

Paul Rubens' professional review of AirPcap

Admin notice:
This post was moved by admin from the AirPcap Wireless Network Analysis Technology (802.11A/B/G/N) board to this board (2010-01-08)

AirPcap Helps Unix Security Classics Do Windows
October 18, 2007
By Paul Rubens



If you don't have Linux skills or convenient access to a laptop with Linux on it, then managing wireless networks has always been rather tricky. That's because it's virtually impossible to do many forms of wireless packet capture or packet injection under Windows, due to the way the Windows networking stacks have been designed. Many vital features of standard Linux wireless auditing tools — like Wireshark (formerly Ethereal) and Aircrack-ng — are simply unavailable in the Windows versions.

For Windows-based security auditing then, the choice has been between running these limited versions of open source tools, or choosing one of the few proprietary — and pricey — Windows wireless auditing software packages from companies like Walnut Creek, CA-based WildPackets or New Zealand-based TamoSoft.



The good news is that Cace Technologies, a company based in Davis, California, now offers an inexpensive USB wireless device called the AirPcap Tx which unlocks the power of tools like Wireshark, Kismet and Aircrack-ng so that they work under Windows with the same feature set as the Linux versions.



"In terms of functionality, we can cover everything you can do in Linux or BSD, but with the advantage of running in Windows," says Loris Degioanni, Cace Technology's chief technology officer. "This is unusual, because normally you can't get raw (wireless) frames from the Windows kernel," he says.

Cace has a good pedigree when it comes to open source software – Gerald Combs, the company's director of open source projects, is the creator of the original Ethereal packet capture and analysis project and now divides his time between the Wireshark project and Cace's commercial activities.

"In making the AirPcap we have taken advantage of our experience with packet capture drivers," says Combs. "The architecture we have come up with is pretty different from the standard capture drivers in Windows. In fact we don't interface with the Windows networking stack at all – we bring a separate driver for our device. This gives us much more freedom in what the adapter does and how. Then we make an open API to interface with Wireshark and Aircrack."



So the AirPcap lets you sniff wireless packets and capture raw 802.11 frames on Windows using open source tools -- something which otherwise can't be done. Actually, this is not quite true. It can be done using certain wireless cards, but only if you are willing to download and use unsupported and illegally obtained proprietary drivers from the likes of WildPackets. Clearly no ethical corporation would be willing to do this, but since black hat hackers no doubt would, the AirPcap at least puts those responsible for corporate security on an equal footing by enabling them to use the same Windows based tools without having to use illegally obtained drivers. (You could argue that "real" hackers would be using Linux, but Windows based tools undoubtedly appeal to script kiddies and wannabe hackers.)

But the AirPcap has a trick up its sleeve that can't be performed with standard wireless cards: since most laptops have at least three USB slots, it's possible to use three AirPcaps simultaneously to monitor three channels – typically the default channels 1, 6 and 11. The data from all the USB devices can then be aggregated into a single stream for analysis by Wireshark or other applications. "Essentially you see all three streams of data as a single capture device," says Degioanni. "If you don't do this, your monitoring software has to channel hop, so you only see 30% of the traffic on a given channel."

Why would you want to monitor three channels at once? "Basic exit point detection is much more reliable without hopping," he says. "Also, there are things you can only do if you are listening on multiple channels, like troubleshooting roaming difficulties when employees are moving from one wireless network to another."
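The two paragraphs above describe why three adapters parked on channels 1, 6 and 11, merged into one stream, beat a single radio that hops between them. The following is an added example, not code from the article or from CACE's AirPcap software: it merges three constructed per-channel capture streams into one time-ordered capture, decodes the 802.11 Frame Control byte to classify each frame, and then simulates what a single hopping sniffer with a 100 ms dwell would have seen. The frame bytes, timestamps, MAC addresses and the deauth burst on channel 6 are all fabricated for the demonstration.

```python
"""Constructed example (not from the article or from CACE/AirPcap): merging three
per-channel monitor captures into one time-ordered stream and comparing it with a
single channel-hopping sniffer. All frames, addresses and timestamps are fabricated."""
from collections import Counter
from dataclasses import dataclass
from heapq import merge

# IEEE 802.11 Frame Control byte 0: bits 0-1 protocol version, bits 2-3 type,
# bits 4-7 subtype. Only the subtypes used below are named.
TYPE_NAMES = {0: "mgmt", 1: "ctrl", 2: "data"}
MGMT_SUBTYPES = {0: "assoc-req", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
CHANNELS = (1, 6, 11)   # the default non-overlapping 2.4 GHz channels
DWELL_MS = 100          # how long a hopping sniffer stays on each channel


@dataclass(frozen=True)
class Frame:
    ts_ms: int      # capture timestamp in milliseconds
    channel: int    # channel the adapter that saw this frame was tuned to
    raw: bytes      # 802.11 MAC header onward (no radiotap/PPI header)


def build_frame(ftype, subtype, addr1, addr2, bssid):
    """Build a minimal 24-byte 802.11 header: FC(2) dur(2) addr1 addr2 addr3 seq(2)."""
    fc0 = (subtype << 4) | (ftype << 2)   # protocol version 0
    return bytes([fc0, 0x00]) + b"\x00\x00" + addr1 + addr2 + bssid + b"\x00\x00"


def classify(raw):
    """Decode type/subtype from the first Frame Control byte."""
    ftype = (raw[0] >> 2) & 0x3
    subtype = (raw[0] >> 4) & 0xF
    if ftype == 0:
        return MGMT_SUBTYPES.get(subtype, "mgmt-%d" % subtype)
    return TYPE_NAMES.get(ftype, "reserved")


def aggregate(streams):
    """Merge per-adapter streams (each already ordered by ts_ms) into one capture."""
    return list(merge(*streams, key=lambda f: f.ts_ms))


def hopping_view(frames, channels=CHANNELS, dwell_ms=DWELL_MS):
    """What a single radio would see if it cycled through `channels`, dwell_ms each."""
    return [f for f in frames
            if f.channel == channels[(f.ts_ms // dwell_ms) % len(channels)]]


def count_types(frames):
    return Counter(classify(f.raw) for f in frames)


# Constructed (locally administered) addresses: one fake AP per channel, one client.
AP = {1: bytes.fromhex("02000000ff01"), 6: bytes.fromhex("02000000ff06"),
      11: bytes.fromhex("02000000ff0b")}
BROADCAST = b"\xff" * 6
CLIENT = bytes.fromhex("020000aa0001")


def sample_streams():
    """Constructed traffic: one beacon per 100 ms on each channel for one second,
    plus a burst of five deauth frames on channel 6 between 550 and 590 ms."""
    streams = []
    for ch in CHANNELS:
        s = [Frame(i * 100 + ch, ch, build_frame(0, 8, BROADCAST, AP[ch], AP[ch]))
             for i in range(10)]
        if ch == 6:
            s += [Frame(550 + k * 10, ch, build_frame(0, 12, CLIENT, AP[ch], AP[ch]))
                  for k in range(5)]
            s.sort(key=lambda f: f.ts_ms)
        streams.append(s)
    return streams


def compare():
    """Aggregated three-adapter capture versus a single hopping radio."""
    full = aggregate(sample_streams())
    hopped = hopping_view(full)
    return {"aggregated": count_types(full), "hopping": count_types(hopped),
            "coverage": len(hopped) / len(full)}


if __name__ == "__main__":
    r = compare()
    print("aggregated:", dict(r["aggregated"]))
    print("hopping:   ", dict(r["hopping"]))
    print("hopping coverage: %.0f%%" % (100 * r["coverage"]))
```

With this input the aggregated capture holds all 30 beacons and all 5 deauth frames, while the hopping radio sees 10 beacons and none of the deauths, because it was tuned to channel 11 during the burst. That is the practical point behind Degioanni's remark: detection of short-lived events on a given channel is only reliable when a radio is listening to that channel the whole time.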

There's one more thing that the AirPcap device can do that makes it very unusual: it allows the creation and injection of arbitrary packets onto a network. Although this is quite easy to do under Linux using patched drivers, under Windows this can otherwise only be done in a very limited way by stealing closed source drivers and cobbling together a solution – or by using expensive proprietary software packages.

The big question then, is how well does the AirPcap actually work? It's supplied with versions of Wireshark and the Aircrack suite, and the packet capturing capabilities work well using both Wireshark and Airodump-ng, Aircrack's packet capture application, capturing packets from various unconnected networks for analysis. Packet injection failed to work using the version of Aircrack's injection software supplied with the device, but an updated version from Cace worked seamlessly to inject ARP requests, generating responses from an access point at least as fast as an Atheros-based wireless card with patched drivers under Linux. The device is also supplied with Cain, a powerful Windows based password cracking and ARP cache poisoning tool much beloved by hackers and very useful for password security auditing purposes. Although the packet injection capabilities of the AirPcap don't work with Cain, it is still useful for many other purposes including capturing WPA connection authorizations and subjecting them to brute force or dictionary attacks (the only known WPA vulnerability) to test their strengths.

Overall, what you get in the AirPcap TX is a $298 USB device which is ideal for wireless auditing on the Windows platform using open source wireless security tools. It's certainly true that you can use the same tools under Linux with no financial outlay at all using standard wireless networking hardware, but for anyone responsible for wireless security who is unwilling or unable to use Linux, the AirPcap means that it's now perfectly viable to use Windows instead.

www.airpcap.com.cn
by UniBrains
Posted: 2008-03-18 16:44