Finding out who's trying to penetrate your network

Between the hours of 10am and 4.50pm everyday I seem to have somebody trying
to access my wireless network. It happens evey day, and my network log
shows the same MAC address constantly all thru' the day - every second. I
don't think they're accessing the network, because its secured(?) using
WPA-PSK (somebody now tell me using WPA-PSK for security is like trying to
hold water with a sieve), and I also have a MAC address filter which only
allows (in theory) the IP camera and the wireless laptop to connect.

Is there anyway I can ever find who this MAC address belongs to?

"Bohica" <bohica@hotmail.com> writes:

> Between the hours of 10am and 4.50pm everyday I seem to have somebody trying
> to access my wireless network. It happens evey day, and my network log
> shows the same MAC address constantly all thru' the day - every second. I
> don't think they're accessing the network, because its secured(?) using
> WPA-PSK (somebody now tell me using WPA-PSK for security is like trying to
> hold water with a sieve),

It is if your passphrase is short and easy, otherwise it's good.


> and I also have a MAC address filter which only allows (in theory)
> the IP camera and the wireless laptop to connect.
>
> Is there anyway I can ever find who this MAC address belongs to?

You'd need a wireless sniffer on a laptop or pda, a directional
antenna, and your walking shoes.

Or, set up a honeypot "evil twin" access point with the same SSID as
yours, leave it open to authentication then peek on the traffic going
through to see if you can figure out who it might be based on usage
patterns.

Best Regards,
--
Todd H.
http://www.toddh.net/

On Fri, 03 Nov 2006 17:57:10 GMT, "Bohica" <bohica@hotmail.com> wrote in
<WpL2h.637$yz3.294@newsfe4-gui.ntli.net>:

>Between the hours of 10am and 4.50pm everyday I seem to have somebody trying
>to access my wireless network. It happens evey day, and my network log
>shows the same MAC address constantly all thru' the day - every second. I
>don't think they're accessing the network, because its secured(?) using
>WPA-PSK (somebody now tell me using WPA-PSK for security is like trying to
>hold water with a sieve), and I also have a MAC address filter which only
>allows (in theory) the IP camera and the wireless laptop to connect.

WPA-PSK *with* a strong passphrase is very good. If you're concerned,
change the passphrase. I suggest "dicewords" as a good way to generate
strong passphrases that are still easy to use.

MAC address filtering is essentially pointless.

>Is there anyway I can ever find who this MAC address belongs to?

Probably not without skulking around. But I personally wouldn't worry.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

"Bohica" <bohica@hotmail.com> wrote in message
news:WpL2h.637$yz3.294@newsfe4-gui.ntli.net...
> Between the hours of 10am and 4.50pm everyday I seem to have somebody
> trying to access my wireless network. It happens evey day, and my network
> log shows the same MAC address constantly all thru' the day - every
> second. I don't think they're accessing the network, because its
> secured(?) using WPA-PSK (somebody now tell me using WPA-PSK for security
> is like trying to hold water with a sieve), and I also have a MAC address
> filter which only allows (in theory) the IP camera and the wireless laptop
> to connect.
>
> Is there anyway I can ever find who this MAC address belongs to?

They may not be trying to 'penetrate' your system at all
It could be a neighbor's wireless equipped computer simply looking for a
connection. With so many wireless capable computers and the increasing range
of the protocols, I would expect your router to be overwhelmed with
connection requests.
I use my wireless router as an access point behind a wired router, and I
leave the wireless powered down when I am not actually using the wireless
capability.

Stuart

On Fri, 03 Nov 2006 18:43:01 GMT, "Stuart Miller"
<stuart_miller@shaw.ca> wrote in <V4M2h.252224$R63.221784@pd7urf1no>:

>"Bohica" <bohica@hotmail.com> wrote in message
>news:WpL2h.637$yz3.294@newsfe4-gui.ntli.net...
>> Between the hours of 10am and 4.50pm everyday I seem to have somebody
>> trying to access my wireless network. It happens evey day, and my network
>> log shows the same MAC address constantly all thru' the day - every
>> second. I don't think they're accessing the network, because its
>> secured(?) using WPA-PSK (somebody now tell me using WPA-PSK for security
>> is like trying to hold water with a sieve), and I also have a MAC address
>> filter which only allows (in theory) the IP camera and the wireless laptop
>> to connect.
>>
>> Is there anyway I can ever find who this MAC address belongs to?
>
>They may not be trying to 'penetrate' your system at all
>It could be a neighbor's wireless equipped computer simply looking for a
>connection. With so many wireless capable computers and the increasing range
>of the protocols, I would expect your router to be overwhelmed with
>connection requests.

Good point. Some of that can be avoided by setting a unique SSID. All
too many people use the same default SSID, and once a computer has been
trained to connect to (say) "linksys", it will try to connect to any
"linksys" network it finds.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

"Bohica" <bohica@hotmail.com> hath wroth:

>Between the hours of 10am and 4.50pm everyday I seem to have somebody trying
>to access my wireless network. It happens evey day, and my network log
>shows the same MAC address constantly all thru' the day - every second. I
>don't think they're accessing the network, because its secured(?) using
>WPA-PSK (somebody now tell me using WPA-PSK for security is like trying to
>hold water with a sieve), and I also have a MAC address filter which only
>allows (in theory) the IP camera and the wireless laptop to connect.
>
>Is there anyway I can ever find who this MAC address belongs to?

Yes. A passive wireless sniffer such as Kismet will show clients. I
suggest a LiveCD such as:
http://www.remote-exploit.org/index.php/BackTrack
and a supported card on a laptop.

You can also identify the manufacturer of the device from the MAC
address.
http://standards.ieee.org/regauth/oui/index.shtml
http://standards.ieee.org/regauth/oui/oui.txt
You could also do some crude direction finding with your access point
using a reflector:
http://www.freeantennas.com

However, don't assume that it's someone trying to break in. What's
probably happening is that someone has a client radio (PDA or laptop)
that is turned on all the time. I do this when I want to run updates
in the middle of the night. If they turn off their own wireless
access point, leaving the client radio turned on, the client will go
searching for any available wireless access point. My PDA (xv6700)
does this. If it can't connect to my home access point, it will
continuously try to connect to everything else it can hear including
saved SSID's that are literally miles away. I can't disable this
"feature" in my PDA, but Windoze XP WZC has a checkbox for "connect to
any available network" (or something like that). If you find the
culprit, ask them to uncheck the box.

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

DNS Redirector (http://www.dnsredirector.com) software running on a
Windows machine can be configured to log the MAC, IP address, and what
websites the connected visitor is accessing.

Bohica wrote:
> Between the hours of 10am and 4.50pm everyday I seem to have somebody trying
> to access my wireless network. It happens evey day, and my network log
> shows the same MAC address constantly all thru' the day - every second. I
> don't think they're accessing the network, because its secured(?) using
> WPA-PSK (somebody now tell me using WPA-PSK for security is like trying to
> hold water with a sieve), and I also have a MAC address filter which only
> allows (in theory) the IP camera and the wireless laptop to connect.
>
> Is there anyway I can ever find who this MAC address belongs to?