RE: Perpetuating weak wireless security
Yes, WEP Cloaking works both on passive as well as active attacks. Injection attacks, stream attacks, MiTM attacks etc etc.

-----Original Message-----
From: listbounce-o7tR/nIX9Vi1EmJ4MpGYnQC/G2K4zDHf@xxxxxxxxxxxxxxxx [mailto:listbounce-o7tR/nIX9Vi1EmJ4MpGYnQC/G2K4zDHf@xxxxxxxxxxxxxxxx] On Behalf Of Raul Siles
Sent: Wednesday, May 09, 2007 8:01 AM
To: Nico Darrow
Cc: Cedric Blancher; Joshua Wright; wifisec-o7tR/nIX9Vi1EmJ4MpGYnQC/G2K4zDHf@xxxxxxxxxxxxxxxx
Subject: Re: Perpetuating weak wireless security

Hi Nico,

I'm trying to understand the specific WEP attacks the WEP Cloaking feature mitigates. It seems it is mainly focused on WEP statistical attacks (FMS, KoreK's improvements and, now, aircrack-ptw). Is this correct? If you can disclose some details at this point, does it work against other WEP-based attacks (PRGA-based): KoreK's chopchop, fragmentation...?

Thanks,
--
Raul Siles
GSE
www.raulsiles.com

On 5/8/07, Nico Darrow <ndarrow-xAbmtu7NH5/8vmTbguxeSw@xxxxxxxxxxxxxxxx> wrote:
> Guys, I was the original designer of the WEP Cloaking feature released by
> AirDefense. I can field any questions you guys may have on it.
>
> I can assure you it works. Here are a couple of points on the technology.
>
> 1. The actual fake data traffic is silently dropped by both the client and
> the AP, and throughput tests indicate a negligible impact at both 54 and 11
> Mbps. We don't flood the air.
>
> 2. You can't filter the traffic out, we have several dynamic engines to
> circumvent filtering. We've had several independent teams attempt to pentest
> even with the real WEP key and they have failed. I've already been through
> signal strength filtering, retry filtering, sequence filtering, client
> filtering, distributed sniffing, etc etc. None work. AirDefense is the best
> in class solution and I assure you the work on this project is on par. I'm
> not being cocky, I'm just saying that this isn't a hacked job. We have spent
> over a year developing and refining this technique.
>
> Ok here's the thing. This technology was designed to save millions of dollars
> in cost to large retailers still running WEP technology. The technology isn't
> fool-proof, but it's the best option they have. What you get for a fraction
> of the cost of a fork-lift upgrade is extended life on existing hardware as
> well as a world class Wireless IDS/IPS as well as a platform for other
> AirDefense technologies.
>
> Now, I'm sure someone smart will figure out some super-clever way to bypass
> it but AirDefense has multiple layers of protection. We will of course refine
> the technology as it gets deployed and used in the field, like any true
> second-generation WIDS/WIPS. We have Legacy Encryption Protection (WEP),
> Intrusion Detection with Auto-Classification of devices (monitor anyone
> actually making it past the encryption/vlans) and Intrusion Protection
> (keeping them off once you find out they have the real WEP key).
>
>
> For those currently using WEP, here are some tips to help make WEP cracking
> harder without WEP Cloaking.
>
> 1. Use PSPF mode (aka AP Isolation). There is a mode on most radios that
> disallows clients from communicating with each other, essentially by
> filtering out broadcast and multicast traffic. Enabling this feature will
> prevent ARP injection techniques and will prevent Aircrack-ptw from working.
> Yes it can still be cracked but requires the hacker to capture traffic
> passively, and in a retail environment with low traffic it can take a while.
>
> 2. VLANs on the APs. Currently Aircrack and other such tools don't filter out
> VLAN traffic (you need to write your own tool to filter it out, scapy works
> for me), so if you have multiple VLANs don't use the MBSSID feature and keep
> all your VLANs on one BSSID. Technically MBSSIDs are way better, but we are
> talking older hardware.
>
> 3. Multiple APs. Clients connect to multiple APs and when you start
> injecting they'll roam, forcing you to use secondary radios to keep the
> device on it or follow it around and combine the traffic later. Not really a
> good point, but makes life harder with off the shelf tools.
>
> 4. If possible, do the basics. MAC filtering, throughput limiting
> (54Mbps/11Mbps only), signal strength filtering.
>
>
> For those wanting to check out the technology, contact me and I'll let you
> know where and when we will be demoing the technology.
>
>
> Nico Darrow
> Office of the CTO
> AirDefense, Inc.
>
> -----Original Message-----
> From: listbounce-o7tR/nIX9Vi1EmJ4MpGYnQC/G2K4zDHf@xxxxxxxxxxxxxxxx
> [mailto:listbounce-o7tR/nIX9Vi1EmJ4MpGYnQC/G2K4zDHf@xxxxxxxxxxxxxxxx] On
> Behalf Of Cedric Blancher
> Sent: Tuesday, May 08, 2007 3:19 AM
> To: Joshua Wright
> Cc: wifisec-o7tR/nIX9Vi1EmJ4MpGYnQC/G2K4zDHf@xxxxxxxxxxxxxxxx
> Subject: Re: Perpetuating weak wireless security
>
> On Monday 07 May 2007 at 10:44 -0400, Joshua Wright wrote:
> > While I haven't seen this technology in action yet, I have a pretty
> > good idea how it works, and I think it's a mistake to trust said
> > technology or common variants for the protection of sensitive networks.
>
> The idea of adding dummy traffic to legit WEP traffic has been mentioned
> here before. A quick answer to this could be:
>
> 1. spot real MAC addresses
> 2. PCAP filter your capture
>
> I don't think they want to overload real clients and AP with dummy WEP
> traffic...
>
>
> --
> http://sid.rstack.org/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
> SyScan'07: 2 days of WiFi training and practice in Singapore
> http://syscan.org/reg_training.html
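An added illustration, not code from this thread or from AirDefense: a small Python harness for checking whether a cloaking deployment's chaff survives the "sequence filtering" Nico says his engines circumvent and that Cedric's "spot real MAC addresses, PCAP filter your capture" approach relies on. The client MAC, the chaff generators and the capture are all constructed assumptions; the real product's behaviour is not modelled.

```python
import random

SEQ_MOD = 4096  # 802.11 sequence numbers are 12 bits

def sequence_filter(frames, window=16):
    """Classify each (transmitter MAC, seq, label) record as real (False) or
    chaff (True) by sequence-number continuity: accept a frame if its seq is
    within `window` steps after the transmitter's last accepted seq, or if it
    continues from a frame flagged just before (resync, so a single accepted
    outlier cannot poison the rest of the stream)."""
    last, pending, flagged = {}, {}, []
    for mac, seq, _label in frames:
        prev = last.get(mac)
        if prev is None or (seq - prev) % SEQ_MOD <= window:
            last[mac] = seq
            flagged.append(False)
        elif mac in pending and (seq - pending[mac]) % SEQ_MOD <= window:
            last[mac] = seq  # two consecutive frames agree: resync on them
            flagged.append(False)
        else:
            pending[mac] = seq
            flagged.append(True)
    return flagged

def score(frames, flagged):
    """(fraction of chaff caught, fraction of real frames wrongly discarded);
    the label in each record is ground truth a sniffer would not have."""
    chaff = [f for f, (_, _, is_chaff) in zip(flagged, frames) if is_chaff]
    real = [f for f, (_, _, is_chaff) in zip(flagged, frames) if not is_chaff]
    return (sum(chaff) / len(chaff) if chaff else 0.0,
            sum(real) / len(real) if real else 0.0)

def make_capture(tracking_chaff, n=400, seed=7):
    """Constructed capture: one real client (seq +1 per frame) interleaved with
    chaff spoofing its MAC. Naive chaff picks random sequence numbers; tracking
    chaff copies the client's current counter, as a dynamic engine must."""
    rng = random.Random(seed)
    client, seq, frames = "00:11:22:33:44:55", 100, []  # assumed MAC
    for _ in range(n):
        seq = (seq + 1) % SEQ_MOD
        frames.append((client, seq, False))
        if rng.random() < 0.5:
            cseq = seq if tracking_chaff else rng.randrange(SEQ_MOD)
            frames.append((client, cseq, True))
    return frames

def evaluate(tracking_chaff):
    frames = make_capture(tracking_chaff)
    return score(frames, sequence_filter(frames))
```

Naive chaff is almost entirely separated while losing few real frames; chaff that tracks the client's counter is not separated at all, which is why a filter this simple says nothing about a cloaking engine that keeps its chaff in step with real stations.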