how-to block ads
|
caribconsult
Premium
join:2003-03-19
Mayaguez, PR
 ·Millenicom
·Sprint Mobile Broa..
 ·HughesNet Satellit..
| reply to docrice
Re: Question about MAC Filtering
DOCRICE: Do I understand you to say that if MAC filtering is used (allow only listed), then a snooper might see my wireless net via the SSID broadcast, but would not be able to obtain any information such as active or valid MAC addresses, IP addressing, whatever? That they'd see packets of stuff zipping around but have no access to any of it?
I've seen many posts, on this forum and others, describing how easy it is to penetrate this - that all this stuff is just flying around in the clear and anyone who had the right software could spoof a valid MAC address off my net even though his existing MAC is not authorized. What's the real deal here?
Thanks for your help.
--
Franklin CDU680/Assent MBR400 combo, CAY1912 panel antenna, Millenicom, 4 XPPro stations, Mozilla everywhere. | |
docrice
join:2008-03-31
Fremont, CA
| To summarize, you're only concerned about using your wired network and really trying to "logically" disable the wireless functionality (with the limited disabling ability you have on the device), right?
The only way for an attacker in your scenario to see traffic that's on the wired network is to associate / bridge herself to your overall network. To be able to do that, they'd need to plug into a physical wired port (not practically possible, obviously) or obtain the proper WEP key. Since you're not connecting a client wirelessly to the access point at all, you're not generating any frames (and thus IV values) that an attacker can capture and decipher your key with. And since there's no authorized client associated to the access point at any time, there's really no MAC address visible to spoof.
You're kind of an exception to the rule because although you have a wireless-capable device, you're not using it at all. In your case, the risk comes into picture when you actually do use a wireless connection with WEP enabled (and / or using MAC filtering).
The only thing that your idle access point throws out into the air is the 802.11 beacon frames which contain the SSID value and other informational elements such as supported attributes. These get broadcasted out about 10 times a second typically. There's also the 802.11 control frames (RTS, CTS, ACK), but other than that, there's nothing being leaked out unless the attacker actually bridges to the network through 802.11 association or by deciphering your key value(s) based on existing wireless traffic by legitimate clients. They could, of course, also guess at your WEP key by trying every possible string permutation which isn't as practical as just deciphering the key value based on existing traffic. And then if you have a MAC filter set, they'd have to guess at that too since there's no clients ever associating to it.
If you really want to see it all in action, use AirPCap or a Linux distribution like BackTrack combined with a supported wireless card and observe the layer 2 traffic taking place on the radio channel the AP's operating on.
All this trouble could have been alleviated if the vendor would allow a simple function like turning off the radio. | |
|
