Mailing List os2-wireless_users@2rosenthals.com Archived Message #3809

From: Lewis G Rosenthal <os2-wireless_users@2rosenthals.com>
Sender: os2-wireless_users-owner <os2-wireless_users-owner@2rosenthals.com>
Subject: [OS2Wireless] CWNA Question of the Week
Date: Mon, 07 Feb 2005 20:43:57 -0500
To: os2-wireless_users@2rosenthals.com

Hi, Doug. Note my comments, below...

Doug LaRue wrote:

** Reply to message from Stan Goodman <sgood@hashkedim.com> on Mon, 07 Feb 2005 23:13:57 +0200

very interesting but there seems to be much more to this than just the L2/L3 hijack. It said that
Bill was xfering files to a server on the corporate LAN. This means that the hijacker actually got
in the middle of Bill and ABCcorp and this means he/she got into the ABCcorp LAN such that Bill
could think he was xfering files to/from a corporate server. Unless I'm missing something, this is
a bit more involved hijacking but then again, it's probably a MS Windows LAN and the hijacker has
probably been in the LAN for far longer than he/she's been in the middle of end users.


Absolutely right. That's what first led me to believe that this was a man-in-the-middle attack, and that the hijacker was the one who was actually "running" the "server." Yes, they did give more detail than what was necessary, and a real LAN (NetWare, for example - sorry, my bias is showing) would make the attacker work hard at getting in.

The question is, what can we do, or use, to keep an eye on this kind of thing? And can we script
this up so checks are made every time the wireless network comes up?


Well, the first thing I can think of (besides using encryption, which will at best, slow the attacker down while he cracks the WEP or the WPA - harder, but it can be done), is to make note of your DHCP server from which you recorded an offer. Check with your IT department to be sure that this is the only DHCP server on the subnet (there should be only one, unless they've somehow split the address pool to load balance those poor, lumbering Windows DHCP servers). Use the DHCP Monitor to see where your address originated.

There is more at stake here, though. Consider the scenario where the L3 attacker is actually recording packets sent from the WLAN users (as is typically the case - and yes, that is indeed an L7 attack and not L2/L3). POP3 email usually travels in the clear - including passwords - as does FTP and SMTP. And should unsuspecting users visit unsecured sites on the 'net and enter sensitive data ("oh, *that's* what that lock icon thingy is down there!"), well, you get the picture.

Of course, all of this aside, we have the same issue with cell phones. Yes, digital phones are harder to snoop than analog phones were, but it's still possible. And people say the darnedest things...

Doug



** Reply to message from Lewis G Rosenthal <lgrosenthal@2rosenthals.com> on
Mon, 07 Feb 2005 13:26:48 -0500



I thought this one was worth forwarding to the list. Enjoy!

*Question of the Week*

Bill, a wireless LAN end user at ABC Corporation, is transferring a file over the wireless network to a server. Approximately half way through the transfer, the transfer suddenly stops. Doing his own initial troubleshooting Bill finds that his wireless connection is still active, but he can no longer access the corporate network resources. Confused, Bill calls the help desk who asks him to check his IP address. Upon checking the IP address of Bill's workstation they find that his IP address is on the wrong subnet. The subnet on which Bill's PC is addressed is not part of the corporate network. The help desk technician informs Bill that he has been subject to what kind of wireless attack?

1. Man-in-the-middle
2. L2/L3 Hijacking
3. TCP session hijacking
4. Bit-flipping attack
5. Spread spectrum RF jamming attack
6. Eavesdropping attack

*Question of the Week Answer*

Wireless L2/L3 hijacking attacks use a narrowband RF generator to jam (interfere with) a specific transmission channel forcing users to roam to another, more usable, channel. This usable channel is the software or hardware (usually software) access point of the intruder. When the authorized user makes an association to the intruder, this is deemed a L2 hijack. Many operating systems such as Windows 2000 and Windows XP automatically perform a DHCP renewal any time they lose Layer 2 connectivity. For this reason, the intruder can install DHCP server software on the same laptop in order to give the authorized user an IP address when one is requested. This is deemed a Layer 3 hijack. The reason for the Layer 3 hijack is that once the authorized user has an IP address on the same network segment as the intruder, the intruder will be able to perform Layer 7 (application layer) attacks against the authorized user's computer.

Very clear. Now it's much easier for me to understand why so many people use
Windows2000 and WindowsXP operating systems. Horatio Alger was right: "If you
build a better mousetrap, the world will beat a footpath to your door".

-- Stan Goodman
Qiryat Tiv'on
Israel

"When your enemy falls, do not rejoice." -- Proverbs 24:17

If a pig loses its voice, is it disgruntled?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

To unsubscribe from this list, send a message to
steward@2rosenthals.com with the command
"unsubscribe os2-wireless_users" in the body
(omit the quotes).

For help with other commands, send a message
to steward@2rosenthals.com with the command
"help" in the body (omit the quotes).

This list is hosted by Rosenthal & Rosenthal
P.O. Box 281, Deer Park, NY 11729-0281. Non-
electronic communications related to content
contained in these messages should be directed
to the above address. (CAN-SPAM Act of 2003)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=





--
Lewis
------------------------------------------------------------
Lewis G Rosenthal, CNA, CLE
Rosenthal & Rosenthal
Accountants / Network Consultants
New York / Northern Virginia           www.2rosenthals.com
Team OS/2  / NetWare Users International      www.novell.com
------------------------------------------------------------
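Doug asks above whether the DHCP sanity check Lewis describes can be scripted so it runs every time the wireless network comes up. The following is an added example written for this thread (not code from the list, the CWNA material, or the OS/2 DHCP Monitor) that a link-up hook could run: it reads the current lease in ISC dhclient's lease-file syntax and flags an offer that did not come from a known DHCP server identifier, or an address that falls outside the corporate pools, which is exactly how Bill's help desk spotted the hijack. The trusted server address, the corporate subnet and the sample lease are assumed and constructed values, not anything from the original messages.

```python
"""Check a freshly obtained DHCP lease against what the corporate network
should hand out.  Intended to run from a link-up hook each time the wireless
interface comes up.  Example written for this discussion, not a tool from the
list or from the CWNA material."""
import ipaddress
import re

# Assumed known-good values (placeholders): the server identifier the
# corporate DHCP server uses, and the pools it is allowed to offer from.
TRUSTED_DHCP_SERVERS = {"10.1.1.5"}
CORPORATE_SUBNETS = [ipaddress.ip_network("10.1.0.0/16")]

# Constructed sample lease in ISC dhclient lease-file syntax: the address is
# on 192.168.77.0/24, which is not a corporate pool, and the offer came from
# an unknown server, i.e. the situation in the question of the week.
SAMPLE_LEASE = """lease {
  interface "wlan0";
  fixed-address 192.168.77.23;
  option subnet-mask 255.255.255.0;
  option routers 192.168.77.1;
  option dhcp-server-identifier 192.168.77.1;
  option dhcp-lease-time 3600;
}
"""

def parse_lease(text):
    """Return (address, server identifier) from the most recent lease block."""
    blocks = re.findall(r"lease\s*\{(.*?)\}", text, re.S)
    if not blocks:
        raise ValueError("no lease block found")
    body = blocks[-1]  # dhclient appends leases; the last block is current
    addr = re.search(r"fixed-address\s+([\d.]+);", body)
    srv = re.search(r"option dhcp-server-identifier\s+([\d.]+);", body)
    if not addr or not srv:
        raise ValueError("lease block is missing address or server identifier")
    return addr.group(1), srv.group(1)

def check_lease(text, trusted=TRUSTED_DHCP_SERVERS, subnets=CORPORATE_SUBNETS):
    """Return a list of findings; an empty list means the lease looks normal."""
    addr, srv = parse_lease(text)
    findings = []
    if srv not in trusted:
        findings.append(f"offer came from untrusted DHCP server {srv}")
    if not any(ipaddress.ip_address(addr) in net for net in subnets):
        findings.append(f"assigned address {addr} is outside the corporate subnets")
    return findings

if __name__ == "__main__":
    for line in check_lease(SAMPLE_LEASE) or ["lease looks normal"]:
        print(line)
```

Feed it the real lease file from the hook and have it alert (or drop the association) whenever the findings list is non-empty.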
