From: Nemesis on 1 Aug 2010 11:36

>But how can a receiver detect an AP that is not addressing packets to
>that receiver, which is what a "passive" scan implies?

An AP transmits to ALL "receivers" in range. Always. The "receiver" decides if it wants the data or not. If there is a hacker behind the receiver, he probably DOES want that data. :)

[]'s
From: Jeff Liebermann on 1 Aug 2010 11:54

On Sun, 1 Aug 2010 09:55:25 +0200 (CEST), starwars <nonscrivetemi(a)tatooine.homelinux.net> wrote:

>Since you gave me good answers and usually do here, I will tell you.

I usually ask "what are you trying to accomplish, and what do you have to work with".

>Over the last year or so I have discovered at least 3 open routers
>running unencrypted APs from my stand alone old pc scans using a simple usb
>wifi radio and software.
>
>A couple times I configured the routers to give me encrypted access because
>I was having a lot of problems with hackers trying to break into my computer
>to steal files.

How do you know that hackers were trying to break into your computer and steal files? Connection attempts are common. Many laptops, PDAs, and cell phones try to connect without any user intervention. For example, my iPhone 3G PDA (cell phone disabled) will try to connect via Wi-Fi to anything that it hears when it wakes up every 15 or so minutes.

>I was not trying to break into anyone's computer, just wanted
>free net access.

It's considered good form to *ASK* the owners of the wireless access points for permission to use their access points. My batting average with asking used to be fairly good about 8-10 years ago. Then, horror stories appeared in the press about evil hackers lurking in the shadows looking for data to pilfer from the GUM (great unwashed masses). These days, my batting average is much less, especially if they're into file sharing and worried about getting caught.

>They were using a program to exploit some flaw in my OS and
>change the file sharing settings. I detected this and made the necessary corrections
>to my system so they could not break in.

Like I asked, how did you know? What program were you using? I've dealt with paranoids that think that the Windoze networking browser election or Windoze Media Player advertisements is an attack of sorts. Programs such as Zone Alarm can be set to provide alerts for just about anything. If you're seriously worried about attacks via wireless, I suggest you investigate using a software firewall on your computer or using double NAT plus SPI on a router behind a wireless client bridge (instead of your USB thing).

>Once I got encrypted access the hackers went poof.

I won't ask how you got unencrypted access. Assuming it was done properly by asking, it should have had no effect on your alleged attacks. Sorry, but you have it backwards. There are some things that can be done to an encrypted access point or router, but very little to a wireless client adapter. If you're worried, turn off peer-to-peer access in your wireless network settings on your USB device.

>But then the owners of the
>AP realized someone else was using their AP, since I was now listed in the
>router, and they either took down the transmitter, or they somehow shielded me
>from being able to detect them with a simple client radio scan.

More likely, they hired the neighborhood computer geek to properly secure their router. In some cases, they may have hired the Geek Squad. In extremely rare cases, they may have read the instructions that came with their wireless router. It's difficult to tell.

>I was wondering how those particular APs suddenly disappeared from my scans.

Most modern APs have a feature where they don't broadcast their SSID, called "SSID hiding". It's not 100% effective and can be detected:
<http://www.library.cornell.edu/dlit/ds/links/cit/redrover/ssid/wp_ssid_hiding.pdf>

>I guess maybe I could try to get their email address from their user and host
>names and ask them why their AP is no longer there in my scans. Of course,
>they may not be willing to tell me. I am using the same radio, scanner and
>location.

If they were on AT&T or other ISP that uses PPPoE, the login "name" is their email address. You should have recorded that when you first broke in and started making changes.

If you have a directional antenna, you can possibly locate the access point. Maybe build one of these reflectors:
<http://802.11junk.com/jeffl/antennas/Salad-Dish/index.html>
and shove your USB dongle down the pipe to the focus. Lots of other ways to build a directional antenna. However, the best would be a USB dongle with an external RP-SMA antenna connector, and a proper directional dish or panel antenna. Be sure to shield the dongle with aluminum foil so that all the RF goes to/from the dish.

>I am guessing from your reply that I have an active scanner since it
>is just simple software that comes with a usb radio.

The maker and model would be helpful, but it's certainly an active scanner if you're referring to the "site survey" feature. Your client adapter sends out a probe request, which all the APs in the neighborhood reply to with their SSID, MAC address, and connection info. Your client adapter also scans all 11 channels in sequence looking for APs to connect. That's the active part. The passive part is that normal APs beacon their SSID several times per second. You don't need a probe request to see those, which can be heard with a passive scanner.

>So perhaps they are setting
>their AP not to reply to my scans.

Sorta. SSID hiding works by beaconing a zero length SSID in the beacons. Your client adapter doesn't know what to do with a blank SSID and therefore shows nothing. However, connect and disconnect requests still contain the SSID.

>I can change my mac and other usual identifying
>names at will, so it's not mac/hostname filtering.

As you note, MAC address filtering is nearly useless.

>Some of the sophisticated software I have read about I THINK is able to
>deny response to active scans based on other parameters that identify
>the rogue client as a rogue client, including not having the right MAC
>address, location and other parameters.

True, but more commonly, SSID hiding is what is used. There are also some wireless router exploits that are blocked by the router firmware. For example, pounding on the access point with probe requests will usually cause the access point to go comatose on the assumption that it's being attacked.

>I am just trying to learn and also trying to keep free access, I can't afford
>the outrageous (imo) rates being charged for commercial wifi access and I bet
>the stability of the paid connections isn't much better than what I get for
>free. If they leave their door wide open, then
>don't complain if somebody comes in to take a snooze.

While prosecutions for wireless intrusions are rare and usually a waste of time, it's still not ethically or morally correct. I suggest you ask yourself how you would feel if your neighbors were borrowing your bandwidth. I did that willingly with a neighborhood LAN and ran into problems with users not knowing the difference between abuse and normal use. Instead of spending your time hacking, perhaps it would be better spent asking them for permission. Who knows... they might be friendly?

--
Jeff Liebermann     jeffl(a)cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558
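Jeff's post above makes three points about what a passive listener actually sees on the air: every AP beacons several times a second, SSID hiding only blanks the SSID field in those beacons (a zero-length SSID element) while association requests still carry the real name, and an AP that is hammered with probe requests will shut down. The following example, added here and not written by anyone in this thread, shows all three from the defender's side in one small 802.11 management-frame parser: it inventories beacons, flags hidden SSIDs, notes when a joining station names a hidden network, and counts probe requests per sender so a flood stands out in a capture. Everything in it is an assumption of the example: the frames are constructed in `build_mgmt_frame` (raw 802.11 frames with no radiotap header), the MAC addresses and network names are made up, and the flood threshold of 50 is an arbitrary illustration, not a tuned value. A real deployment would feed it frames from a monitor-mode capture (Kismet, tcpdump) instead.

```python
"""Passive 802.11 management-frame analysis (added example, not code from any poster).

Works on raw management frames without a radiotap header. Shows:
  * which APs are visible from beacons alone (no probe request needed),
  * which of them hide their SSID (zero-length SSID element in the beacon),
  * the SSID named by a station's association request to such an AP,
  * probe-request counts per sender, to flag a probe flood.
"""
import struct
from collections import Counter

MGMT_HDR_LEN = 24        # FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)
SUBTYPE_ASSOC_REQ = 0
SUBTYPE_PROBE_REQ = 4
SUBTYPE_BEACON = 8
IE_SSID = 0              # information element tag for the SSID
IE_SUPPORTED_RATES = 1


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(body):
    """Walk tag/length/value information elements; stop at a truncated one."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break                    # truncated element: do not trust the rest
        ies.setdefault(tag, value)   # first occurrence wins
        i += 2 + length
    return ies


def parse_mgmt_frame(frame):
    """Return subtype, source, BSSID and SSID element of a management frame, else None."""
    if len(frame) < MGMT_HDR_LEN:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:        # frame type 0 = management
        return None
    subtype = (fc0 >> 4) & 0xF
    src, bssid = mac_str(frame[10:16]), mac_str(frame[16:22])
    body = frame[MGMT_HDR_LEN:]
    if subtype == SUBTYPE_BEACON:
        body = body[12:]             # timestamp(8) + beacon interval(2) + capability(2)
    elif subtype == SUBTYPE_ASSOC_REQ:
        body = body[4:]              # capability(2) + listen interval(2)
    return {"subtype": subtype, "src": src, "bssid": bssid,
            "ssid": parse_ies(body).get(IE_SSID)}


def is_hidden_ssid(ssid):
    """SSID hiding shows up as a zero-length SSID element (some gear sends all NULs)."""
    return ssid is None or len(ssid) == 0 or all(b == 0 for b in ssid)


def summarize(frames, probe_flood_threshold=50):
    """Inventory APs from beacons and association requests; count probe requests per sender."""
    aps, probe_counts = {}, Counter()
    for raw in frames:
        p = parse_mgmt_frame(raw)
        if p is None:
            continue
        if p["subtype"] == SUBTYPE_BEACON:
            entry = aps.setdefault(p["bssid"], {"ssid": None, "hidden": None})
            entry["hidden"] = is_hidden_ssid(p["ssid"])
            if not entry["hidden"]:
                entry["ssid"] = p["ssid"].decode("utf-8", "replace")
        elif p["subtype"] == SUBTYPE_ASSOC_REQ and p["ssid"]:
            # a station joining must name the network, hidden beacon or not
            entry = aps.setdefault(p["bssid"], {"ssid": None, "hidden": None})
            entry["ssid"] = p["ssid"].decode("utf-8", "replace")
        elif p["subtype"] == SUBTYPE_PROBE_REQ:
            probe_counts[p["src"]] += 1
    floods = {mac: n for mac, n in probe_counts.items() if n >= probe_flood_threshold}
    return aps, floods


def build_mgmt_frame(subtype, src, bssid, ssid=None):
    """Constructed test frame: broadcast destination, zero duration and sequence number."""
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + b"\xff" * 6 + src + bssid + b"\x00\x00"
    body = b""
    if subtype == SUBTYPE_BEACON:
        body += struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, 100 TU interval, capability
    elif subtype == SUBTYPE_ASSOC_REQ:
        body += struct.pack("<HH", 0x0411, 10)        # capability, listen interval
    if ssid is not None:
        body += bytes([IE_SSID, len(ssid)]) + ssid    # len 0 for hidden/wildcard SSID
    body += bytes([IE_SUPPORTED_RATES, 1, 0x82])      # 1 Mbit/s basic rate
    return header + body


# Constructed addresses and names; nothing here refers to a real network.
AP_A, AP_B = bytes.fromhex("02aabbcc0001"), bytes.fromhex("02aabbcc0002")
STA_1, STA_2 = bytes.fromhex("02ddeeff0001"), bytes.fromhex("02ddeeff0002")


def sample_frames():
    frames = [
        build_mgmt_frame(SUBTYPE_BEACON, AP_A, AP_A, b"HomeNet"),
        build_mgmt_frame(SUBTYPE_BEACON, AP_B, AP_B, b""),            # SSID hiding
        build_mgmt_frame(SUBTYPE_ASSOC_REQ, STA_2, AP_B, b"GuestNet"),  # station names it anyway
    ]
    frames += [build_mgmt_frame(SUBTYPE_PROBE_REQ, STA_1, b"\xff" * 6, b"")] * 60  # flood
    frames += [build_mgmt_frame(SUBTYPE_PROBE_REQ, STA_2, b"\xff" * 6, b"")] * 3   # normal
    return frames


if __name__ == "__main__":
    aps, floods = summarize(sample_frames())
    for bssid, info in aps.items():
        print(bssid, info)
    print("probe floods:", floods)
```

The beacon inventory needs no transmission at all, which is the passive scan the earlier question asked about; the hidden-SSID flag is exactly the "blank SSID" the client software chokes on; and the per-sender probe counter is the kind of check an AP or wireless IDS applies before deciding it is under a probe flood.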
From: Jeff Liebermann on 2 Aug 2010 20:40

On Mon, 2 Aug 2010 22:24:58 +0200 (CEST), George Orwell <nobody(a)mixmaster.it> wrote:

>Ok yeah going to have to migrate to linux in order to use Kismet. I am
>stupid when it comes to computers so it's all a chore for me.

<http://www.backtrack-linux.org>
Make the Live-DVD or bootable flash drive and run Kismet from there.

--
# Jeff Liebermann     150 Felker St #D    Santa Cruz CA 95060
# 831-336-2558        http://802.11junk.com   jeffl(a)cruzio.com
# http://www.LearnByDestroying.com   AE6KS