but you have it backwards. There are some things that can be done to an encrypted access point or router, but very little to a wireless client adapter. If you're worried, turn off peer-to-peer access in your wireless network settings on your USB device.

More likely, they hired the neighborhood computer geek to properly secure their router. In some cases, they may have hired the Geek Squad. In extremely rare cases, they may have read the instructions that came with their wireless router. It's difficult to tell.

Most modern AP's have a feature where they don't broadcast their SSID called "SSID hiding". It's not 100% effective and can be detected:

If they were on AT&T or other ISP that uses PPPoE, the login "name" is their email address. You should have recorded that when you first broke in and started making changes. If you have a directional antenna, you can possibly locate the access point. Maybe build one of these reflectors:

and shove your USB dongle down the pipe to the focus. Lots of other ways to build a directional antenna. However, the best would be a USB dongle with an external RP-SMA antenna connector, and a proper directional dish or panel antenna. Be sure to shield the dongle with aluminum foil so that all the RF goes to/from the dish.

The maker and model would be helpful, but it's certainly an active scanner if you're referring to the "site survey" feature. Your client adapter sends out a probe request, which all the AP's in the neighborhood reply with their SSID, MAC address, and connection info. Your client adapter also scans all 11 channels in sequence looking for AP's to connect. That's the active part. The passive part is that normal AP's beacon their SSID several times per second. You don't need a probe request to see those, which can be heard with a passive scanner.

Sorta. SSID hiding works by beaconing a zero length SSID in the beacons. Your client adapter doesn't know what to do with a blank SSID and therefore shows nothing. However connect and disconnect requests still contain the SSID.

As you note, MAC address filtering is nearly useless.

True, but more commonly, SSID hiding is what is used. There are also some wireless router exploits that are blocked by the router firmware. For example, pounding on the access point with probe requests will usually cause the access point to go comatose on the assumption that it's being attacked.

While prosecutions for wireless intrusions are rare and usually a waste of time, it's still not ethically or morally correct. I suggest you ask yourself how you would feel if your neighbors were borrowing your bandwidth. I did that willingly with a neighborhood LAN and ran into problems with users not knowing the difference between abuse and normal use. Instead of spending your time hacking, perhaps it would be better spent asking them for permission. Who knows... they might be friendly?

Reply to
Jeff Liebermann
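The active-versus-passive distinction and the SSID-hiding behaviour described in the two posts above (a scanner that transmits a probe request and waits for a probe response, versus a monitor-mode listener that only hears beacons; an AP that beacons a zero-length SSID while probe responses and association requests still carry the real name) can be made concrete by parsing the frames involved. The following is an added example, not code from the thread or any of its participants: a small Python parser for bare 802.11 management frames plus a passive survey that fills in a hidden SSID from the frames that leak it. The AP address 00:11:22:33:44:55, the client address 02:aa:bb:cc:dd:ee (chosen so the locally-administered bit is set, as a spoofed MAC would be), the SSID "HomeNet" and the frame exchange itself are all constructed for the example. It assumes frames with no radiotap header in front of them; a real monitor-mode capture from tcpdump or Kismet carries one that would have to be stripped first.

```python
"""Passive 802.11 management-frame parsing: beacons, probe requests/responses,
association requests. Bare 802.11 frames only (strip any radiotap header first,
as a real monitor-mode capture from tcpdump or Kismet would carry one)."""
import struct

# Constructed sample addresses, not from the thread: an AP, and a client whose
# MAC has the locally-administered (U/L) bit set, as a spoofed address normally does.
AP_BSSID = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("02aabbccddee")
BROADCAST = b"\xff" * 6

SUBTYPES = {0: "assoc-req", 4: "probe-req", 5: "probe-resp",
            8: "beacon", 10: "disassoc", 12: "deauth"}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def is_locally_administered(raw):
    # Bit 1 of the first octet is the U/L bit; drivers that only accept
    # "correctly formatted LAAs" check exactly this bit.
    return bool(raw[0] & 0x02)

def build_mgmt_frame(subtype, da, sa, bssid, seq, fixed, ies):
    """Assemble a bare management frame: frame control, duration, DA/SA/BSSID,
    sequence control, subtype-specific fixed fields, then information elements."""
    hdr = struct.pack("<BBH", subtype << 4, 0, 0)          # type 0 = management
    hdr += da + sa + bssid + struct.pack("<H", seq << 4)   # fragment 0, seq number
    body = b"".join(struct.pack("BB", eid, len(val)) + val for eid, val in ies)
    return hdr + fixed + body

def parse_ies(body):
    """Split the tagged-parameter area into {element id: value}."""
    ies, pos = {}, 0
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        ies[eid] = body[pos + 2:pos + 2 + length]
        pos += 2 + length
    return ies

def parse_mgmt_frame(frame):
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = fc0 >> 4
    da, sa, bssid = frame[4:10], frame[10:16], frame[16:22]
    seq = struct.unpack_from("<H", frame, 22)[0] >> 4
    body = frame[24:]
    if subtype in (5, 8):        # beacon / probe-resp: timestamp, interval, capability
        body = body[12:]
    elif subtype == 0:           # assoc-req: capability, listen interval
        body = body[4:]
    elif subtype in (10, 12):    # disassoc / deauth: reason code only, no elements
        body = b""
    ies = parse_ies(body)
    ssid_raw = ies.get(0)
    # SSID hiding sends a zero-length SSID element (some firmware sends NULs instead);
    # in a probe request an empty SSID is the wildcard an active scanner uses.
    empty = ssid_raw is not None and not ssid_raw.strip(b"\x00")
    return {
        "subtype": SUBTYPES.get(subtype, f"mgmt-{subtype}"),
        "da": mac_str(da), "sa": mac_str(sa), "bssid": mac_str(bssid), "seq": seq,
        "ssid": None if (ssid_raw is None or empty) else ssid_raw.decode("utf-8", "replace"),
        "ssid_empty": empty,
        "channel": ies[3][0] if len(ies.get(3, b"")) == 1 else None,  # DS Parameter Set
        "sa_locally_administered": is_locally_administered(sa),
    }

def passive_survey(frames):
    """What a monitor-mode listener learns without transmitting: one record per BSSID.
    The SSID a hidden beacon withholds is filled in from probe responses and
    association requests that name it."""
    aps = {}
    for frame in frames:
        f = parse_mgmt_frame(frame)
        if f["bssid"] == mac_str(BROADCAST):
            continue                       # wildcard probe request names no BSSID
        rec = aps.setdefault(f["bssid"], {"ssid": None, "hidden_beacon": False,
                                          "channel": None, "clients": set()})
        if f["subtype"] == "beacon" and f["ssid_empty"]:
            rec["hidden_beacon"] = True
        if f["ssid"]:
            rec["ssid"] = f["ssid"]
        if f["channel"] is not None:
            rec["channel"] = f["channel"]
        if f["subtype"] == "assoc-req":
            rec["clients"].add(f["sa"])
    return aps

BEACON_FIXED = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, 100 TU, ESS+privacy
SAMPLE_FRAMES = [   # constructed exchange: hidden beacon, scanner probe, response, association
    build_mgmt_frame(8, BROADCAST, AP_BSSID, AP_BSSID, 100, BEACON_FIXED, [(0, b""), (3, b"\x06")]),
    build_mgmt_frame(4, BROADCAST, CLIENT, BROADCAST, 1, b"", [(0, b"")]),
    build_mgmt_frame(5, CLIENT, AP_BSSID, AP_BSSID, 101, BEACON_FIXED, [(0, b"HomeNet"), (3, b"\x06")]),
    build_mgmt_frame(0, AP_BSSID, CLIENT, AP_BSSID, 2, struct.pack("<HH", 0x0411, 10), [(0, b"HomeNet")]),
]

if __name__ == "__main__":
    for bssid, rec in passive_survey(SAMPLE_FRAMES).items():
        print(bssid, rec)
```

The survey deliberately ignores nothing it can hear: the beacon alone yields the BSSID and channel with a blank name, the probe response that answers the scanner's wildcard probe yields the name, and the association request adds both the name and the client's address, which is exactly what someone spoofing a permitted client would read off the air. An AP firmware that refuses to answer probe requests only removes the third frame from this list; the beacon and the association request are still there for a passive listener.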

Jeff Liebermann answered:

Yeah thanks for your good replies and information. Without you this group would be pretty lame, sad to say.

>> Over the last year or so I have discovered at least 3 open routers running unencrypted APs from my stand alone old pc scans using a simple usb wifi radio and software. A couple times I configured the routers to give me encrypted access because I was having a lot of problems with hackers trying to break into my computer to steal files.

> How do you know that hackers were trying to break into your computer and steal files? Connection attempts are common. Many laptops, PDA's, and cell phones try to connect without any user intervention. For example, my iPhone 3G PDA (cell phone disabled) will try to connect via Wi-Fi to anything that it hears when it wakes up every 15 or so minutes.

I saw it in my firewall logs; they were using some type of incoming buffer overflow, usually on ports 137-39, and then my file sharing settings were reset to share and I started having problems with their controlling my pc - NOT GOOD. Fortunately I caught it quickly and made the necessary cfg changes so they cannot get access to files.

> It's considered good form to *ASK* the owners of the wireless access points for permission to use their access points. My batting average with asking used to be fairly good about 8-10 years ago. Then, horror stories appeared in the press about evil hackers lurking in the shadows looking for data to pilfer from the GUM (great unwashed masses). These days, my batting average is much less, especially if they're into file sharing and worried about getting caught.

Ok, maybe if I can find out their email address.

>> They were using a program to exploit some flaw in my OS and change the file sharing settings. I detected this and made the necessary corrections to my system so they could not break in.

> Like I asked, how did you know? What program were you using? I've dealt with paranoids that think that the Windoze networking browser election or Windoze Media Player advertisements is an attack of sorts. Programs such as Zone Alarm can be set to provide alerts for just about anything.

No, this definitely was an attack. When they saw I was connecting unencrypted, that was their invite to fire up their script kiddie program and try to d/l my files. I did a full virus/trojan scan using several good scanners and came up negative, including rootkit scans, so it was not a trojan as far as I have been able to determine.

> If you're seriously worried about attacks via wireless, I suggest you investigate using a software firewall on your computer or using double NAT plus SPI on a router behind a wireless client bridge (instead of your USB thing).

Already have a good one, but might be updating to one designed for wireless. I do not have my own router.

> I won't ask how you got unencrypted access. Assuming it was done properly by asking, it should have had no effect on your alleged attacks. Sorry, but you have it backwards. There are some things that can be done to an encrypted access point or router, but very little to a wireless client adapter. If you're worried, turn off peer-to-peer access in your wireless network settings on your USB device.

I did not hack for encrypted access; the AP listed "NONE" for encryption. Pardon my ignorance but maybe I am not stating it correctly? When I connected to the open router (default/no password), I was able to then set a password for the router and also a key phrase for PSK encryption. Once I did that the hacking attempts died. Is that the same as encrypted access? They can issue d/c packets to your client adapter, which they also do frequently. Don't know if this is coming from a hacker or from the owner of the AP? How do you turn off P2P access on your client adapter? I think it might be off by default?

>> But then the owners of the AP realized someone else was using their AP, since I was now listed in the router, and they either took down the transmitter, or they somehow shielded me from being able to detect them with a simple client radio scan.

> More likely, they hired the neighborhood computer geek to properly secure their router. In some cases, they may have hired the Geek Squad. In extremely rare cases, they may have read the instructions that came with their wireless router. It's difficult to tell.

Or they changed the direction of their antenna?

> Most modern AP's have a feature where they don't broadcast their SSID called "SSID hiding". It's not 100% effective and can be detected:

Ok thanks I will look it up. But trying to connect to that "profile" in my list resulted in nothing, as I recall?

>> I guess maybe I could try to get their email address from their user and host names and ask them why their AP is no longer there in my scans. Of course, they may not be willing to tell me. I am using the same radio, scanner and location.

> If they were on AT&T or other ISP that uses PPPoE, the login "name" is their email address. You should have recorded that when you first broke in and started making changes. If you have a directional antenna, you can possibly locate the access point. Maybe build one of these reflectors:
>
> and shove your USB dongle down the pipe to the focus. Lots of other ways to build a directional antenna. However, the best would be a USB dongle with an external RP-SMA antenna connector, and a proper directional dish or panel antenna. Be sure to shield the dongle with aluminum foil so that all the RF goes to/from the dish.

Already have a homemade half parabola, behind a 5dBi whip. The whip extends from the 3cm x 3cm radio upwards and the dish is positioned such that the focal point aligns with the rubber whip. Since the radio is below the parabola, should I cover it with foil also? The question arises as to how to most effectively focus the radio waves most efficiently into the donut pattern of the whip. How does one modify a whip to make it directional so as to avoid having to make or purchase another antenna?

>> I am guessing from your reply that I have an active scanner since it is just simple software that comes with a usb radio.

> The maker and model would be helpful, but it's certainly an active scanner if you're referring to the "site survey" feature. Your client adapter sends out a probe request, which all the AP's in the neighborhood reply with their SSID, MAC address, and connection info. Your client adapter also scans all 11 channels in sequence looking for AP's to connect. That's the active part. The passive part is that normal AP's beacon their SSID several times per second. You don't need a probe request to see those, which can be heard with a passive scanner.

Ok yeah, going to have to migrate to Linux in order to use Kismet. I am stupid when it comes to computers so it's all a chore for me.

> Sorta. SSID hiding works by beaconing a zero length SSID in the beacons. Your client adapter doesn't know what to do with a blank SSID and therefore shows nothing. However connect and disconnect requests still contain the SSID.

Ok so if I cannot connect to that pre-saved profile, means they either took it down or changed their antenna/direction, or reduced their power, or changed their MAC and SSID?

>> Some of the sophisticated software I have read about I THINK is able to deny response to active scans based on other parameters that identify the rogue client as a rogue client, including not having the right MAC address, location and other parameters.

> True, but more commonly, SSID hiding is what is used. There are also some wireless router exploits that are blocked by the router firmware. For example, pounding on the access point with probe requests will usually cause the access point to go comatose on the assumption that it's being attacked.

Ok, did not know that, thanks.

>> I am just trying to learn and also trying to keep free access; I can't afford the outrageous (imo) rates being charged for commercial wifi access and I bet the stability of the paid connections isn't much better than what I get for free. If they leave their door wide open, then don't complain if somebody comes in to take a snooze.

> While prosecutions for wireless intrusions are rare and usually a waste of time, it's still not ethically or morally correct. I suggest you ask yourself how you would feel if your neighbors were borrowing your bandwidth. I did that willingly with a neighborhood LAN and ran into problems with users not knowing the difference between abuse and normal use. Instead of spending your time hacking, perhaps it would be better spent asking them for permission. Who knows... they might be friendly?

Yeah, I might take your suggestion, IF I can find out who they are. I just assume I am going to be attacked, especially if I connect with no encryption. But so far I know just enough to block hackers from getting in, I THINK, hahahah.

duplicates of this post due to unreliable remailers

Reply to
Nomen Nescio

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.