WISP wifi in the santa cruz mountains security question (nosyneighbors)
When I log into my Ubiquiti WiFi radio AirOS and hit the DISCOVERY
button, I can see all my neighbors who are on the same subnet all using
the same equipment:
Neighbor 1 Nanobridge = 10.20.0.1
Neighbor 2 Nanobridge = 10.20.0.2
Neighbor 3 Nanobridge = 10.20.0.3
Neighbor 4 Nanobridge = 10.20.0.4
etc.
Can they 'sniff' the network and 'see' my traffic & vice versa?
Re: WISP wifi in the santa cruz mountains security question (nosyneighbors)
On 9/24/2012 7:55 PM, Johannes wrote:
> When I log into my Ubiquiti WiFi radio AirOS and hit the DISCOVERY
> button, I can see all my neighbors who are on the same subnet all using
> the same equipment:
> Neighbor 1 Nanobridge = 10.20.0.1
> Neighbor 2 Nanobridge = 10.20.0.2
> Neighbor 3 Nanobridge = 10.20.0.3
> Neighbor 4 Nanobridge = 10.20.0.4
> etc.
>
> Can they 'sniff' the network and 'see' my traffic & vice versa?
>
There is nothing like experimenting with kismet and wireshark, and then
find out yourself what can be seen. What I do is get a notebook and
kismet capable usb and then sniff my own system. [You need to have this
notebook not connected to your lan/wan else you will be seeing packets
that an outsider without access wouldn't see.] Since you know what you
have on your network, you have a better idea of how the tools sniff.
One assumes a WISP is smart enough to provide isolation between
customers. I have stayed at motels with "free wifi" and they have no
isolation between wireless users.
Having set up DD-WRT, I am beginning to see the inadequacies of the standard
wifi firmware, at least on the units I have owned in the past.
Re: WISP wifi in the santa cruz mountains security question (nosy neighbors)
On Tue, 25 Sep 2012 02:55:54 +0000 (UTC), Johannes
<johannes32@yahoo.com> wrote:
>When I log into my Ubiquiti WiFi radio AirOS and hit the DISCOVERY
>button, I can see all my neighbors who are on the same subnet all using
>the same equipment:
>Neighbor 1 Nanobridge = 10.20.0.1
>Neighbor 2 Nanobridge = 10.20.0.2
>Neighbor 3 Nanobridge = 10.20.0.3
>Neighbor 4 Nanobridge = 10.20.0.4
>etc.
>
>Can they 'sniff' the network and 'see' my traffic & vice versa?
Good question. Three related answers.
If your connection to the WISP is via WPA2-RADIUS, it can't be
sniffed. If the connection is via an unencrypted link, it can be
easily sniffed.
If the WISP has the central AP setup with "Client Isolation", so that
the various clients cannot see each other, then the neighbors can't
sniff your connection. However, if you can see their IP addresses,
that probably means that you can also see their broadcasts, which
means that "Client Isolation" is probably off.
It's not possible to sniff the traffic with the Ubiquiti NanoBridge
radio in its present configuration. One would need a radio with
promiscuous mode.
Those Alfa Tube-U units seem like the way to go for 2.4 sniffing if you
are going to use a big *** antenna. The desktop models work fine but
aren't very rugged. It is well worth the extra $10 to get the beefier model.
Excellent receive capability. For long distance use, you might as well
get the G version. Even though it only specs out 1dB better, in practice
it really works well and you won't be getting N speed anyway over distance.
Re: WISP wifi in the santa cruz mountains security question (nosyneighbors)
On Mon, 24 Sep 2012 22:06:03 -0700, Jeff Liebermann wrote:
Hi Jeff,
Thanks for taking the question.
> If your connection to the WISP is via WPA2-RADIUS, it can't be sniffed.
> If the connection is via an unencrypted link, it can be easily sniffed.
My connection is WPA2-PSK (I have the password; it is the same for all
the neighbors).
> If the WISP has the central AP setup with "Client Isolation", so that
> the various clients cannot see each other, then the neighbors can't
> sniff your connection. However, if you can see their IP addresses, that
> probably means that you can also see their broadcasts, which means that
> "Client Isolation" is probably off.
Drat. I can clearly see them in the "DISCOVERY" mode!
I can even tell who they are because I know their names and their SSIDs
are their names.
> It's not possible to sniff the traffic with the Ubiquiti NanoBridge
> radio in its present configuration. One would need a radio with
> promiscuous mode.
Hmmm... I also have a Bullet M2. I wonder if it can be placed in
promiscuous mode.
Re: WISP wifi in the santa cruz mountains security question (nosyneighbors)
On 9/25/2012 9:27 PM, Johannes wrote:
> On Tue, 25 Sep 2012 00:26:50 -0700, miso wrote:
>
>> Those Alfa Tube-U units seem like the way to go for 2.4 sniffing if you
>> are going to use a big *** antenna.
>
> I have a Bullet M2 which looks exactly like those Alpha Tube-U units.
> I wonder if the Bullet M2 can be put in promiscuous mode?
>
> The antenna is no problem. They're cheap and the bullet screws directly
> onto the connector in back.
>
The chipset determines if it can be promiscuous. If you can stomach the
FCC product website, you can probably determine the chipset used. [Get
the FCC ID off the unit.]
But I believe if you are already on the network, i.e. you are seeing
these other users, then running wireshark would see the network activity
of those users.
Wireshark is kind of crappy on windows. It isn't impossible to run on
windows, but it took a bit of work. On linux, running wireshark is
trivial. You need root permission.
Actually it now comes with winPcap. Getting winPcap to work was where I
had to spend some time. Maybe now the installation is easier.
> http://www.wireshark.org/download.html
Re: WISP wifi in the santa cruz mountains security question (nosyneighbors)
On 9/25/2012 9:01 PM, Johannes wrote:
> On Mon, 24 Sep 2012 21:09:43 -0700, miso wrote:
>
>> There is nothing like experimenting with kismet and wireshark
>
> I'm on Linux so I will see about installing them!
>
>> One assumes a WISP is smart enough to provide isolation between
>> customers.
>
> I can log into the Ubiquiti AirOS and 'ping' or 'traceroute' from the
> radio all the neighbors.
>
> What do I look for to see if there is 'isolation'?
>
Well I think you can ping an isolated user. It isn't like they don't
exist. This is probably getting beyond my limited knowledge.
In the case of these WISPs, it is likely each user will have a router
behind their wifi, so that should provide some security. The AP
isolation of DD-WRT is more useful for simpler clients like a PC with
just windows firewall versus a router.
You can't be too secure. When I'm using wifi in public, I tend to use a
smart phone (good luck hacking a Blackberry), a tablet (Blackberry too),
or linux. I try not to use windows in public. The blackberries are FIPS
140-2 rated, good enough for "sensitive but not classified" information.
Linux generally isn't FIPS 140-2 rated unless you buy an enterprise
version. I believe it is a matter of buying expensive certificates.
Re: WISP wifi in the santa cruz mountains security question (nosy neighbors)
On Wed, 26 Sep 2012 04:26:01 +0000 (UTC), Johannes
<johannes32@yahoo.com> wrote:
>On Mon, 24 Sep 2012 22:06:03 -0700, Jeff Liebermann wrote:
>
>Hi Jeff,
>Thanks for taking the question.
>
>> If your connection to the WISP is via WPA2-RADIUS, it can't be sniffed.
>> If the connection is via an unencrypted link, it can be easily sniffed.
>My connection is WPA2-PSK (I have the password; it is the same for all
>the neighbors).
It can be sniffed over the air. Airpcap and Wireshark on Linux work
just fine. Plenty of other utilities. See Backtrack-Linux for
everything on a live DVD.
>> If the WISP has the central AP setup with "Client Isolation", so that
>> the various clients cannot see each other, then the neighbors can't
>> sniff your connection. However, if you can see their IP addresses, that
>> probably means that you can also see their broadcasts, which means that
>> "Client Isolation" is probably off.
>Drat. I can clearly see them in the "DISCOVERY" mode!
>I can even tell who they are because I know their names and their SSIDs
>are their names.
Please tell the WISP operator that he needs to enable client isolation
on his Ubiquiti whatever. It will also save him some bandwidth as
broadcast packets will no longer end up going all over the network.
>> It's not possible to sniff the traffic with the Ubiquiti NanoBridge
>> radio in its present configuration. One would need a radio with
>> promiscuous mode.
>
>Hmmm... I also have a Bullet M2. I wonder if it can be placed in
>promiscuous mode.
Dunno. It depends on the chipset. There's a WRT54G based remote
sniffer for Kismet that might work.
<http://www.dd-wrt.com/wiki/index.php/Kismet_Server/Drone>
<http://www.renderlab.net/projects/wrt54g/openwrt.html>
<http://www.wirelessforums.org/alt-internet-wireless/what-kismet-drone-why-cant-kismet-work-windows-my-wireless-card-25203.html#post130324>
It solves a big problem with using things like the Bullet M2 and a
high gain antenna, where you can usually only see one side of the
wireless link. However, with a suitably located (i.e. in the beam
path) remote sniffer, that's no longer an issue.
Re: WISP wifi in the santa cruz mountains security question (nosy neighbors)
On Wed, 26 Sep 2012 00:57:07 -0700, miso <miso@sushi.com> wrote:
>The chipset determines if it can be promiscuous. If you can stomach the
>FCC product website, you can probably determine the chipset used. [Get
>the FCC ID off the unit.]
This might help:
<http://en.wikipedia.org/wiki/Comparison_of_open-source_wireless_drivers#Driver_capabilities>
There's a difference between promiscuous mode and monitor mode.
<http://airsnort.shmoo.com/faq.html#Q3>
What you want is monitor mode because promiscuous mode requires
associating with the access point.
The problem is that many programs, sites, and users mix up these two
modes, resulting in some confusion. I've managed to confuse them more
often than I care to admit.
Re: WISP wifi in the santa cruz mountains security question (nosyneighbors)
On 9/26/2012 9:56 AM, Jeff Liebermann wrote:
> On Wed, 26 Sep 2012 00:57:07 -0700, miso <miso@sushi.com> wrote:
>
>> The chipset determines if it can be promiscuous. If you can stomach the
>> FCC product website, you can probably determine the chipset used. [Get
>> the FCC ID off the unit.]
>
> This might help:
> <http://en.wikipedia.org/wiki/Comparison_of_open-source_wireless_drivers#Driver_capabilities>
>
> There's a difference between promiscuous mode and monitor mode.
> <http://airsnort.shmoo.com/faq.html#Q3>
> What you want is monitor mode because promiscuous mode requires
> associating with the access point.
>
> The problem is that many programs, sites, and users mix up these two
> modes, resulting in some confusion. I've managed to confuse them more
> often than I care to admit.
>
> <http://en.wikipedia.org/wiki/Monitor_mode>
> <http://en.wikipedia.org/wiki/Promiscuous_mode>
>
> Oh yeah... welcome to the dark side.
>
But the wiki put kismet on the promiscuous page, yet kismet is supposed
to be totally passive.
So is Netstumbler using promiscuous mode, and kismet using monitor mode?
Re: WISP wifi in the santa cruz mountains security question (nosyneighbors)
On 9/26/2012 9:46 AM, Jeff Liebermann wrote:
> On Wed, 26 Sep 2012 04:26:01 +0000 (UTC), Johannes
> <johannes32@yahoo.com> wrote:
>
>> On Mon, 24 Sep 2012 22:06:03 -0700, Jeff Liebermann wrote:
>>
>> Hi Jeff,
>> Thanks for taking the question.
>>
>>> If your connection to the WISP is via WPA2-RADIUS, it can't be sniffed.
>>> If the connection is via an unencrypted link, it can be easily sniffed.
>
>> My connection is WPA2-PSK (I have the password; it is the same for all
>> the neighbors).
>
> It can be sniffed over the air. Airpcap and Wireshark on Linux work
> just fine. Plenty of other utilities. See Backtrack-Linux for
> everything on a live DVD.
>
>>> If the WISP has the central AP setup with "Client Isolation", so that
>>> the various clients cannot see each other, then the neighbors can't
>>> sniff your connection. However, if you can see their IP addresses, that
>>> probably means that you can also see their broadcasts, which means that
>>> "Client Isolation" is probably off.
>
>> Drat. I can clearly see them in the "DISCOVERY" mode!
>> I can even tell who they are because I know their names and their SSIDs
>> are their names.
>
> Please tell the WISP operator that he needs to enable client isolation
> on his Ubiquiti whatever. It will also save him some bandwidth as
> broadcast packets will no longer end up going all over the network.
>
>>> It's not possible to sniff the traffic with the Ubiquiti NanoBridge
>>> radio in its present configuration. One would need a radio with
>>> promiscuous mode.
>>
>> Hmmm... I also have a Bullet M2. I wonder if it can be placed in
>> promiscuous mode.
>
> Dunno. It depends on the chipset. There's a WRT54G based remote
> sniffer for Kismet that might work.
> <http://www.dd-wrt.com/wiki/index.php/Kismet_Server/Drone>
> <http://www.renderlab.net/projects/wrt54g/openwrt.html>
> <http://www.wirelessforums.org/alt-internet-wireless/what-kismet-drone-why-cant-kismet-work-windows-my-wireless-card-25203.html#post130324>
> It solves a big problem with using things like the Bullet M2 and a
> high gain antenna, where you can usually only see one side of the
> wireless link. However, with a suitably located (i.e. in the beam
> path) remote sniffer, that's no longer an issue.
>
For those not familiar with Kismet, you don't have to sniff on scene.
The software is designed for remote sniffers as Jeff mentioned, though I
never knew there were Kismet implementations on routers. The remote
client can be on a networked linux PC with suitable wifi adapters. You
can also have multiple wifi adapters on the same PC running kismet.
Re: WISP wifi in the santa cruz mountains security question (nosy neighbors)
On Thu, 27 Sep 2012 22:08:23 -0700, miso <miso@sushi.com> wrote:
>On 9/26/2012 9:56 AM, Jeff Liebermann wrote:
>> On Wed, 26 Sep 2012 00:57:07 -0700, miso <miso@sushi.com> wrote:
>>
>>> The chipset determines if it can be promiscuous. If you can stomach the
>>> FCC product website, you can probably determine the chipset used. [Get
>>> the FCC ID off the unit.]
>>
>> This might help:
>> <http://en.wikipedia.org/wiki/Comparison_of_open-source_wireless_drivers#Driver_capabilities>
>>
>> There's a difference between promiscuous mode and monitor mode.
>> <http://airsnort.shmoo.com/faq.html#Q3>
>> What you want is monitor mode because promiscuous mode requires
>> associating with the access point.
>>
>> The problem is that many programs, sites, and users mix up these two
>> modes, resulting in some confusion. I've managed to confuse them more
>> often than I care to admit.
>>
>> <http://en.wikipedia.org/wiki/Monitor_mode>
>> <http://en.wikipedia.org/wiki/Promiscuous_mode>
>>
>> Oh yeah... welcome to the dark side.
>But the wiki put kismet on the promiscuous page, yet kismet is supposed
>to be totally passive.
>
>So is Netstumbler using promiscuous mode, and kismet using monitor mode?
Kismet is used as an example for BOTH modes in the two Wikipedia
articles. I would call it a passive sniffer and thus use monitor
mode.
This tangled mess is much like NAT and PAT. Everyone calls it NAT,
but it's really PAT. Sigh.
With promiscuous mode, the way it works is after the client (sniffer)
associates with the access point and exchanges WPA encryption keys, it
usually just listens for traffic with itself as a target MAC address
and discards traffic addressed to other MAC addresses. What
promiscuous mode does is eliminate this filter, and let the wireless
card decode everything that it hears including traffic destined for
other client radios. Because an encryption key is exchanged, all the
captured traffic is decrypted. However, that applies only to WPA-PSK
(pre-shared key) where everyone uses the same key. With WPA-RADIUS,
every client's key is different, so only the traffic to/from the client
is readable.
In monitor mode, there's no association with an access point, and no
encryption key exchange. The client radio just sucks up everything
that it hears, encrypted data packets, broadcasts, management packets,
etc. After all this stuff is captured and saved to a file, it is
decrypted using one of several utilities.
The chipset has to be able to do monitor mode. That's pretty much
everything.
However, there's a problem. To fire up kismet drone, one runs:
wl ap 0
wl disassoc
wl passive 1
wl promisc 1
./kismet_drone -f conf/kismet_drone.conf
The
wl promisc 1
line is really odd since kismet drone does not send out probes or
associate with access points. However, that has changed, which
suggests that the article is rather old. My dd-wrt wl command lacks
the promisc option, but has a:
wl monitor 1
option. It's still wrong because the command:
wl passive 1
also turns on monitor mode. Muddle, muddle, toil and trouble...
Here's another set of instructions for Kismet Drone:
<http://www.dd-wrt.com/wiki/index.php/Wrt54g_kismet_with_linux_server>
>>So is Netstumbler using promiscuous mode, and kismet using monitor mode?
> With promiscuous mode, ...
>
> In monitor mode, ...
Nothing I disagree with there, but I think the fundamental difference
between monitor mode and promiscuous is the layer at which you're pulling
information from the NIC, ie in promiscuous mode all you're getting is the
ethernet frames, in monitor mode you get all the 802.11 goodness as well.
--
<http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm@ale.cx)
18:14:02 up 14 days, 16:32, 7 users, load average: 0.19, 0.54, 0.58
Qua illic est reprehendit, illic est a vindicatum
Re: WISP wifi in the santa cruz mountains security question (nosy neighbors)
On Fri, 28 Sep 2012 18:16:05 +0100, alexd <troffasky@hotmail.com>
wrote:
>Jeff Liebermann (for it is he) wrote:
>
>> On Thu, 27 Sep 2012 22:08:23 -0700, miso <miso@sushi.com> wrote:
>
>>>So is Netstumbler using promiscuous mode, and kismet using monitor mode?
>
>> With promiscuous mode, ...
>>
>> In monitor mode, ...
>
>Nothing I disagree with there, but I think the fundamental difference
>between monitor mode and promiscuous is the layer at which you're pulling
>information from the NIC, ie in promiscuous mode all you're getting is the
>ethernet frames, in monitor mode you get all the 802.11 goodness as well.
Thanks. That makes sense. When you're associated with an access
point as in promiscuous mode, the hardware takes care of encapsulating
the 802.3 ethernet packets inside 802.11 wireless packets. However,
when in monitor mode, the monitoring software has to extract the 802.3
ethernet stuff from the 802.11 wrapper. One of the joys of monitor
mode is that the card does not check for CRC errors or know how to
deal with retransmissions. On a collision or interference infested
link, the decodes will be full of errors and repetitions. The
Wireshark and Aireplay decoders have features that help, but the raw
stuff is rather ugly.
More of the same:
<http://paperlined.org/sysadmin/network/wifi_sniffing.html>
<http://www.speedguide.net/faq_in_q.php?qid=282>
<http://support.microsoft.com/kb/294818>
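The layering difference alexd and Jeff describe, shown in code. This is an added example, not code from any poster: a small parser for what a monitor-mode card hands up (the raw 802.11 data frame with its Frame Control flags and FCS) beside the 802.3 frame a managed or promiscuous-mode card would deliver instead. The MAC addresses and both frames are constructed for the demonstration; the "WPA" frame's body is a stand-in for CCMP ciphertext, which is why no Ethernet frame can be rebuilt from it without the key.

```python
import struct
import zlib

# Flag bits in the second byte of the 802.11 Frame Control field.
TO_DS, FROM_DS, RETRY, PROTECTED = 0x01, 0x02, 0x08, 0x40
LLC_SNAP = bytes.fromhex("aaaa03000000")   # LLC/SNAP header that precedes the EtherType

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_dot11(frame, has_fcs=True):
    """Parse what monitor mode hands you: a raw 802.11 data frame, FCS included."""
    body, fcs_ok = frame, None
    if has_fcs:
        # The 802.11 FCS is the same CRC-32 as Ethernet's, sent little-endian. A card
        # in monitor mode passes damaged frames up, so the capture tool must check it.
        body = frame[:-4]
        fcs_ok = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) == frame[-4:]
    fc0, flags = body[0], body[1]
    if (fc0 >> 2) & 0x3 != 2:
        raise ValueError("only data frames are handled here")
    a1, a2, a3 = body[4:10], body[10:16], body[16:22]
    to_ds, from_ds = bool(flags & TO_DS), bool(flags & FROM_DS)
    hdr_len = 24
    if to_ds and from_ds:            # 4-address (WDS) frame; RA stands in for bssid
        da, sa, bssid, hdr_len = a3, body[24:30], a1, 30
    elif from_ds:                    # AP -> station
        da, bssid, sa = a1, a2, a3
    elif to_ds:                      # station -> AP
        bssid, sa, da = a1, a2, a3
    else:                            # ad-hoc / direct
        da, sa, bssid = a1, a2, a3
    if (fc0 >> 4) & 0x8:             # QoS data subtypes carry a 2-byte QoS control field
        hdr_len += 2
    return {"da": mac(da), "sa": mac(sa), "bssid": mac(bssid),
            "to_ds": to_ds, "from_ds": from_ds, "retry": bool(flags & RETRY),
            "protected": bool(flags & PROTECTED), "fcs_ok": fcs_ok,
            "payload": body[hdr_len:]}

def dot11_to_ethernet(parsed):
    """Rebuild the 802.3 frame a managed/promiscuous-mode card would hand up.
    Returns None for a protected frame: without the WPA key there is only ciphertext."""
    p = parsed["payload"]
    if parsed["protected"] or not p.startswith(LLC_SNAP):
        return None
    dst = bytes.fromhex(parsed["da"].replace(":", ""))
    src = bytes.fromhex(parsed["sa"].replace(":", ""))
    return dst + src + p[6:8] + p[8:]    # DA, SA, EtherType, payload

def build_frame(flags, da, bssid, sa, body):
    """Constructed sample AP->station data frame (FromDS address order) with a valid FCS."""
    f = bytes([0x08, flags]) + b"\x00\x00" + da + bssid + sa + b"\x10\x00" + body
    return f + struct.pack("<I", zlib.crc32(f) & 0xFFFFFFFF)

# Constructed addresses and frames: one open (LLC/SNAP + IPv4) and one with the
# Protected bit set, whose body stands in for CCMP ciphertext.
DA, BSSID, SA = (bytes.fromhex(h) for h in ("0a1b2c3d4e01", "0a1b2c3d4e00", "0a1b2c3d4e02"))
OPEN_FRAME = build_frame(FROM_DS, DA, BSSID, SA, LLC_SNAP + b"\x08\x00" + b"IPv4 payload")
WPA_FRAME = build_frame(FROM_DS | PROTECTED, DA, BSSID, SA, bytes(8) + b"\xde\xad\xbe\xef")

if __name__ == "__main__":
    for name, frame in (("open", OPEN_FRAME), ("wpa", WPA_FRAME)):
        p = parse_dot11(frame)
        print(name, p["da"], "<-", p["sa"], "protected:", p["protected"], "fcs_ok:", p["fcs_ok"])
        print("  ethernet view:", dot11_to_ethernet(p))
```

Flipping one payload byte of the open frame makes `fcs_ok` come back False, which is the check Wireshark performs for you on a monitor-mode capture.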
Re: WISP wifi in the santa cruz mountains security question (nosyneighbors)
On 9/28/2012 2:34 PM, Jeff Liebermann wrote:
> On Fri, 28 Sep 2012 18:16:05 +0100, alexd <troffasky@hotmail.com>
> wrote:
>
>> Jeff Liebermann (for it is he) wrote:
>>
>>> On Thu, 27 Sep 2012 22:08:23 -0700, miso <miso@sushi.com> wrote:
>>
>>>> So is Netstumbler using promiscuous mode, and kismet using monitor mode?
>>
>>> With promiscuous mode, ...
>>>
>>> In monitor mode, ...
>>
>> Nothing I disagree with there, but I think the fundamental difference
>> between monitor mode and promiscuous is the layer at which you're pulling
>> information from the NIC, ie in promiscuous mode all you're getting is the
>> ethernet frames, in monitor mode you get all the 802.11 goodness as well.
>
> Thanks. That makes sense. When you're associated with an access
> point as in promiscuous mode, the hardware takes care of encapsulating
> the 802.3 ethernet packets inside 802.11 wireless packets. However,
> when in monitor mode, the monitoring software has to extract the 802.3
> ethernet stuff from the 802.11 wrapper. One of the joys of monitor
> mode is that the card does not check for CRC errors or know how to
> deal with retransmissions. On a collision or interference infested
> link, the decodes will be full of errors and repetitions. The
> Wireshark and Aireplay decoders have features that help, but the raw
> stuff is rather ugly.
>
> More of the same:
> <http://paperlined.org/sysadmin/network/wifi_sniffing.html>
> <http://www.speedguide.net/faq_in_q.php?qid=282>
> <http://support.microsoft.com/kb/294818>
>
>
I assume that if I wanted to only sniff one particular user, say the
hedge fund manager in the next office over, I could park kismet on the
appropriate channel using monitor, but then filter with wireshark. That
way I'd only get the useful packets.