# How to detect someone being in promiscuous mode (in WLAN)?

## stolar

Hello,

Generally I am very much interested in the potential possibilities (if there actually are any) of noticing that someone has set his wireless network card into monitor mode, is collecting IVs from nearby APs, injecting packets, etc. I would be grateful for any suggestions or links, also concerning the hardware/electronic approach to the problem if, for example, doing this via software would be extremely difficult or even impossible.

----------

## merlijn

Correct me if I'm wrong, but I don't think there is any possibility to keep track of such things (well, apart from injection maybe). Wireless networking is just very prone to security breaches without proper encryption: all the data will fly through the air and can be collected by anybody within reach of the AP (and near the wireless client, if you want to capture those packets as well). Injection could possibly be made difficult by making a rule inside the configuration that a client can only do 20 requests anonymously, and if it tries any more without being connected to the AP, ban it for 2 minutes. 20 requests should be enough to get some ARP packets back and forth and get DHCP working, I guess. Note that this will make injection difficult, not impossible!

Anyway for proper security you need to use something like wpa2 enterprise or 801.X with ttls, and hide your AP from discovery.

Hope this answers your question a little bit.
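As an added example (not code from the thread or from any poster), here is merlijn's rate-limit rule written as a small sliding-window limiter in Python: anonymous (unassociated) requests are counted per MAC over a rolling window, and a station that exceeds the limit is dropped for 2 minutes. The 60-second window is an assumption (the post only gives the 20-request limit and the 2-minute ban); the MAC addresses and frame records are constructed sample input.

```python
from collections import deque

WINDOW_S = 60   # assumption: anonymous requests are counted per rolling minute
LIMIT = 20      # from the post: 20 anonymous requests are allowed
BAN_S = 120     # from the post: offenders are banned for 2 minutes


class AnonRateLimiter:
    """Sliding-window limiter for requests from stations not associated with the AP."""

    def __init__(self, limit=LIMIT, window_s=WINDOW_S, ban_s=BAN_S):
        self.limit, self.window_s, self.ban_s = limit, window_s, ban_s
        self.recent = {}        # mac -> timestamps of recent anonymous requests
        self.banned_until = {}  # mac -> time at which the ban expires

    def check(self, ts, mac, associated):
        """Return 'allow', 'drop' (still banned) or 'ban' (this request triggered a ban)."""
        until = self.banned_until.get(mac)
        if until is not None:
            if ts < until:
                return "drop"
            del self.banned_until[mac]          # ban has expired, start over
        if associated:
            return "allow"                      # associated clients are not limited
        q = self.recent.setdefault(mac, deque())
        q.append(ts)
        while q and ts - q[0] > self.window_s:  # forget requests outside the window
            q.popleft()
        if len(q) > self.limit:
            self.banned_until[mac] = ts + self.ban_s
            q.clear()
            return "ban"
        return "allow"


def run(frames, limiter=None):
    """Classify a sequence of (timestamp, src_mac, associated) records."""
    limiter = limiter or AnonRateLimiter()
    return [limiter.check(ts, mac, assoc) for ts, mac, assoc in frames]


# Constructed sample: 25 anonymous requests in 25 s from one station, one request
# from an associated client, then the first station again after its ban expired.
SAMPLE_FRAMES = (
    [(t, "aa:bb:cc:00:00:01", False) for t in range(25)]
    + [(30, "aa:bb:cc:00:00:02", True)]
    + [(140, "aa:bb:cc:00:00:01", False)]
)

if __name__ == "__main__":
    for frame, verdict in zip(SAMPLE_FRAMES, run(SAMPLE_FRAMES)):
        print(frame, verdict)
```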

----------

## stolar

Thank you, merlijn.

To some extent that is exactly what I wanted to know (although I still believe that there is, at least in theory or from the physical point of view, a possibility to also detect the passive IV collection done using only airodump).

*merlijn wrote:*

> Injection could possibly be made difficult by making a rule inside the configuration that a client can only do 20 requests anonymously, and if it tries any more without being connected to the AP ban it for 2 minutes. 20 requests should be enough to get some ARP packets back and forth and get dhcp working I guess. Note that this will make injection difficult, not impossible!

Since so far I am only about to buy a wireless router and have never done this before, could you please specify whether you are talking about a router feature or whether it can be done by software?

*merlijn wrote:*

> Anyway for proper security you need to use something like wpa2 enterprise or 801.X with ttls, and hide your AP from discovery.

By mentioning TTLS, do you mean to set the TTL to 1 to prevent someone routing my signal? Or maybe it should be some other fixed number, and then monitor those who have it different? Can I, using this technique, prevent someone from even connecting to my network?

----------

## merlijn

*stolar wrote:*

> To some extent that is exactly what I wanted to know (although I still believe that there is at least in theory or so far from the physical point of view a possibility to detect also the passive IVs collection using only airodump).

Well, the only theory I could think of to detect passive IV collection would be to monitor the entire wireless range with antennas. I believe when some device is connected to an AP, the link quality will drop within about 3-5 feet from the laptop. I remember having learned something about this in school, but I can't remember the English words to describe it. However, when you want to start monitoring this, you might be better off with a plain old wired network.

*stolar wrote:*

> Since so far I am only about to buy a wireless router but have naever done this before, could You please specify whether You are talking about a router feature or it can be done by software?

It should be possible by software; probably iptables can do it. I have no idea if any router is capable of such things, I just have never tried (I'm pretty sure I am the only one playing with the wireless networks in my neighbourhood).

*stolar wrote:*

> By mentioning ttls You mean to set the ttl for 1 to prevent someone routing my signal?Or maybe it should be some other fixed number and then to monitor those who have it different? Can I using this technique prevent someone from even being connecting to my network?

TTLS is an authentication protocol, and has nothing to do with the time-to-live. Setting the time-to-live to such a small value will probably make the network unusable and will have the effect of many dropped packets under heavy load.

Cheers,

----------

## stolar

Thank you, merlijn, once again :)

Especially for the last part. I shall have a closer look at this stuff concerning iptables and TTLS; I guess that so far I am on a good path.

*merlijn wrote:*

> I remember having learned something about this in school, but I can't remember the english words to describe it.

The things you wrote about this are really interesting. I will try to get to know a bit more about it... but if you happen to have some links or book titles on this stuff (even not in English), I would be very grateful, since in fact I am an electronics and telecommunications student but so far haven't heard about something like that :( or at least I haven't associated some more general antenna property with this particular problem. I am hoping for a more specific WLAN (or at least generally microwave) antennas course in the future (there should be one next semester ;)...

Best regards

----------

## NeddySeagoon

stolar,

Wireless is inherently insecure as anyone can receive it without being detected. The saving grace is that they must be relatively close.

Anyone doing injection can be detected by the traffic they cause on your AP.

There are really two schools of thought to securing wireless networking:

1. Don't bother - secure the traffic they carry instead, e.g. use ssh or VPN.

2. Send the traffic in the clear and do the encryption at the wireless level.

3. For the paranoid - do both.

With 1) anyone can connect to your WLAN and use your bandwidth. That may or may not be a problem.

Students downloading porn are just a nuisance. Spammers using your IP for sending emails will get you blacklisted very quickly.

With 2) you are probably lulling yourself into a false sense of security. When these security protocols are compromised, it's difficult to update your wireless equipment to address the issue.

I'm in favour of 3). Do enough wireless encryption to make these casual attackers find somewhere easier, but don't trust them with your data.

----------

## GNUtoo

Does your router run Linux?

If yes, you can install http://www.snort-wireless.org/

I think that Kismet can also detect people that are "probing but never participating", but I don't think you can do anything with Kismet to prevent the attack from happening.
