NetStumbler.org Forums

Old 05-23-2004   #1 (permalink)
mopsie
Registered Member
 
 
Join Date: May 2003
Location: UK
Posts: 91
Unauthorised AP Intrusion??

I've tried a search but couldn't find anything relating to my problem.

I have reason to believe that someone has hacked in to my AP although it's WEPd. I live in a residential area where I know there are 1 or 2 other wireless users and my AP is on the top floor with good coverage. Apart from, 1) reducing my area of coverage and 2) MAC addressing the AP, is there any hardware/software available that can scan/monitor if there are local 802.11b signals?

I'm using a Senao 2511 CD+ card with a T-DSL 130 AP.

Appreciate any help...
mopsie is offline   Reply With Quote
Old 05-23-2004   #2 (permalink)
wrzwaldo
I amuse you?
 
Join Date: Dec 2003
Posts: 9,141
Quote:
Originally Posted by mopsie
I've tried a search but couldn't find anything relating to my problem.

I have reason to believe that someone has hacked in to my AP although it's WEPd. I live in a residential area where I know there are 1 or 2 other wireless users and my AP is on the top floor with good coverage. Apart from, 1) reducing my area of coverage and 2) MAC addressing the AP, is there any hardware/software available that can scan/monitor if there are local 802.11b signals?

I'm using a Senao 2511 CD+ card with a T-DSL 130 AP.

Appreciate any help...
Yes, there is. When you say local 802.11b signals, what exactly are you looking for? If you want to watch for unauthorized access on your AP, try AirSnare (assuming you are using Windows). If someone is spoofing their MAC you will have to play with the authorized list accordingly. How often do you change your WEP (64 or 128)?

Last edited by wrzwaldo : 05-23-2004 at 12:44 PM.
wrzwaldo is offline   Reply With Quote
Old 05-23-2004   #3 (permalink)
mopsie
Registered Member
 
 
Join Date: May 2003
Location: UK
Posts: 91
Perfect!!

Absolutely perfect - many thanks. It works great and I have found an unfriendly MAC address, so I'll continue to monitor.

I change my WEP about once a month but I understand that you only need a few minutes to hack the key if you have the right software??

Appreciate your help....
mopsie is offline   Reply With Quote
Old 05-23-2004   #4 (permalink)
audit
Country Boy.
 
 
Join Date: Aug 2002
Location: Deep in the Woods.
Posts: 1,963
Quote:
Originally Posted by mopsie
I change my WEP about once a month but I understand that you only need a few minutes to hack the key if you have the right software??
Yeah, if you're transferring GBs of data constantly over your network, and/or you're using outdated stuff for your wireless that is transmitting weak keys.
__________________
audit

Blackberry Outage Mail List. Be the one of first people to know about RIM outages.
audit is offline   Reply With Quote
Old 05-23-2004   #5 (permalink)
Chris
Bad as Can
 
 
Join Date: Jul 2002
Posts: 1,141
Quote:
Originally Posted by audit
Yeah, if you're transferring GBs of data constantly over your network, and/or you're using outdated stuff for your wireless that is transmitting weak keys.

Or generating your key from a dictionary word.
__________________
perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
Chris is offline   Reply With Quote
Old 05-23-2004   #6 (permalink)
fordem
Tropical Stumbler
 
Join Date: Apr 2002
Posts: 575
My guess is that if you have someone with the know-how to crack WEP, MAC filtering is not going to keep him out for long.

You need to be aware that AirSnare will also detect wired MACs - in fact - I picked up a couple of unknown MAC addresses on my network using both a wireless sniffer AND AirSnare that had me convinced I had an intrusion problem. I eventually tracked them down to multicast packets coming in through the DSL - the local telco had some misconfigured equipment.

What led you to thinking that there was an intrusion?
fordem is offline   Reply With Quote
Old 05-24-2004   #7 (permalink)
The Others
PeaceDriver
 
 
Join Date: Apr 2002
Location: Dos Palabras, Mandoras
Posts: 2,920
Quote:
Originally Posted by fordem
You need to be aware that AirSnare will also detect wired MACs
When I first used it, I spent ages plugging all the wired MACs into the trusted list. Make sure you do that too.

I'd suggest using a sniffer to determine what's going on.

Are you worried someone is accessing your LAN or the internet?

-edit- where in the UK are you at?
__________________
all good ends all

The Others is offline   Reply With Quote
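
An added example (not part of any post above, and not AirSnare's own code): a sketch of the trusted-list check discussed in this thread, which sets aside broadcast and multicast addresses so they are not reported as intruders and records when each unknown address was first and last seen. The function names, the (timestamp, MAC) input format and every address in the sample are assumptions made for illustration.

```python
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

def normalize(mac):
    """Lower-case, colon-separated form, so 00-11-22... and 00:11:22... compare equal."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac

def classify(mac, trusted):
    """Label one address; `trusted` is a set of normalized MACs."""
    mac = normalize(mac)
    first_octet = int(mac[:2], 16)
    if mac == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if first_octet & 0x01:       # group bit: a multicast destination, not a station
        return "multicast"
    if mac in trusted:           # a match does not rule out a cloned (spoofed) MAC
        return "trusted"
    if first_octet & 0x02:       # locally administered: assigned in software
        return "unknown-local"
    return "unknown"

def triage(observations, trusted):
    """Return {mac: {kind, first, last, count}} for every unknown unicast address."""
    trusted = {normalize(m) for m in trusted}
    report = {}
    for seen_at, mac in observations:
        kind = classify(mac, trusted)
        if kind.startswith("unknown"):
            entry = report.setdefault(
                normalize(mac), {"kind": kind, "first": seen_at, "last": seen_at, "count": 0})
            entry["last"] = seen_at
            entry["count"] += 1
    return report

# Constructed sample data (not from the thread): wired and wireless hosts both listed.
TRUSTED = ["00:11:22:33:44:55", "00-11-22-33-44-66"]
SAMPLE = [
    ("2004-05-24 02:58", "00:11:22:33:44:55"),   # own laptop
    ("2004-05-24 03:00", "00:AA:BB:CC:DD:EE"),   # not on the list
    ("2004-05-24 03:01", "01:00:5E:00:00:01"),   # IPv4 multicast group address
    ("2004-05-24 03:02", "FF:FF:FF:FF:FF:FF"),   # broadcast
    ("2004-05-24 03:07", "00-aa-bb-cc-dd-ee"),   # same unknown host, other notation
    ("2004-05-24 03:09", "02:AA:BB:CC:DD:EE"),   # locally administered address
]

if __name__ == "__main__":
    for mac, info in triage(SAMPLE, TRUSTED).items():
        print(mac, info)
```
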
Old 05-24-2004   #8 (permalink)
mopsie
Registered Member
 
 
Join Date: May 2003
Location: UK
Posts: 91
Quote:
Originally Posted by fordem

What led you to thinking that there was an intrusion?
All the PCs on the network were shut down but my AP still showed DSL connection and activity.

Quote:
Originally Posted by The Others

-edit- where in the UK are you at?
Bournemouth

Last edited by mopsie : 05-24-2004 at 08:25 AM.
mopsie is offline   Reply With Quote
Old 05-24-2004   #9 (permalink)
Thorn
Did you do the math?
 
 
Join Date: Apr 2002
Location: Villa Straylight
Posts: 10,351
Quote:
Originally Posted by mopsie
All the PCs on the network were shut down but my AP still showed DSL connection and activity.
That may or may not be indicative of anything. The real proof would be some syslogs.
__________________
Thorn
"Read Atlas Shrugged. Compare it to today. Repeat as necessary"
Thorn is offline   Reply With Quote
Old 05-24-2004   #10 (permalink)
mopsie
Registered Member
 
 
Join Date: May 2003
Location: UK
Posts: 91

Quote:
Originally Posted by Thorn
That may or may not be indicative of anything. The real proof would be some syslogs.
That may or may not be true but with AirSnare indicating a strange MAC and WEB activity, I'm inclined to believe that there is an intruder. Not that I'm outraged or particularly worried about the bandwidth (unless he/she is watching streamed movies) - I'm more worried about the security of my network, but the principle of illegally abusing someone else's property still remains. This has only started to occur in the last few days and I have changed nothing on my setup - same PCs, same software, same hardware. I have changed my WEP and restarted with just my laptop and 1 wireless card - activity stopped for a couple of hours and then restarted, so I assume the WEP has been cracked. And I've just discovered from my ISP activity log that access started to occur at 3am this morning - I know where I was then and it wasn't anything to do with computers!!

Any suggestions what to do next??.....
mopsie is offline   Reply With Quote
Old 05-24-2004   #11 (permalink)
G8tK33per
Asshole Emeritus
 
 
Join Date: May 2003
Location: Goomba's Booty Boardwalk
Posts: 6,121
Try spoofing your own MACs and see if the activity has stopped. Maybe someone grabbed one of your MACs...just a thought.
__________________
"My mind is aglow with whirling, transient nodes of thought careening through a cosmic vapor of invention."

Sons of Confederate Veterans
G8tK33per is offline   Reply With Quote
Old 05-24-2004   #12 (permalink)
fordem
Tropical Stumbler
 
Join Date: Apr 2002
Posts: 575
Quote:
Originally Posted by mopsie
That may or may not be true but with AirSnare indicating a strange MAC and WEB activity, I'm inclined to believe that there is an intruder. Not that I'm outraged or particularly worried about the bandwidth (unless he/she is watching streamed movies) - I'm more worried about the security of my network, but the principle of illegally abusing someone else's property still remains. This has only started to occur in the last few days and I have changed nothing on my setup - same PCs, same software, same hardware. I have changed my WEP and restarted with just my laptop and 1 wireless card - activity stopped for a couple of hours and then restarted, so I assume the WEP has been cracked. And I've just discovered from my ISP activity log that access started to occur at 3am this morning - I know where I was then and it wasn't anything to do with computers!!

Any suggestions what to do next??.....
That does look suspicious

How much data did you transfer over the connection in the time span between changing the WEP key and the resumption of suspect activity?

As Audit pointed out an intruder would need to capture a few Gb of data before cracking the key - I don't think that's normal in the space of a couple of hours with the typical residential network.

Leave AirSnare running overnight with your AP disconnected and see if AirSnare detects anything.
fordem is offline   Reply With Quote
Old 05-24-2004   #13 (permalink)
wrzwaldo
I amuse you?
 
Join Date: Dec 2003
Posts: 9,141
Quote:
Originally Posted by mopsie
...

Any suggestions what to do next??.....
I would consider running a sniffer and see what's floating around in your area.
wrzwaldo is offline   Reply With Quote
Old 05-24-2004   #14 (permalink)
Chris
Bad as Can
 
 
Join Date: Jul 2002
Posts: 1,141
Quote:
Originally Posted by fordem
As Audit pointed out an intruder would need to capture a few Gb of data before cracking the key - I don't think that's normal in the space of a couple of hours with the typical residential network.

That is not entirely true. If you use a dictionary, or easily guessable word to auto-gen your WEP key, wepattack will crack it in about 15 minutes or less. I would change my key again and auto-gen using a combination of upper/lowercase letters, numbers, and special chars to generate the key.

Then see if you still note the same activity.
__________________
perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
Chris is offline   Reply With Quote
Old 05-24-2004   #15 (permalink)
fordem
Tropical Stumbler
 
Join Date: Apr 2002
Posts: 575
Quote:
Originally Posted by Chris
That is not entirely true. If you use a dictionary, or easily guessable word to auto-gen your WEP key, wepattack will crack it in about 15 minutes or less. I would change my key again and auto-gen using a combination of upper/lowercase letters, numbers, and special chars to generate the key.

Then see if you still note the same activity.
Come to think of it - you did point that out earlier. It's just that after so many years of using strong passwords - it's become second nature and I don't realise that not everyone does it.
fordem is offline   Reply With Quote
All times are GMT -7.