Airscanner sniffer for good and not evil

Lost Dog · 05-14-03, 01:40 PM

Yesterday I received my Netgear WGR614 (802.11 b/g) router and I have the MA701 (I think that is the number) CF Card. After playing with PocketWarrior and the Airscanner Mobile Sniffer I was shocked at the number of unprotected access points in my neighborhood (four of them can be accessed from my house). All the router values are at defaults (even login and password for router control).

This made me very paranoid about my new setup so I decided to ‘hack’ myself with different settings. I have done the following and it seems pretty secure:

Changed the Default SSID (I’m trying to figure out if I can disable the SSID broadcast)
Access restricted by MAC addresses
128 bit WEP
Only three static IPs are issued (two computers and my Axim) and only by MAC address
Router password changed from default ‘password’

Removing the Axim from the restricted MAC list I tried to see what I could do… So far I cannot see anything past the SSID using PocketWarrior any other snooping device.

The one thing I am concerned with is the use of packet sniffers. If I run Airscanner while connected with my Axim, even with WEP activated I can still see EVERYTHING that gets transmitted. I guess my question is at what point are the packets encrypted?

Is it:

Axim -> Airscanner sniffer -> Encryption -> Transmitted to router
Or
Axim -> Encryption -> Airscanner sniffer -> Transmitted to router
Or
Axim -> Encryption -> Transmitted to router-> Airscanner sniffer

Yes, the packet sniffer is on the same device that is doing the transmitting but it concerns me that I can still see the content of all the packets. Is this due to Airscanner reading it before it is transmitted?

Has anyone else played with this on their own systems (NOT HACKING NEIGHBORS)?

Please keep this discussion to personal security and not exploiting others.

stevenrp · 05-14-03, 02:04 PM

You mentioned that you can see 4 other networks from your house. Are you sure that you're not inadvertently scanning one of those? Make sure you give the Ax a static IP so you're sure to be scanning your network and not the nieghbors. If that's not the issue, could it be that you still have the WEP key configured on your Ax? Just a guess though, I;m not sure if that would be the reason.

aces4me · 05-14-03, 02:39 PM

The sniffer must be inside the encryption loop because WEP encrypted packet are not clear text when viewed by a wireless sniffer. That doesnt mean that those packets are safe however. There are programs that given enough packets from your wireless network(encrypted) will find your WEP key (key length is not much of an issue) and then your network is open to this person. WEP is better than nothing but not my a whole lot.

Lost Dog · 05-14-03, 02:40 PM

Yes, the Axim has a static IP so I can see in the packet where it is being transmitted and recieved.

I do have WEP configured on both the router and Axim and I suspect that the packet sniffer is picking up the packets before they are encrypted and broadcast (remember I have the packet sniffer on the same device I am accessing the router with).

If only I had a second Axim to test :D

stevenrp · 05-14-03, 03:13 PM

Quote:

Originally posted by Lost Dog
Yes, the Axim has a static IP so I can see in the packet where it is being transmitted and recieved.

I do have WEP configured on both the router and Axim and I suspect that the packet sniffer is picking up the packets before they are encrypted and broadcast (remember I have the packet sniffer on the same device I am accessing the router with).

If only I had a second Axim to test :D

Oh so this is the only wireless device you have? Your PC's are wired to the router? You could be right about the the packets being read first. But what I meant was remove the WEP key from your Ax. That would be a more real world test. If your other PC's are wired to the router, you should still see the traffic coming from them.

snowmoon · 05-14-03, 04:35 PM

It's more like...

sniffer <-> axim <-> wep <-> AP.

Any wireless device with the WEP key can see all traffic within range of the device. If you don't have the WEP you can still SEE the traffic, but the data portion will be encrypted and un-readable. With sufficient ammount of traffic WEP is crackable with a few simple programs ( sorry, none for ax yet ).

Lost Dog · 05-14-03, 05:17 PM

Quote:

Oh so this is the only wireless device you have?

Correct... At some point I will network my TiVo and another computer out in the garage but for now the Ax is my only wireless product.

Quote:

If your other PC's are wired to the router, you should still see the traffic coming from them.

My wired computer connects to the router then internet. I do not have any computer to computer or computer to Ax file sharing going on. Are you saying that even the wired traffic gets spewed out wireless?

stevenrp · 05-14-03, 07:47 PM

Quote:

Originally posted by Lost Dog
Are you saying that even the wired traffic gets spewed out wireless?

If the wired PC is talking to a wireless PC, or vice-versa, on the network, yes then the traffic is airborne.

Lost Dog · 05-14-03, 08:01 PM

Quote:

Originally posted by stevenrp
If the wired PC is talking to a wireless PC, or vice-versa, on the network, yes then the traffic is airborne.

Ah yes, that makes sense but from your other message I thought you meant it would broadcast anything that went through the wireless router (even wired internet).

In other words my wired computer is going to the wired internet and not to another wireless device... It only broadcasts what is going to something wireless...

stevenrp · 05-14-03, 08:49 PM

Sorry about that. Should've been more clear. From my test with the airscanner, the only packets that are going into the air are those bound with a destination that includes traveling wirelessly. I didn;t ever see any Internet access from a wired PC.