Is there a program out in the great wide world that can detect when
people try to connect to my wireless network?
for example, if I had a neighbor (FOR EXAMPLE only) that was trying to
crack my WEP or just trying to simply connect to my wireless internet,
would a program be out there that would alert me?
thanks in advance, sorry if it is a dumb question...
jbraly@gmail.com wrote:
> Is there a program out in the great wide world that can detect when
> people try to connect to my wireless network?
>
> for example, if I had a neighbor (FOR EXAMPLE only) that was trying to
> crack my WEP or just trying to simply connect to my wireless internet,
> would a program be out there that would alert me?
>
> thanks in advance, sorry if it is a dumb question...
>
> Jazz Mann
>
Not too dumb. If they're just listening, you're totally out of luck. If
they try to connect, one possibility would be to regularly check the arp
tables on your LAN for any newcomers, although if they spoof existing
corresponding MAC and IP addresses, this would be missed.
Otherwise......??
--
Please use the corrected version of the address below for replies.
Replies to the header address will be junked, as will mail from
various domains listed at www.scottsonline.org.uk
Mike Scott Harlow Essex England.(unet -a-t- scottsonline.org.uk)
>Is there a program out in the great wide world that can detect when
>people try to connect to my wireless network?
Linux, Macintosh, Unix, or Windoze?
>for example, if I had a neighbor (FOR EXAMPLE only) that was trying to
>crack my WEP or just trying to simply connect to my wireless internet,
>would a program be out there that would alert me?
It won't detect a WEP cracker. That's done by sniffing your wireless
traffic and recovering the WEP key from the captured traffic. Since
that does NOT require a connection to your system, you can't detect
it. However, if they succeed in cracking your WEP key, and connect to
your system, any of the wireless intrusion detection systems should
work.
thanks for the replies guys...
Windows mostly...
not looking to catch smart guys... mostly dumb kids who will just try
to connect... is there a "for dummies" way to detect possible
connectors?
jazz mann
Jeff Liebermann wrote:
> On 3 Oct 2005 11:03:51 -0700, jbraly@gmail.com wrote:
>
> >Is there a program out in the great wide world that can detect when
> >people try to connect to my wireless network?
>
> Linux, Macintosh, Unix, or Windoze?
>
> >for example, if I had a neighbor (FOR EXAMPLE only) that was trying to
> >crack my WEP or just trying to simply connect to my wireless internet,
> >would a program be out there that would alert me?
>
> It won't detect a WEP cracker. That's done by sniffing your wireless
> traffic and recovering the WEP key from the captured traffic. Since
> that does NOT require a connection to your system, you can't detect
> it. However, if they succeed in cracking your WEP key, and connect to
> your system, any of the wireless intrusion detection systems should
> work.
>
> If Windoze see:
> http://home.comcast.net/~jay.deboer/airsnare/
>
> >thanks in advance, sorry if it is a dumb question...
>
> There are no dumb questions. However, it would be nice to know what
> hardware and software you have available to do this.
>
> --
> Jeff Liebermann jeffl@comix.santa-cruz.ca.us
> 150 Felker St #D http://www.LearnByDestroying.com
> Santa Cruz CA 95060 http://802.11junk.com
> Skype: JeffLiebermann AE6KS 831-336-2558
>Is there a program out in the great wide world that can detect when
>people try to connect to my wireless network?
>
>for example, if I had a neighbor (FOR EXAMPLE only) that was trying to
>crack my WEP or just trying to simply connect to my wireless internet,
>would a program be out there that would alert me?
>
>thanks in advance, sorry if it is a dumb question...
>
>Jazz Mann
Jeff Liebermann wrote:
....
> it. However, if they succeed in cracking your WEP key, and connect to
> your system, any of the wireless intrusion detection systems should
> work.
If they spoof both a MAC and corresponding IP address while the "real
owner" is disconnected, it'll be hard to detect an intrusion. Do you
know anything that will detect this particular situation?
--
Mike Scott Harlow Essex England.(unet -a-t- scottsonline.org.uk)
jbraly@gmail.com wrote:
> thanks for the replies guys...
> Windows mostly...
> not looking to catch smart guys... mostly dumb kids who will just try
> to connect... is there a "for dummies" way to detect possible
> connectors?
Check the arp tables every minute or two. Easy on u*x, but probably
possible on w*ws too. I have a job, running about every minute, that
pings all legitimate hosts on my small home LAN, and reads the arp table
to check whether any changes have been made. Not entirely bomb-proof,
but any casual spoofing of existing IPs will be found, and anyone
snooping on the monitoring machine will leave arp traces.
--
Mike Scott Harlow Essex England.(unet -a-t- scottsonline.org.uk)
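The ARP-table check described above, written out as an added example (not Mike Scott's own job): it pings each legitimate host so its entry is refreshed, parses `arp -a` (Windows or Linux/BSD layout), and diffs the result against a baseline of known IP/MAC pairs. The baseline addresses are constructed; as Mike notes, a rogue that clones both the MAC and IP of an absent host will not show up here.

```python
import platform
import re
import subprocess

# Baseline of legitimate hosts, IP -> MAC (constructed sample values).
BASELINE = {
    "192.168.1.1": "00-11-22-33-44-55",
    "192.168.1.20": "00-11-22-33-44-66",
}
# Matches "192.168.1.1   00-11-22-33-44-55" (Windows) and
# "? (10.0.0.5) at aa:bb:cc:00:11:22" (Linux/BSD arp -a).
ARP_LINE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"((?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})", re.I)

def norm(mac):
    """Lower-case dashed form so Windows and Unix MAC spellings compare equal."""
    return mac.lower().replace(":", "-")

def parse_arp(text):
    """Return {ip: mac} from `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group(1)] = norm(m.group(2))
    return table

def diff_arp(baseline, current):
    """Split the live table into newcomers (IP not in baseline) and changed
    pairs (known IP answering from another MAC); broadcast/multicast skipped."""
    newcomers, changed = [], []
    for ip, mac in current.items():
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue
        if ip not in baseline:
            newcomers.append((ip, mac))
        elif norm(baseline[ip]) != mac:
            changed.append((ip, norm(baseline[ip]), mac))
    return newcomers, changed

def poll_once(baseline=BASELINE):
    """Ping every known host so its ARP entry is refreshed, then diff the table."""
    flag = "-n" if platform.system() == "Windows" else "-c"
    for ip in baseline:
        subprocess.run(["ping", flag, "1", ip],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    return diff_arp(baseline, parse_arp(out))
```

Run `poll_once()` from a scheduled task every minute or two and alert on a non-empty result.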
> to check whether any changes have been made. Not entirely bomb-proof,
> but any casual spoofing of existing IPs will be found, and anyone
> snooping on the monitoring machine will leave arp traces.
Just out of curiosity, if there was something, what would you do next?
David Taylor wrote:
>>to check whether any changes have been made. Not entirely bomb-proof,
>>but any casual spoofing of existing IPs will be found, and anyone
>>snooping on the monitoring machine will leave arp traces.
>
>
> Just out of curiosity, if there was something, what would you do next?
1. Panic.
2. Panic.
3. Pull the wireless plug, turn off all potentially significantly
insecure (ie w*ws) machines, turn on a network monitor on my freebsd
gateway, and reenable the wireless; sit back and watch.
4. Change ssid and passphrase; try to move from wep to wpa (which, since
belkin don't seem to support it, might be problematic)
--
Mike Scott Harlow Essex England.(unet -a-t- scottsonline.org.uk)
>David Taylor wrote:
>>>to check whether any changes have been made. Not entirely bomb-proof,
>>>but any casual spoofing of existing IPs will be found, and anyone
>>>snooping on the monitoring machine will leave arp traces.
>>
>>
>> Just out of curiosity, if there was something, what would you do next?
>
>1. Panic.
If I'm reading the docs on that AirSnare program correctly, you can
send a message to the intruder. You might get creative with the
message and point out dire consequences of continued break-ins. Of
course, if everyone does this, the bluff is called.
>David Taylor wrote:
>>>to check whether any changes have been made. Not entirely bomb-proof,
>>>but any casual spoofing of existing IPs will be found, and anyone
>>>snooping on the monitoring machine will leave arp traces.
>>
>>
>> Just out of curiosity, if there was something, what would you do next?
>
>1. Panic.
Reading more, it looks like AirSnare just uses windows messenger
service to alert the intruder. Don't most people turn that off now due
to spyware? Perhaps there's a more nefarious way to send a message.
bjs555 wrote:
>> David Taylor wrote:
>>>> to check whether any changes have been made. Not entirely bomb-proof,
>>>> but any casual spoofing of existing IPs will be found, and anyone
>>>> snooping on the monitoring machine will leave arp traces.
>>>
>>>
>>> Just out of curiosity, if there was something, what would you do next?
>>
>> 1. Panic.
>
> If I'm reading the docs on that AirSnare program correctly, you can
> send a message to the intruder. You might get creative with the
> message and point out dire consequences of continued break-ins. Of
> course, if everyone does this, the bluff is called.
Pretty sure that "windows messenger service" has to be enabled on the intruders
machine in order for AirSnare to send nasty message. Wise people disable
"windows messenger service", including bad guys. http://www.grc.com/stm/shootthemessenger.htm
bjs555 wrote:
>>David Taylor wrote:
>>
>>>>to check whether any changes have been made. Not entirely bomb-proof,
>>>>but any casual spoofing of existing IPs will be found, and anyone
>>>>snooping on the monitoring machine will leave arp traces.
>>>
>>>
>>>Just out of curiosity, if there was something, what would you do next?
>>
>>1. Panic.
>
>
> If I'm reading the docs on that AirSnare program correctly, you can
> send a message to the intruder. You might get creative with the
> message and point out dire consequences of continued break-ins. Of
> course, if everyone does this, the bluff is called.
Could well be. Things might change, but at present, I don't have a
suitable card for airsnare-like programs, hence the somewhat passive
approach. I have wondered what the current state of ping-of-death
packets is -- maybe something like this could be sent to an intruder
("abandon hope all ye who enter this network" perhaps?) or maybe ip
stacks are getting too robust???
I'm presently eyeing up ebay for a cheap suitable card. Anyone know what
chipset tp-link use?
--
Mike Scott Harlow Essex England.(unet -a-t- scottsonline.org.uk)
On Tue, 04 Oct 2005 09:40:20 -0400, bjs555 <aaa@bbb.com> wrote:
>Reading more, it looks like AirSnare just uses windows messenger
>service to alert the intruder. Don't most people turn that off now due
>to spyware? Perhaps there's a more nefarious way to send a message.
Because it's fun to send everyone in your workgroup or domain a
message. Try it:
Start -> Run -> cmd <enter>
net send * "This is a test."
On Tue, 04 Oct 2005 10:09:13 GMT, Mike Scott
<usenet.9@spam.stopper.scottsonline.org.uk> wrote:
>Jeff Liebermann wrote:
>...
>> it. However, if they succeed in cracking your WEP key, and connect to
>> your system, any of the wireless intrusion detection systems should
>> work.
>If they spoof both a MAC and corresponding IP address while the "real
>owner" is disconnected, it'll be hard to detect an intrusion. Do you
>know anything that will detect this particular situation?
Well, think about that one for a second. If you have duplicated both
the MAC and IP address on two machines, the wireless bridge or
ethernet switch in between will be totally confused. My guess is
traffic to the two stations will come to a grinding halt or at least
become very erratic. I've seen the results of duplicated IP addresses
and basically, things don't work. In order for an attacker to take
advantage of both a borrowed IP and MAC address, they would need to
somehow remove the original owner of the MAC and IP address from the
system. That can be done by simply waiting until they turn off their
machine. Or there are active ways that might work. However, as long
as there are two identical computers on the system, they simply won't
work well. Why bother?
Such spoofing is a real danger in securing a wireless network. That's
why 802.1x authentication was implemented. With authentication, it's
insufficient to simply own the MAC addresses. One needs to also have
anything from a RADIUS login/password to an X.509 certificate to use
the system.
I do have an idea of how to detect a duplicate MAC and IP situation.
The valid wireless client probably uses DHCP to obtain their IP
address. The fake client probably uses a static IP address to assign
the same IP address. If the DHCP lease time is sufficiently short,
the lack of a DHCP lease renewal request will indicate that the fake
client is using a static IP address and is probably a hacker. This
may take a while to detect, but be sufficient to set off a warning.
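Jeff's lease-renewal idea as an added example (not code from the thread or from any product): a genuine DHCP client renews at about half its lease, so an IP that stays active past its last lease expiry, or that never held a lease, points at a statically configured clone. The lease records and sightings below are constructed; a real deployment would feed them from the DHCP server log and a periodic ARP read (assumption).

```python
from dataclasses import dataclass

@dataclass
class Lease:                 # one DHCPACK as the server logs it
    ip: str
    mac: str
    acked_at: int            # epoch seconds when the ACK was sent
    lease_secs: int          # lease length granted

@dataclass
class Sighting:              # an IP/MAC pair observed on the LAN
    ip: str
    mac: str
    seen_at: int

def latest_leases(leases):
    """Map each IP to (expiry, mac) of the lease covering it longest; a
    renewing client keeps pushing this forward, a static clone never does."""
    latest = {}
    for l in leases:
        end = l.acked_at + l.lease_secs
        if l.ip not in latest or end > latest[l.ip][0]:
            latest[l.ip] = (end, l.mac)
    return latest

def find_stale_clients(leases, sightings, grace=60):
    """(sighting, reason) for hosts active without a matching lease."""
    latest = latest_leases(leases)
    suspects = []
    for s in sightings:
        if s.ip not in latest:
            suspects.append((s, "no DHCP lease on record"))
        elif s.seen_at > latest[s.ip][0] + grace:
            suspects.append((s, f"active {s.seen_at - latest[s.ip][0]}s past expiry"))
        elif latest[s.ip][1] != s.mac:
            suspects.append((s, f"lease held by {latest[s.ip][1]}"))
    return suspects

# Constructed sample: .20 renews once (~50% of a 600 s lease) then goes quiet;
# .77 never asked the server at all.
LEASES = [
    Lease("192.168.1.20", "00-11-22-33-44-66", 1000, 600),
    Lease("192.168.1.20", "00-11-22-33-44-66", 1300, 600),
]
SIGHTINGS = [
    Sighting("192.168.1.20", "00-11-22-33-44-66", 1800),   # within lease
    Sighting("192.168.1.20", "00-11-22-33-44-66", 2500),   # no renewal, still up
    Sighting("192.168.1.77", "aa-bb-cc-dd-ee-ff", 1500),   # never leased
]
```

The shorter the lease, the sooner a non-renewing clone stands out, which is the trade-off Jeff points to.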
Jeff Liebermann wrote:
....
>>If they spoof both a MAC and corresponding IP address while the "real
>>owner" is disconnected, it'll be hard to detect an intrusion. Do you
>>know anything that will detect this particular situation?
>
>
> Well, think about that one for a second. If you have duplicated both
> the MAC and IP address on two machines, the wireless bridge or
....
> system. That can be done by simply waiting until they turn off their
> machine. Or there are active ways that might work. However, as long
> as there are two identical computers on the system, they simply won't
> work well. Why bother?
Which is why I said <<while the "real" owner is disconnected>>. The
"bother" may simply be a possible DOS attack. IP doesn't exactly work
terribly well with duplicated IP addresses, and the symptoms can be, to
say the least, confusing. I spent a happy day or so a few years back
tracking a rogue machine down on a complex network of around 500
machines. That was *after* we twigged what had happened. Non-trivial.
> I do have an idea of how to detect a duplicate MAC and IP situation.
> The valid wireless client probably uses DHCP to obtain their IP
> address. The fake client probably uses a static IP address to assign
> the same IP address. If the DHCP lease time is sufficiently short,
> the lack of a DHCP lease renewal request will indicate that the fake
> client is using a static IP address and is probably a hacker. This
> may take a while to detect, but be sufficient to set off a warning.
With my own small network in mind, I use static assignment, so that
won't work. I'd guess the substitution of such a rogue machine is of
itself undetectable on the wire; have to wait for secondary effects
(login fails or whatever) to take place.
--
Mike Scott Harlow Essex England.(unet -a-t- scottsonline.org.uk)
On Tue, 04 Oct 2005 17:44:00 GMT, Mike Scott
<usenet.9@spam.stopper.scottsonline.org.uk> wrote:
>Which is why I said <<while the "real" owner is disconnected>>.
Sorry. I didn't catch that. (The price of yacking on the phone while
typing replies).
>say the least, confusing. I spent a happy day or so a few years back
>tracking a rogue machine down on a complex network of around 500
>machines. That was *after* we twigged what had happened. Non-trivial.
I run into that every few months. Usually on system with lots of
static IP's or after a router shuffle. The last one was two routers
on a 5 static IP DSL line with duplicated IP's. No way to use
arpwatch or other tools to discover the duplication. Took me 3 hours
to find and isolate the culprit.
>With my own small network in mind, I use static assignment, so that
>won't work. I'd guess the substitution of such a rogue machine is of
>itself undetectable on the wire; have to wait for secondary effects
>(login fails or whatever) to take place.
Well, I've been assuming that you want a passive detection system. If
you went active and probed each machine for a "security signature"
with NMAP or something similar, you could differentiate your valid
machines from a fake. Just leave a few random IP ports open that lead
nowhere on your firewall. Maybe install some kind of auth responder
service. If a port scan of those IP's shows open ports or activity,
it's a real user. If not, it's fake. Not exactly the most
sophisticated authentication scheme, but certainly workable.
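The "security signature" probe Jeff describes, as an added example (not from the thread, and using a plain TCP connect rather than NMAP): each legitimate host has a recorded pattern of which ports it accepts or refuses, and a host whose answers no longer match that pattern is flagged. Hosts, ports and signatures are constructed; the prober is injectable so the comparison logic can be exercised without a network.

```python
import socket

# Recorded "signature" of each legitimate host: how it answers a few TCP
# ports. Constructed values; record your own before relying on them.
SIGNATURES = {
    "192.168.1.1": {22: "open", 80: "open", 445: "refused"},
    "192.168.1.20": {445: "refused", 15150: "open"},
}

def probe(ip, port, timeout=1.0):
    """One TCP connect; classify as open, refused, or filtered (no answer)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:           # timeout, host unreachable, etc.
        return "filtered"

def compare(expected, observed):
    """Ports whose observed state differs from the recorded one."""
    return [(p, e, observed.get(p, "filtered"))
            for p, e in expected.items() if observed.get(p, "filtered") != e]

def check_host(ip, signature, prober=probe):
    """Probe every port in the signature; an empty result means the host
    still answers like the recorded machine."""
    observed = {port: prober(ip, port) for port in signature}
    return compare(signature, observed)

def audit(signatures=SIGNATURES, prober=probe):
    """Return {ip: mismatches} for every host that no longer matches."""
    report = {}
    for ip, sig in signatures.items():
        diff = check_host(ip, sig, prober)
        if diff:
            report[ip] = diff
    return report
```

A host that is simply switched off shows every port as filtered, so treat a full mismatch as "absent" and a partial one as the interesting case.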
If I attempt to connect to port 137-9, or 445 on my systems, the connection
is refused (maybe you can guess why). Should a connection be accepted, I
know there is a problem. Perhaps, I also have something listening on port
15150 (or anything else) that replies to any connection attempt with an
ICMP Type 12 Code 1 and closes the connection. Further, I could have it
such that the port is changed for every attempt, and is never used again
in a predictable sequence today (or tomorrow, or next week). Or, if you
really want to be different - stroke the port using any of the OTHER 137
protocols _besides_ TCP or UDP that are acceptable in an IP packet.
In the Usenet newsgroup alt.internet.wireless, in article
<6c15k1t26l0srokakr724b5n6jo86q6c54@4ax.com>, bjs555 wrote:
>>> Just out of curiosity, if there was something, what would you do next?
>>
>> 1. Panic.
BEEEEEEEEPPPPP BEEEEEEEEPPPPP BEEEEEEEEPPPPP "Missile launch in 30 seconds"
>Reading more, it looks like AirSnare just uses windows messenger
>service to alert the intruder. Don't most people turn that off now due
>to spyware?
Less spyware than Internet spam - At work, we port shift outgoing DNS
queries (about the only UDP allowed through the firewall now) so that
there is nothing going out using ports 1025 to (say) 1075. Our upstream
can therefore just drop all inbound UDP in those ranges, so that even
if we _had_ any windoze boxes, they wouldn't see that crap. As messenger
is not an Internet standard, our non-windoze boxes ignore it anyway.
>Perhaps there's a more nefarious way to send a message.