Go Back   Wireless and Wifi Forums > News > Newsgroups > alt.internet.wireless
Register FAQ Forum Rules Members List Calendar Search Today's Posts Advertise Mark Forums Read

 
Reply
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 11-05-2006, 04:05 PM
ChrisPC
Guest
 
Posts: n/a
Default Can our wifi network be knocked out or blocked from outside?

Hello,

I have been volunteering time as the "computer/network guy" at a local
political campaign office, in an area know for bare-fisted,
dirty-tricks politics. About 2/3's of their computers use wifi to
connect to their network, and I set them up with WPA-PSK because the
had two Win2k systems. I changed the SSID from the default, but kept
broadcasting the SSID because I had trouble with some systems not being
able to connect, even after doing a manual configuration and typing in
the correct SSID.

The network worked well for a couple months. Then suddenly, just
yesterday, all wifi users reported that they could connect for a couple
seconds, but then they'd loose their wifi connection and IP address.
Their network connection might come up after a minute or two, but then
it would go down again as soon they tried to use it (to connect to an
important web portal they were using). The LAN-wired users had no
problems at all. I troubleshooted the router (the Linksys WRT54G,
forget the version number, but it is a newer one with the Cisco logo),
including resetting it and recreating all of the settings, but we had
the same problem. I ran to a store and bought a new Netgear router (I
forget the model number), set it up the same way (same SSID and WPA-PSK
key), and had the same exact problem. I changed the SSID and things
worked OK for about about 20 minutes, and then the problems returned.
After spending a couple hours on the problem, I finally got things to
work again using 128-bit WEP and another SSID, which I made sure was
never broadcast, even temporarily.

So, is it possible the someone is intentionally broadcasting a wifi
signal that disrupts our network? Is there any way that I can prove
that this is happening? Does this exploit somehow work on WPA-PSK and
not WEP (or did the perp go home for the night about the time I made
that change)? Thanks for any and all advice!

Christopher Chalfant
MCSE: Security, MCDBA


Reply With Quote
  #2 (permalink)  
Old 11-05-2006, 05:13 PM
Jeff Liebermann
Guest
 
Posts: n/a
Default Re: Can our wifi network be knocked out or blocked from outside?

"ChrisPC" <cpc@chrispc.com> hath wroth:

>I have been volunteering time as the "computer/network guy" at a local
>political campaign office, in an area know for bare-fisted,
>dirty-tricks politics. About 2/3's of their computers use wifi to
>connect to their network, and I set them up with WPA-PSK because the
>had two Win2k systems. I changed the SSID from the default, but kept
>broadcasting the SSID because I had trouble with some systems not being
>able to connect, even after doing a manual configuration and typing in
>the correct SSID.


So far, you've done everything correctly.

>The network worked well for a couple months. Then suddenly, just
>yesterday, all wifi users reported that they could connect for a couple
>seconds, but then they'd loose their wifi connection and IP address.
>Their network connection might come up after a minute or two, but then
>it would go down again as soon they tried to use it (to connect to an
>important web portal they were using). The LAN-wired users had no
>problems at all. I troubleshooted the router (the Linksys WRT54G,
>forget the version number, but it is a newer one with the Cisco logo),


Probably V5 or V6. These are marginal dogs even with the latest
firmware. However, the usual symptoms (hangs and disconnects) do not
match your description.

>including resetting it and recreating all of the settings, but we had
>the same problem.


That would have been my first suggestion.
Did you try moving the router to a different RF channel? Channel 1,
6, and 11.

>I ran to a store and bought a new Netgear router (I
>forget the model number),


Probably WG614 or WGR614.

>set it up the same way (same SSID and WPA-PSK
>key), and had the same exact problem. I changed the SSID and things
>worked OK for about about 20 minutes, and then the problems returned.
>After spending a couple hours on the problem, I finally got things to
>work again using 128-bit WEP and another SSID, which I made sure was
>never broadcast, even temporarily.


Hmmmm... I smell some hacking.

>So, is it possible the someone is intentionally broadcasting a wifi
>signal that disrupts our network?


Oh yes. It's very easy. My guess is that you have a fake AP problem.
Someone has setup a router with the same SSID as what you're using.
The problem is that they do not need to know your WPA key in order to
disrupt the system. The clients will connect (err... associate) with
either access point, and attempt to negotiate the shared WPA key. Some
will work, some will fail depending on which AP they connect.

The problem then moves to the client end, where the client software is
suppose to be smart about finding the "correct" access point. They're
not. They stay with whichever MAC address they find first. Most
client software does NOT allow selection of access point by MAC
address, only by SSID. So, the "view available networks" and such
only show the SSID and not the MAC address. I suggest you try an
active sniffer such as Netstumbler, Wi-Fi Hopper, or Kismet, which
will show MAC addresses with identical SSID's.

Don't assume that the evil competition is doing this to you. There is
also software that simulates an access point on a client computer.
Also, look around at the local laptops for "hostAP" and possibly
Microsoft's "Virtual WiFI" and such.

There are other ways of disrupting a network, but I don't want to
unload my laundry list of dirty tricks.

>Is there any way that I can prove
>that this is happening?


Yes. Your best bet is to use Kismet under Linux for passive sniffing.
Use a LiveCD such as:
| http://www.remote-exploit.org/index.php/BackTrack
| http://www.remote-exploit.org/index.php/Auditor
Make sure you have supported hardware:
| http://www.remote-exploit.org/index....itor_dev_list1
Run Kismet from the CD and see what's happening. If you find multiple
access points with your SSID, there's the probable culprit.

