Identifying Wireless Network Defense and Countermeasures
Although not defined in the 802.11 specification, most vendors
have implemented MAC-level access control to help beef up the
security of the inherently insecure 802.11. When using MAC access
control, the admin will define a list of "approved" client MAC
addresses that are allowed to connect to the access point. While this
may be feasible on small networks, it does require the administrator
to track the MAC addresses of all wireless clients and can become a
burden in larger installations.
Besides the administrator overhead, the MAC address does not
provide a good security mechanism because it is both easily
observable and reproducible. Any of the station MACs can be observed
with a wireless sniffer, and the attacker's MAC address can be
changed easily in most cases. Therefore, the attacker simply needs
to monitor the network, note the clients that are connecting
successfully to the access point, and then change their MAC address
to match one of the working clients.
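Because a copied MAC address satisfies the access list, the remaining signal for a defender is the traffic itself. The sketch below is an added example, not part of the original text: it flags a MAC address whose 12-bit 802.11 sequence numbers jump as if two radios were sharing it. It assumes a sensor has already extracted (source MAC, sequence number) pairs from captured frames; the function names, thresholds and sample frames are constructed for illustration.

```python
# Added example: flag a MAC address that appears to be used by two radios.
# Input is assumed to be (source MAC, 802.11 sequence number) pairs in
# capture order, already extracted from frames by a wireless sensor.
from collections import defaultdict

SEQ_MODULUS = 4096   # the 802.11 sequence number is a 12-bit counter
MAX_GAP = 64         # assumed tolerance for frames the sensor missed


def seq_gap(prev, cur):
    """Forward distance from prev to cur on the wrapping 12-bit counter."""
    return (cur - prev) % SEQ_MODULUS


def suspected_shared_macs(frames, max_gap=MAX_GAP, min_anomalies=3):
    """Return {mac: anomaly_count} for MACs whose sequence numbers jump
    in a way a single transmitter would not produce."""
    last_seq = {}
    anomalies = defaultdict(int)
    for mac, seq in frames:
        mac = mac.lower()
        if mac in last_seq:
            # gap 0 is a retransmission, a small gap is missed frames;
            # a large gap (including going backwards) is an anomaly.
            if seq_gap(last_seq[mac], seq) > max_gap:
                anomalies[mac] += 1
        last_seq[mac] = seq
    # Require several anomalies so one station reset does not raise an alert.
    # Caveat: QoS stations keep a counter per traffic class, so track those
    # separately in a real sensor to avoid false positives.
    return {m: n for m, n in anomalies.items() if n >= min_anomalies}


def sample_frames():
    """Constructed capture: a normal client, a client whose counter wraps,
    and one MAC whose frames interleave two independent counters."""
    normal = [("00:11:22:33:44:01", s) for s in (10, 11, 13, 20, 21, 22)]
    wrapping = [("00:11:22:33:44:02", s) for s in (4094, 4095, 0, 1, 2)]
    shared = [("00:11:22:33:44:03", s)
              for s in (100, 3000, 101, 3001, 102, 3002)]
    return normal + wrapping + shared


if __name__ == "__main__":
    for mac, count in suspected_shared_macs(sample_frames()).items():
        print(f"{mac}: {count} sequence anomalies, possible shared MAC")
```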
Since it's not defined in the 802.11 spec, there is no packet
flag that says "I'm using MAC ACLs," but you can usually figure this
out via deduction. If you have a correct SSID and WEP key but still
aren't able to associate, the access point may be using MAC filtering.
AiroPeek NX has an easy way to see the relationships of systems on the wireless network. Its Peer Map,