
Wireless networks - stumbling and security Network
MacStumbler is a tool for discovery of wireless networks. As far as I know, it's the first such tool on the Mac; if anyone knows of others, please post below. The hold up has been the non-documentation on how to talk to the AirPort card inside a Mac. The author of MacStumbler has reverse engineered some of the code in order to allow interfacing with AirPort cards.

Personally, I have begun using MacStumbler so that I know where all the wireless networks are around my campus ... so I know which classes I can be online in ... to look up course material, really!

Check the link and give feedback so that we can finally catch up to the other platforms in wireless scanning capabilities.

[Editor's note: This article has been in the submission queue for a while; I was debating the merits of posting it, given the potential for abuse. However, it also has great potential benefits for helping secure your wireless networks. For example, if you wish to prevent your network from being seen by MacStumbler (or anyone using other Windows or UNIX-based stumblers), you'll need to go to the Airport Admin Utility and enable the checkbox that reads "Create a closed network". With this box checked, your network will be invisible to MacStumbler (and, I believe, the other stumblers, but I haven't tested those).]

Or maybe not invisible
Authored by: sjonke on Jul 02, '02 10:43:48AM

Way back when, I created a so-called closed network and then discovered that while Apple's software couldn't see it, the freeware Java program Airport Configurator could see the network just fine. It had a "discover networks" or "find networks" or something like that somewhere in the program and it listed my supposedly closed network. Maybe this was a bug that was fixed later, but still I don't think I'd rely on a closed network making it secure. Use 128-bit encryption regardless.

[ Reply to This | # ]
Re: Or maybe not invisible
Authored by: korben on Jul 02, '02 03:05:44PM

The airport admin utility doesn't use the same method to discover access points, and I assume the java configurator works the same way as Apple's utility. It sends out broadcast UDP packets to detect the base station, meaning you have to be already connected to the network in order for the utility to "see" your base station. If your access point is running in closed mode, casual users won't be able to even connect to your base station in the first place, and thus it won't show up in the admin utility.

It is possible for more advanced wireless auditing programs to detect closed networks by sniffing raw 802.11b frames and watching for association requests. I believe kismet for linux or bsd-airtools has this functionality.

But you're right, you should be using WEP anyway.

[ Reply to This | # ]
Works here
Authored by: eagle_eyes on Jul 02, '02 11:13:59AM

I tried it at home with my closed encrypted network and it could not see it. Tried it at work with the non-closed network and it could.

[ Reply to This | # ]
Useful for surveying
Authored by: st3phen on Jul 02, '02 12:25:22PM
I have found MacStumbler useful while doing surveys for determining optimum Airport Base Station (and Avaya) access points. I can't find another application (not on a Windows laptop) that actually gives me numeric readouts of signal and noise. Imagine that! The bars on the Airport menu item are not suitable for doing a survey!

After the installation is complete, it is useful to determine level of coverage on a campus. This is important if the school has contracted for 100% 11Mb coverage.

I have told everyone else in my division about it and we all use it.

[ Reply to This | # ]
It's a tool
Authored by: mumkin on Jul 02, '02 02:34:11PM
I'm glad you overcame your reservations and posted this. MacStumbler is a very handy app for all sorts of legal uses. Unlike some other stumbling apps, it does not include tools for wep-cracking or sniffing, and is purely a network discovery tool.

Its chief feature - ie, discovering and displaying the wireless networks you can receive - is simply an improvement over the airport menu, where access points appear and disappear unheralded. Conveniently, MacStumbler also tells you what channel the AP is broadcasting on, which helps you to avoid interference if you're setting up another AP nearby. Signal strength and interference values allow you to test the effective boundaries of coverage, so that it becomes apparent whether the apartment building across the street might unintentionally have access to your network.

And it lets you know if WEP is enabled or not. Sure, the fact that an AP isn't running WEP can't be construed as an open invitation, but you can certainly interpret WEP as a big Do Not Disturb sign. Anyway, how else is one supposed to easily spot public nodes which invite free connections and broadcast an SSID to that effect?

[ Reply to This | # ]

closed network on LinkSys?
Authored by: mclbruce on Jul 02, '02 03:24:28PM

Getting a little off topic here, but does anybody know how to tell a Linksys 4-port Internet Router/WAP to make a closed network? I looked through the settings on the web based setup a while back, but I couldn't figure it out.

[ Reply to This | # ]
closed network on LinkSys?
Authored by: chris234 on Jul 02, '02 04:42:00PM

It's quite possible the LinkSys doesn't allow the creation of a "closed" network. It's not part of the 802.11 spec, seems to be more of a Lucent-ism. For what it's worth, if you want to detect a closed network, use a packet sniffer like AeroPeek and look for Probe Response packets, which will contain the SSID in the clear. Not really a security feature at all.

[ Reply to This | # ]
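The point made in korben's and chris234's comments above (a closed network's name still travels in the clear in association requests and probe responses) can be checked against your own network's frames. This is an added example, not code from any poster or from the tools named in the thread; the frames, MAC addresses, the name "office-net" and the helper names are all constructed for illustration.

```python
# Constructed sample data throughout; no live capture is involved.
FIXED_LEN = {0: 4, 2: 10, 5: 12, 8: 12}   # fixed-field bytes per mgmt subtype
KIND = {0: "assoc-req", 2: "reassoc-req", 5: "probe-resp", 8: "beacon"}

def parse_mgmt(frame):
    """Return (kind, bssid, ssid) for a management frame; ssid is None when hidden."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:
        return None                      # too short, or not a management frame
    subtype = (frame[0] >> 4) & 0xF
    if subtype not in FIXED_LEN:
        return None                      # subtype carries no usable SSID/BSSID pair
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # address 3
    pos = 24 + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):         # walk the tagged elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            return None                  # truncated element
        if tag == 0:                     # SSID element
            hidden = length == 0 or not any(value)   # empty or all-NUL name
            return KIND[subtype], bssid, None if hidden else value.decode("utf-8", "replace")
        pos += 2 + length
    return KIND[subtype], bssid, None

def resolve_ssids(frames):
    """Map each BSSID to (ssid, frame kind that revealed it), or None if never named."""
    names = {}
    for kind, bssid, ssid in filter(None, map(parse_mgmt, frames)):
        if names.get(bssid) is None:
            names[bssid] = (ssid, kind) if ssid is not None else None
    return names

def build(subtype, a1, a2, a3, ssid):
    """Build a constructed management frame carrying only an SSID element."""
    header = bytes([subtype << 4, 0, 0, 0]) + a1 + a2 + a3 + b"\x00\x00"
    return header + bytes(FIXED_LEN[subtype]) + bytes([0, len(ssid)]) + ssid

AP, AP2 = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
STA, BCAST = bytes.fromhex("0200000000aa"), b"\xff" * 6
SAMPLE = [
    build(8, BCAST, AP, AP, b""),              # closed network: beacon, empty SSID
    build(8, BCAST, AP2, AP2, b"\x00" * 5),    # closed network: beacon, NUL-padded SSID
    build(0, AP, STA, AP, b"office-net"),      # a client joining AP names the network
    build(5, STA, AP, AP, b"office-net"),      # the AP's probe response repeats it
]

if __name__ == "__main__":
    print(resolve_ssids(SAMPLE))
```

The first access point's name is recovered as soon as one legitimate client associates, while the second stays unnamed only because no client traffic for it is in the sample.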
closed network on LinkSys?
Authored by: yack0 on Jul 09, '02 12:46:49PM

Upgrade your firmware and use the new 'hide SSID' which may or may not work depending on the stumbling tool being used.

That's what Linksys has to offer that's similar to this.

[ Reply to This | # ]
Of closed APs and ethics
Authored by: Anonymous on Jul 02, '02 04:08:32PM
Closed networks won't do you much against other tools. I've run some tests on our corporate network with BSD-Airtools and it found our closed network immediately, and had the correct name for it within about 30 seconds. If you're really worried about wireless security then you'll want to implement some sort of VPN on top of it. However, while WEP is insecure, it does require a certain number of packets to be captured before the key can be broken. In the case of my home network, which gets fairly heavy usage, it took about 2 weeks before I had enough packets to crunch on. The problem here of course is that the sniffing of packets is completely passive, so somebody across the street or whatever can do it without your ever knowing about it.

On ethics... A wep cracking application is a very legitimate tool. As a sysadmin responsible for security, knowing of a theoretical attack is one thing; being able to quantify the level of risk is another thing entirely, and considerably more useful. Knowing roughly how hard it will be for an attacker to gain entry to my systems is absolutely necessary to put the proper amount of defensive measures in place. Good security is risk management, nothing more. The only truly secure machine is one with no network, no power cable, turned off, locked in a bank vault style room. Making the machine usable requires some risk. My current setup will keep out the script kiddies and the medium level blackhats, but the real experts and the NSA can most likely get in. It's all about balance. For our company, the cost effectiveness of NSA resistant measures is prohibitive and our staff has determined that not taking such measures is a reasonable risk given the likelihood (or lack thereof) of our being subject to such an attack. But this analysis relies entirely on the existence of tools like BSD-Airtools. A hammer can be used for constructing a frame house or for murder; it is the responsibility of the individual to use it properly. Denying the carpenter use of the hammer because somebody *might* use it for murder is a dangerous precedent-the logical conclusion of such activity is to put everybody in a 3x3 padded cell for their own protection.

[ Reply to This | # ]
BSD-Airtools on OS X?
Authored by: hayne on Jul 03, '02 04:17:03PM

> I've run some tests on our corporate network with BSD-Airtools and it found our closed network immediately

Do you mean that you have BSD-Airtools running on OS X (with an Airport card?) or were you running on an x86 BSD system?

[ Reply to This | # ]
BSD-Airtools on OS X?
Authored by: Anonymous on Jul 03, '02 08:32:08PM

They're working on an OS X port but as of yet it's still alpha level kernel panic stuff and only the developers are using it. I've got it running on a Dell laptop with OpenBSD 3.0, which I use for auditing the corporate space for unauthorized APs and such...

[ Reply to This | # ]
Joining Wireless Networks Illegal?
Authored by: wayneyoung on Jul 02, '02 10:36:18PM

Is it really illegal to connect to a wireless network you find floating (flying) through the air? My opinion is it is just another signal going through the air, if one can intercept that signal and do something with it, well that's too bad for the originator if he did not intend that to happen. Obviously there ARE illegal things you can do once connected, but if you get free internet access or free storage, that's great. Of course, our government made it illegal to use a radio scanner to intercept cell phone calls when people found out how insecure their calls really are. So, whose responsibility is it to secure the airwaves -- the government, or the owner of the signal? For what it is worth, I say the owner of the signal is responsible for security, just as software vendors are for the security of their software (listening MS?).

[ Reply to This | # ]
Another tool exists...
Authored by: thrash on Jul 03, '02 03:10:48AM

AP Scanner v1.3 (author Brett Gross, 2001) which runs under OS9, and according to the author, "uses the scan AppleScript included in the AirPort 1.3 distribution"..."draws a pretty little graph that shows possible interference between access points"..."whether or not the AP has encryption".

I've used it to the same effect as MacStumbler to identify networks, but it's nice to have an OSX app now.


[ Reply to This | # ]
Another tool exists...
Authored by: thrash on Jul 03, '02 03:13:02AM

oops, AP Scanner v1.0 was what I meant to type.


[ Reply to This | # ]
Not an evil hacker tool
Authored by: redwoodtree on Jul 03, '02 11:01:30AM

I'm thankful you posted this. This tool can be put to a lot of good uses. For example, at my home office every day at approximately 3pm I lose my Airport network for about 30 minutes. It's absolutely uncanny and highly I can get some visibility into what the heck goes on every day at 3pm that causes me to lose my net!

[ Reply to This | # ]
Closed != Invisible
Authored by: magill on Jul 03, '02 03:54:39PM

You are in the RF world here -- closed does NOT mean invisible.

Any frequency scanner can find your 802.11 signal... send it to a protocol converter and tell you lots about it. [Guess what a Stumbler is -- and I have one for my iPaq, it's a very useful tool.]

All that CLOSED means is -- I have a list of MAC addresses, and if you are not on that list this base station won't talk back to you ...

Note however, that you can talk to the base station to your heart's content, in the RF world this is called JAMMING... or in Internet terms a DOS (Denial of Service) attack. Since the 802.11 world operates under Part 15 of the FCC Rules and Regs, you are SOL ... you MUST sit back and take it. 802.11 is unlicensed and a "restriction" of using "unlicensed" RF based services is that you must put up with whatever interference you get stuck with.

[ Reply to This | # ]
re: Closed != Invisible
Authored by: jasonxz on Jul 04, '02 01:47:26AM

A bit OT; Robert Cringely has an interesting article on bandwidth conflicts occurring in the 2.4GHz range at

[ Reply to This | # ]
Closed != Invisible
Authored by: klieb2002 on Jul 05, '02 01:40:11PM

The above author's point is still valid, but it should be noted that access control via MAC is different from the "closed network" option of Airport. The following is from the document "Designing Airport Networks."

"The closed network option provides additional security by hiding the name of the network created by the Airport Base station."

Access control, which involves specifying which MAC address may access the wire network, is a separate feature, and may be enabled or disabled without interacting with the closed network setting.

[ Reply to This | # ]
Frequent flier's dream
Authored by: Felix on Jul 04, '02 07:14:06AM

I've been using MacStumbler since it was first listed on VersionTracker. Handiest little program in the world if you are in and out of airports every week and need to find out if there's a wireless network within range of your AirPort-equipped laptop. I've used it to find unposted, open networks in frequent-flier lounges (which I've joined during layovers). And when I've found password-protected networks in such lounges, I'm usually successful in getting the lounge attendant to give me the password so I can join the network. Holding the airline's frequent-flier card generally helps. ;-)

[ Reply to This | # ]