-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

While evaluating several overlay WLAN IDS products for a Network Computing product review, I had the opportunity to examine different vendors' implementations of WLAN session containment. WLAN session containment is very similar to persistent session sniping on traditional wired IDS products, attempting to prevent a station from connecting to a protected access point.

Traffic analysis for each vendor demonstrated unique characteristics in how WLAN IDS products implement session containment, making it possible to fingerprint the WLAN IDS system in use. This is especially advantageous to an attacker, as there is a significant discrepancy in the number of attacks that each WLAN IDS product can detect. A chart indicating the attacks I used and how vendors responded is available at http://www.nwc.com/shared/article/printFullArticle.jhtml?articleID=164302965

I also discovered that at least one vendor's attempt to contain a session could be bypassed by modifying wireless drivers to ignore deauthenticate and disassociate frames altogether. A patch for the Linux MADWIFI drivers is included in the full text of the article, available at http://i.cmpnet.com/nc/1612/graphics/SessionContainment_file.pdf.

Comments welcome, thanks.

- -Josh

- -- 
- -Joshua Wright
jwright@xxxxxxxxxxx
http://802.11ninja.net
pgpkey:      http://802.11ninja.net/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

Today I stumbled across the world's largest hotspot. The SSID is "linksys".

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQrrGFo/i/ArUS0pzEQL6gwCgrFy1GERI/WHmwpdPBkYrjjcACEQAn3oT
ep4IL9bFREx201aS0AD+Uotm
=VCKN
-----END PGP SIGNATURE-----
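As an added example (not part of Josh's post or the Network Computing article), the following standard-library Python script shows what the "traffic analysis" side of the post looks like in practice: it parses raw 802.11 management frames, picks out the deauthentication and disassociation frames that session containment relies on, and builds a per-BSSID profile of a containment burst. The post does not say which characteristics distinguish one vendor's implementation from another, so the profile simply collects observable ones (reason codes, whether frames are spoofed from the AP side, the client side or both, inter-frame timing, and sequence-number reuse) without mapping them to any product. The sample capture, the 1-second window, the 5-frame threshold and the reason codes chosen for the sample are constructed assumptions for illustration.

```python
"""
Profile 802.11 "session containment" traffic: bursts of deauthentication and
disassociation frames aimed at a station and/or its access point.
Standard library only; input frames are raw 802.11 management frames
(no radiotap header). Example code, not from the original post.
"""
import struct
from collections import defaultdict

TYPE_MGMT = 0
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
CONTAINMENT_SUBTYPES = (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH)


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def parse_mgmt(frame):
    """Return header fields of a management frame, or None for non-management
    or truncated input. The reason code is decoded for deauth/disassoc only."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != TYPE_MGMT:          # bits 2-3 of frame control: type
        return None
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    info = {
        "subtype": (fc >> 4) & 0xF,           # bits 4-7: subtype
        "da": mac_str(frame[4:10]),           # addr1: receiver
        "sa": mac_str(frame[10:16]),          # addr2: transmitter
        "bssid": mac_str(frame[16:22]),       # addr3: BSSID
        "seq": seq_ctrl >> 4,                 # upper 12 bits; low 4 are the fragment number
        "reason": None,
    }
    if info["subtype"] in CONTAINMENT_SUBTYPES and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def build_mgmt(subtype, da, sa, bssid, seq, reason=None):
    """Build a minimal management frame (used here only to construct sample input)."""
    fc = (subtype << 4) | (TYPE_MGMT << 2)
    frame = struct.pack("<HH", fc, 0) + mac_bytes(da) + mac_bytes(sa) + mac_bytes(bssid)
    frame += struct.pack("<H", seq << 4)
    if reason is not None:
        frame += struct.pack("<H", reason)
    return frame


def profile_containment(capture, window=1.0, threshold=5):
    """capture: iterable of (timestamp_seconds, raw_frame). Returns a profile for
    each BSSID whose deauth/disassoc count reaches `threshold` inside any `window`.
    Window and threshold are assumed values, tune them for the environment."""
    per_bssid = defaultdict(list)
    for ts, raw in capture:
        f = parse_mgmt(raw)
        if f and f["subtype"] in CONTAINMENT_SUBTYPES:
            per_bssid[f["bssid"]].append((ts, f))

    profiles = {}
    for bssid, events in per_bssid.items():
        events.sort(key=lambda e: e[0])
        peak, start = 0, 0
        for i, (ts, _) in enumerate(events):  # sliding window: largest burst size
            while events[start][0] < ts - window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak < threshold:
            continue
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        profiles[bssid] = {
            "frames": len(events),
            "peak_per_window": peak,
            "subtypes": sorted({f["subtype"] for _, f in events}),
            "reason_codes": sorted({f["reason"] for _, f in events}),
            "spoofed_from_ap": sum(1 for _, f in events if f["sa"] == bssid),
            "spoofed_from_client": sum(1 for _, f in events if f["da"] == bssid),
            "seq_reused": len({f["seq"] for _, f in events}) < len(events),
            "mean_gap_ms": round(1000 * sum(gaps) / len(gaps), 1) if gaps else None,
        }
    return profiles


def sample_capture():
    """Constructed sample: a 12-frame containment burst against one client
    (deauth toward the client and disassoc toward the AP, alternating, 10 ms
    apart, all with sequence number 0), plus a beacon and one isolated deauth
    on another BSS that must not be flagged."""
    ap, client = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    other_ap, other_cl = "00:de:ad:be:ef:00", "00:ca:fe:00:00:01"
    cap = []
    for i in range(12):
        if i % 2 == 0:  # spoofed AP -> client, reason 7 (class 3 frame from non-associated STA)
            cap.append((0.01 * i, build_mgmt(SUBTYPE_DEAUTH, client, ap, ap, 0, 7)))
        else:           # spoofed client -> AP, reason 8 (STA is leaving the BSS)
            cap.append((0.01 * i, build_mgmt(SUBTYPE_DISASSOC, ap, client, ap, 0, 8)))
    cap.append((0.05, build_mgmt(SUBTYPE_BEACON, "ff:ff:ff:ff:ff:ff", other_ap, other_ap, 100)))
    cap.append((0.5, build_mgmt(SUBTYPE_DEAUTH, other_cl, other_ap, other_ap, 101, 3)))
    return cap


if __name__ == "__main__":
    for bssid, p in profile_containment(sample_capture()).items():
        print(bssid, p)
```

Run against a real capture, feed it (timestamp, frame) pairs with the radiotap or PRISM header stripped; the profile then records which direction the containment frames are spoofed in, which reason codes a given product uses, how tightly spaced they are, and whether the injector bothers to advance sequence numbers. Those are exactly the kind of per-implementation details a station that has patched its driver to ignore deauth and disassoc frames, as the post describes, would never act on, which is why containment that relies on those frames alone can be bypassed.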