88717 2003-01-22 22:51 /59 rader/ Joshua Wright <Joshua.Wright@jwu.edu> Importerad: 2003-01-22 22:51 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <3160> Ärende: Whitepaper - Detecting Wireless LAN MAC Address Spoofing ------------------------------------------------------------ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I recently completed a white paper that demonstrates some techniques that can be used for detecting spoofed MAC addresses on 802.11 networks. In this paper I identify tactics that can be used to identify the use of the Wellenreiter, FakeAP and AirJack tools through anomaly analysis. Here is the abstract: "An attacker wishing to disrupt a wireless network has a wide arsenal available to them. Many of these tools rely on using a faked MAC address, masquerading as an authorized wireless access point or as an authorized client. Using these tools, an attacker can launch denial of service attacks, bypass access control mechanisms, or falsely advertise services to wireless clients. This presents unique opportunities for attacks against wireless networks that are difficult to detect, since the attacker can present himself as an authorized client by using an altered MAC address. As nearly all wireless NICs permit changing their MAC address to an arbitrary value - through vendor-supplied drivers, open-source drivers or various application programming frameworks - it is trivial for an attacker to wreak havoc on a target wireless LAN. This paper describes some of the techniques attackers utilize to disrupt wireless networks through MAC address spoofing, demonstrated with captured traffic that was generated by the AirJack, FakeAP and Wellenreiter tools. Through the analysis of these traces, the author identifies techniques that can be employed to detect applications that are using spoofed MAC addresses. With this information, wireless equipment manufacturers could implement anomaly-based intrusion detection systems capable of identifying MAC address spoofing to alert administrators of attacks against their networks." http://home.jwu.edu/jwright/papers/wlan-mac-spoof.pdf Please reply with comments off-list and I will post a summary. Thanks. - -Joshua Wright Team Leader, Networks and Systems Johnson & Wales University Joshua.Wright@jwu.edu http://home.jwu.edu/jwright/ pgpkey: http://home.jwu.edu/jwright/pgpkey.htm fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73 -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> iQA/AwUBPi6fw4/i/ArUS0pzEQKu3gCgqy4pO3dwQutaJ4nsji0IUiizS1EAoKdW a33isuFUCr3ilkmClJD+YEWB =TVLk -----END PGP SIGNATURE----- (88717) /Joshua Wright <Joshua.Wright@jwu.edu>/-----