"ChrisPC" <email@example.com> hath wroth:
>I have been volunteering time as the "computer/network guy" at a local
>political campaign office, in an area know for bare-fisted,
>dirty-tricks politics. About 2/3's of their computers use wifi to
>connect to their network, and I set them up with WPA-PSK because the
>had two Win2k systems. I changed the SSID from the default, but kept
>broadcasting the SSID because I had trouble with some systems not being
>able to connect, even after doing a manual configuration and typing in
>the correct SSID.
So far, you've done everything correctly.
>The network worked well for a couple months. Then suddenly, just
>yesterday, all wifi users reported that they could connect for a couple
>seconds, but then they'd loose their wifi connection and IP address.
>Their network connection might come up after a minute or two, but then
>it would go down again as soon they tried to use it (to connect to an
>important web portal they were using). The LAN-wired users had no
>problems at all. I troubleshooted the router (the Linksys WRT54G,
>forget the version number, but it is a newer one with the Cisco logo),
Probably V5 or V6. These are marginal dogs even with the latest
firmware. However, the usual symptoms (hangs and disconnects) do not
match your description.
>including resetting it and recreating all of the settings, but we had
>the same problem.
That would have been my first suggestion.
Did you try moving the router to a different RF channel? Channel 1,
6, and 11.
>I ran to a store and bought a new Netgear router (I
>forget the model number),
Probably WG614 or WGR614.
>set it up the same way (same SSID and WPA-PSK
>key), and had the same exact problem. I changed the SSID and things
>worked OK for about about 20 minutes, and then the problems returned.
>After spending a couple hours on the problem, I finally got things to
>work again using 128-bit WEP and another SSID, which I made sure was
>never broadcast, even temporarily.
Hmmmm... I smell some hacking.
>So, is it possible the someone is intentionally broadcasting a wifi
>signal that disrupts our network?
Oh yes. It's very easy. My guess is that you have a fake AP problem.
Someone has setup a router with the same SSID as what you're using.
The problem is that they do not need to know your WPA key in order to
disrupt the system. The clients will connect (err... associate) with
either access point, and attempt to negotiate the shared WPA key. Some
will work, some will fail depending on which AP they connect.
The problem then moves to the client end, where the client software is
suppose to be smart about finding the "correct" access point. They're
not. They stay with whichever MAC address they find first. Most
client software does NOT allow selection of access point by MAC
address, only by SSID. So, the "view available networks" and such
only show the SSID and not the MAC address. I suggest you try an
active sniffer such as Netstumbler, Wi-Fi Hopper, or Kismet, which
will show MAC addresses with identical SSID's.
Don't assume that the evil competition is doing this to you. There is
also software that simulates an access point on a client computer.
Also, look around at the local laptops for "hostAP" and possibly
Microsoft's "Virtual WiFI" and such.
There are other ways of disrupting a network, but I don't want to
unload my laundry list of dirty tricks.
>Is there any way that I can prove
>that this is happening?
Yes. Your best bet is to use Kismet under Linux for passive sniffing.
Use a LiveCD such as:
Make sure you have supported hardware:
Run Kismet from the CD and see what's happening. If you find multiple
access points with your SSID, there's the probable culprit.
Another way it to enable debug trace and logging in Windoze WZC.
There's a page (on MSDN??) with the interpretations of the various
error codes and gibberish generated, but I couldn't find it. The log
file will show the reason for the disconnects, reconnect attempts, and
probably offer some clues.
>Does this exploit somehow work on WPA-PSK and
>not WEP (or did the perp go home for the night about the time I made
>that change)? Thanks for any and all advice!
I'm not sure of the exact mechanism. It's really a client issue. For
example, Windoze WZC acts quite differently than Intel Proset and the
various wireless managers supplied by IBM, Toshiba, Dlink and Linksys.
Proset is amazingly smart about find the "right" access point. WZC is
>MCSE: Security, MCDBA
I probably should have asked which party you were supporting.
Jeff Liebermann firstname.lastname@example.org
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558