Re: Wireless intrusion - WPA and TKIP cracked with ease



MikkiJayne <MikkiJayne.2yec08@xxxxxxxxxxxxxxxxxxxxxxxx> hath wroth:

> I've been working in the IT industry for 10 years or so.

If you've survived that long, and are still sane, permit me to
congratulate you.

> I'm not particularly experienced with wireless, just using it at home,
> but I'm learning fast.

High speed learning doesn't work. In order to understand something
well, you need to tear it apart, make a huge mess dissecting the
contents, analyze the entrails, and put it back in working order. It's
all part of "Learn By Destroying(tm)."

> So, I have a problem with one of my neighbours hacking my wireless
> connection and downloading massive amounts of data, using a spoofed MAC.

It takes more than just a spoofed MAC address. In addition, if they
have borrowed the MAC address of one of your machines, there will be
considerable packet corruption when BOTH machines try to connect.

> I have a belkin modem-router which is using WPA and TKIP/AES, and the
> intruder just waltzes through the security like it's not even there.

Are you sure you work in IT? Belkin has more than one model, each
with their own collection of bugs and problems. If you like
generalized and theoretical discussions, I can do that, but if you
want specific answers for your specific problem, kindly disclose the
model number of ALL your wireless hardware. Extra credit for the
firmware versions (don't say "the latest"). Then, you get to dig
through the various security mailing lists to see if there are any
unpatched security holes in your unspecified router and firmware.

> I've hidden the SSID,

Waste of time. All that does is have your neighbors land on the
channel you're using because they can't see your access point. It
also breaks a few client connection managers. It might slow down a
hacker for about 30 seconds. Kismet and other utilities show hidden
SSIDs.

> changed all the settings,

All of them or just some of them? Any particular settings that were
changed from the default?

> and he just gets straight back in.

Yep. Now, convince yourself (and me) that you actually have WPA-PSK
(or WPA-personal) set up correctly. That's not as easy as it sounds on
some of the more moronic user interfaces. For example, one ancient
version (I think it was Netgear's) had a nice list of encryption
protocols to select, but on a different page, had an encryption on/off
radio button. Users would select the correct protocol, and think they
are protected.

My guess(tm), based upon your description, is that you actually have a
WEP key set up, which is easily cracked. Don't use WEP encryption.

Incidentally, WPA encryption is safe but only with long (20 char)
non-dictionary pass phrases. My guess(tm) is that yours is fairly
trivial and can therefore be cracked. See:
<http://www.wirelessdefence.org/Contents/Aircrack-ng_WinAircrack.htm>
<http://en.wikipedia.org/wiki/Aircrack-ng>

> I've even disabled wireless client access on the router and he STILL
> got in :mad:

That's not what it's called. It's something like "wireless
administration access" which controls whether a wireless client can
get to the web configuration interface. There's also a "remote admin"
setting that does the same thing for users coming in from the
internet. You should probably leave both of these off, at least until
the problem is identified.

> I'm less bothered about stopping him now, and more bothered about
> finding out who it is so that I can set the cops on him, because this
> is costing me money and a lot of time.

Are you sure you work in IT? Do you read the trade journals? How
many people have you seen busted for unlawful use of a computer via
wi-fi? There are a few but in general, unless you can prove that the
system was used to commit a more serious crime, the local D.A. doesn't
have a clue what to do with the case and generally refuses to
prosecute.

Also, please note that *YOU* are responsible for your own security. If
you know that your security is defective, and have not done due
diligence (i.e. security scans) to verify your own security, you are
at least partly responsible for consequential damages. This has not
been tested in court and can be effectively argued by both sides.
However, it does represent a reason why the D.A. does not want to
prosecute.

If you really want to find the culprit, there are several things you
can do. One is to capture some of their traffic and try to identify
the culprit from the destinations or contents. The other is more
technical and requires a 2.4GHz directional antenna, and plenty of
understanding of RF propagation. If you know any of the local ham
radio operators, they might be able to help. If that's too much,
reduce your antenna size so that they need to have a strong signal to
connect. Walk around with your laptop running Kismet (or some sniffer
that displays signal strength) until you find the general area.

> I've reverted to a non-wireless router in the meantime since there is
> nothing more I can do with the wireless.

Well, that's fine for now, but if you've given up, why ask for help?

> Does anyone know of any counter-intrusion tools that I could use to
> find out what he's doing, or even counter-hack his machine? I think
> it's fairly well firewalled.

Are you sure you work in IT? Counter-hacking is generally a bad idea
because of the legal complications. It's one thing for the culprit to
borrow your connection for whatever purpose. It's another for you to
destroy his machine or data by remote control.

To find out what he's doing, you use a sniffer such as Ethereal or
Wireshark. Capture some traffic and look at it carefully. I also
have tools that use the router statistics to log destinations and
traffic, but I don't think they'll work on any Belkin hardware. You
can best install a sniffer probe with a separate computer and a hub.
Install the hub (not a switch) between the modem and the router.
Connect the computer to the hub and sniff away. There are also plenty
of network traffic analyzers available.


--
Jeff Liebermann jeffl@xxxxxxxxxx
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
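Added example, not from the post or either poster: a Python check of the "long, non-dictionary pass phrase" advice above. It derives the WPA/WPA2 pre-shared key the way the standard does (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations) and rates a candidate passphrase by length and a constructed word list. The SSID, the word list and the assumed guess rate are constructed values, not measurements.

```python
import hashlib
import string

# Constructed sample values, not taken from the post.
SSID = "example-home-net"
SMALL_DICTIONARY = {"password", "letmein", "belkin", "wireless", "12345678"}


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Map a WPA/WPA2 passphrase to the 256-bit PSK (the PMK).

    This is the IEEE 802.11i mapping: PBKDF2-HMAC-SHA1, SSID as salt,
    4096 iterations, 32-byte output. The router does exactly this, so the
    passphrase is the only secret an attacker has to guess offline.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def guess_space(passphrase: str) -> float:
    """Number of candidates for a random passphrase of this length drawn
    from the character classes it actually uses (an upper bound)."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation, " "]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return float(alphabet) ** len(passphrase)


def passphrase_verdict(passphrase: str, guesses_per_second: float = 1e5) -> dict:
    """Rate a passphrase against the advice in the post: at least 20
    characters and not a dictionary word. guesses_per_second is an assumed
    offline PBKDF2 rate, used only to express the exhaustive search cost."""
    in_dictionary = passphrase.lower() in SMALL_DICTIONARY
    long_enough = len(passphrase) >= 20
    if in_dictionary:
        years = 0.0  # falls on the first pass through the word list
    else:
        years = guess_space(passphrase) / guesses_per_second / (365 * 86400)
    return {"in_dictionary": in_dictionary, "long_enough": long_enough,
            "acceptable": long_enough and not in_dictionary,
            "brute_force_years": years}


if __name__ == "__main__":
    for candidate in ("belkin", "Rain7!", "correct horse battery staple 42"):
        print(candidate, passphrase_verdict(candidate))
    print("PSK for SSID", SSID, wpa_psk("correct horse battery staple 42", SSID).hex())
```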