Another way it to enable debug trace and logging in Windoze WZC.
| http://www.microsoft.com/technet/pro.../wlansupp.mspx
| http://www.microsoft.com/technet/pro.../wifitrbl.mspx
| http://support.microsoft.com/kb/328601 (maybe)
There's a page (on MSDN??) with the interpretations of the various
error codes and gibberish generated, but I couldn't find it. The log
file will show the reason for the disconnects, reconnect attempts, and
probably offer some clues.

>Does this exploit somehow work on WPA-PSK and
>not WEP (or did the perp go home for the night about the time I made
>that change)? Thanks for any and all advice!


I'm not sure of the exact mechanism. It's really a client issue. For
example, Windoze WZC acts quite differently than Intel Proset and the
various wireless managers supplied by IBM, Toshiba, Dlink and Linksys.
Proset is amazingly smart about find the "right" access point. WZC is
amazingly stupid.

>Christopher Chalfant
>MCSE: Security, MCDBA


I probably should have asked which party you were supporting.

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Reply With Quote
  #3 (permalink)  
Old 11-06-2006, 09:13 PM
Bill Kearney
Guest
 
Posts: n/a
Default Re: Can our wifi network be knocked out or blocked from outside?

> So, is it possible the someone is intentionally broadcasting a wifi
> signal that disrupts our network?


Yes.

> Is there any way that I can prove that this is happening?


Not easily, but you could use Kismet (a linux program) to do some network
snooping. You could walk around with a laptop running kismet and try to
narrow down where the offending device is located.

Try using an SSID that's something other than the default or an obvious
name. As in, not the candidate's name. Pick something completely
unrelated. And try different channels. There may be some other 2.4ghz
devices (like cordless phones) that are causing interference. Not much you
can do about.

Technically you can cover the walls with an RF blocking paint. And window
tinting that does the same. But it's doubtful you'd get that done in time
(or within budget).


Reply With Quote
  #4 (permalink)  
Old 11-07-2006, 03:51 PM
ChrisPC
Guest
 
Posts: n/a
Default Re: Can our wifi network be knocked out or blocked from outside?

Bill and Jeff, thank you very much for your suggestions! I'll try
Kismet or Netstumbler next time I'm at the office. BTW, their office
was "skunked" last night (the night before the election). Somehow
somebody sprayed essence d'skunk inside their office--I'm guessing via
a crack under a door. The did the same to the car of a campaign worker.


> >including resetting it and recreating all of the settings, but we had
> >the same problem.

>
> That would have been my first suggestion.
> Did you try moving the router to a different RF channel? Channel 1,
> 6, and 11.


I tried changing the channel too (from 1 to 11, I think), but that
didn't fix the problem.

> >key), and had the same exact problem. I changed the SSID and things
> >worked OK for about about 20 minutes, and then the problems returned.
> >After spending a couple hours on the problem, I finally got things to
> >work again using 128-bit WEP and another SSID, which I made sure was
> >never broadcast, even temporarily.


To be more exact (if my memory is working), these are the things I
tried....

1. Changed the SSID to just a number, but let it broadcast for a while,
10 minutes at the most. I then disabled broadcasting of the SSID, and
everything worked great for about 20 minutes, when the original
problems returned. I was using the same exact WPA-PSK settings.

2. Because the problems were appearing regardless of which router I
used, I swapped the Netgear out and the Linksys back in, changed the
SSID again (never broadcast the signal), used the same WPA-PSK
settings, but still consistently had that problem.

3. I swapped the routers again (back to Netgear), but this time I
configured it with a new, numeric SSID and used 128-bit WEP encryption
instead of WPA-PSK, and that worked OK and is working still (despite
the skunk smell).

So, I now have two theories:

A. The method used to block our wifi required knowledge of either the
SSID or the access point's MAC address. Only in step #3 did I change
both.

B. The mechanism of this attack is related to WPA. Maybe it interferes
with the key-exchange process. The would explain why people were able
to connect for a while, then lost connectivity.

If I learn more I'll post it here. Thanks again!


Reply With Quote
  #5 (permalink)  
Old 11-12-2006, 04:20 AM
C Denver
Guest
 
Posts: n/a
Default Re: Can our wifi network be knocked out or blocked from outside?


"Bill Kearney" <wkearney99@hotmail.com> wrote in message
news:36udnetDh_ESLtLYnZ2dnUVZ_tydnZ2d@speakeasy.ne t...
>> So, is it possible the someone is intentionally broadcasting a wifi
>> signal that disrupts our network?

>
> Yes.
>
>> Is there any way that I can prove that this is happening?

>
> Not easily, but you could use Kismet (a linux program) to do some network
> snooping. You could walk around with a laptop running kismet and try to
> narrow down where the offending device is located.


Man, thats freaky...I was about to say the exact same thing after reading
all of the previous posts...damn, and I was looking forward to giving
advice.

Chris, follow this guys directions, you will seriously catch this hacker if
you do ti correctly. Its old fashoined but it will work, espically with the
wifi-meter on 'Net Stumbler'.




Reply With Quote
Reply


« Extension Cables? | Wardriving in UK? »
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are Off
[IMG] code is Off
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


Similar Threads
Thread Thread Starter Forum Replies Last Post
Don't fall victim to the 'Free Wi-Fi' scam Ablang alt.internet.wireless 6 05-19-2011 02:38 PM
2nd Router or access point for wifi extension connected by network cable? fortstvincent@free.fr alt.internet.wireless 2 03-30-2007 08:26 AM
new laptop on wifi network kills existing PC's connections newfuturevintage Wireless Networking Discussion 2 01-16-2007 07:05 PM
General Wifi network adminkaycee Members Lounge 2 12-29-2003 03:19 AM


All times are GMT. The time now is 02:57 AM.



Powered by vBulletin® Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.6.0 PL2

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45