[Dshield] Wireless broadcasts

Michael Cox mscox at ti.com
Wed Jun 29 17:38:18 GMT 2005

Your protocol analyzer could deduce spanning tree based on the multicast
destination MAC address even if it couldn't see the encrypted data. That
doesn't explain seeing ARPs though. I'm thinking this wasn't a valid
test somehow. What are you using to capture and decode the traffic?

Basically, sniffing encrypted 802.11 traffic would show you the SSID and
the stations' MAC addresses in the clear. You should also be able to
determine the type of encryption used (WEP/RC4 vs. AES). With WEP, you
can see the IV and ICV of each encrypted frame which are useful for
certain types of attacks. If an authentication protocol is used beyond
WEP, then you can determine what type it is if you capture the
authentication sequence. With some of these the userid is sent in the
clear as I think another poster has already pointed out.

Hope that helps!
Michael Cox

On Tue, 2005-06-28 at 19:11 -0700, Willy, Andrew wrote:
> The broadcasts included spanning tree packets and ARPs.  
> WEP was being used -- something that will be rectified.  However, since
> these are appearing, forgive the term, pre-encryption, does it matter if it
> is WEP or WPA?
> I'm suspicious that despite my efforts somehow it was not a valid test.  I
> had disconnected from the WAP (removing previous settings to ensure I was
> listening to only what was available without a key exchange), and disabled
> IP on the interface (like I've done for IDS sensors).  Is this a fair
> experiment?  
> To refine the question, if a war-driver parked outside our offices, what
> traffic is normal for him to listen in on plain-text, if any, without first
> going through the effort (yes, WEP, a few minutes) of breaking the
> encryption? 
> Sorry again for the elementary questions.
> Thank you,
> Andrew
> -----Original Message-----
> From: Michael Cox [mailto:mscox at ti.com]
> Sent: Tuesday, June 28, 2005 9:51 AM
> To: AWilly at esmil.net
> Subject: Re: [Dshield] Wireless broadcasts
> My understanding:
> Some broadcast traffic, e.g. some 802.11 protocol packets, must be sent
> in the clear for clients to be able to communicate to the point that key
> exchange can occur.
> Once the key(s) are set up, broadcast traffic such as ARPs should be
> encrypted.
> With plain ol' WEP, the same key is used for all unicast and non-unicast
> packets.
> With the various EAP types that offer per session keying, there are
> separate unicast (unique for each client) and non-unicast (shared by all
> clients) keys.
> Examples of the plaintext broadcasts you are seeing would probably clear
> this up.
> Regards,
> Michael Cox
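As an added illustration (not from the thread or either poster), the following Python parser shows what a passive listener reads from 802.11 frames without any key: the header addresses, a beacon's SSID and privacy bit, and for a WEP data frame the IV, key id and ICV that Michael mentions, while the payload stays opaque. The sample frames, the SSID and the MAC addresses are constructed for the example.

```python
import struct

# Group destinations recognisable from the never-encrypted 802.11 header alone
KNOWN_GROUP = {
    "01:80:c2:00:00:00": "IEEE 802.1D spanning tree",
    "ff:ff:ff:ff:ff:ff": "broadcast (e.g. ARP request)",
}

def mac(b): return ":".join(f"{x:02x}" for x in b)

def parse_80211(frame):
    """Return only what is readable without the key (header, SSID, WEP IV/key id/ICV)."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    a1, a2, a3 = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    if to_ds and not from_ds:        # station -> AP
        da, sa, bssid = a3, a2, a1
    elif from_ds and not to_ds:      # AP -> station
        da, sa, bssid = a1, a3, a2
    else:                            # management / IBSS (4-address WDS not handled)
        da, sa, bssid = a1, a2, a3
    info = {"type": {0: "mgmt", 1: "ctrl", 2: "data"}.get(ftype, "?"),
            "protected": bool(fc1 & 0x40), "da": da, "sa": sa, "bssid": bssid}
    body = frame[24:]
    if info["type"] == "mgmt" and subtype == 8:             # beacon
        _ts, _interval, cap = struct.unpack_from("<QHH", body, 0)
        info["privacy"] = bool(cap & 0x0010)                # encryption required
        pos = 12
        while pos + 2 <= len(body):                         # information elements
            tag, ln = body[pos], body[pos + 1]
            if tag == 0:
                info["ssid"] = body[pos + 2:pos + 2 + ln].decode("ascii", "replace")
            pos += 2 + ln
    elif info["type"] == "data":
        info["classification"] = KNOWN_GROUP.get(da, "unicast/other")
        if info["protected"]:
            # WEP: 3-byte IV and key-id byte precede the ciphertext, 4-byte ICV trails it
            info["wep_iv"] = body[0:3].hex()
            info["wep_key_id"] = body[3] >> 6
            info["icv"] = body[-4:].hex()
    return info

# Constructed sample frames (not real captures): a beacon from AP "corpnet" and a
# WEP-protected broadcast from a station, i.e. what an encrypted ARP request looks like
AP, STA = bytes.fromhex("00112233aabb"), bytes.fromhex("0a1b2c3d4e5f")
BEACON = (bytes([0x80, 0x00, 0, 0]) + b"\xff" * 6 + AP + AP + b"\x00\x00"
          + struct.pack("<QHH", 0, 100, 0x0411) + bytes([0, 7]) + b"corpnet")
WEP_BCAST = (bytes([0x08, 0x41, 0, 0]) + AP + STA + b"\xff" * 6 + b"\x10\x00"
             + bytes.fromhex("a1b2c3") + bytes([0x40]) + bytes(range(36))
             + bytes.fromhex("deadbeef"))
```

Running `parse_80211` over both frames gives the SSID, BSSID and privacy flag from the beacon, and the station MAC, broadcast classification, IV and ICV from the protected frame, which is exactly the metadata a war-driver sees before any key is recovered.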
