Re: Undetectable APs
- From: Jeff Liebermann <jeffl@xxxxxxxxxx>
- Date: Sun, 01 Aug 2010 08:54:55 -0700
On Sun, 1 Aug 2010 09:55:25 +0200 (CEST), starwars
<nonscrivetemi@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> Since you gave me good answers and usually do here, I will tell you.
I usually ask "what are you trying to accomplish, and what do you have
to work with".
> Over the last year or so I have discovered at least 3 open routers
> running unencrypted APs from my stand-alone old PC scans using a simple USB
> Wi-Fi radio and software.
> A couple of times I configured the routers to give me encrypted access because
> I was having a lot of problems with hackers trying to break into my computer
> to steal files.
How do you know that hackers were trying to break into your computer
and steal files? Connection attempts are common. Many laptops,
PDAs, and cell phones try to connect without any user intervention.
For example, my iPhone 3G PDA (cell phone disabled) will try to
connect via Wi-Fi to anything that it hears when it wakes up every 15
or so minutes.
> I was not trying to break into anyone's computer, just wanted
> free net access.
It's considered good form to *ASK* the owners of the wireless access
points for permission to use their access points. My batting average
with asking used to be fairly good about 8-10 years ago. Then, horror
stories appeared in the press about evil hackers lurking in the
shadows looking for data to pilfer from the GUM (great unwashed
masses). These days, my batting average is much less, especially if
they're into file sharing and worried about getting caught.
> They were using a program to exploit some flaw in my OS and
> change the file sharing settings. I detected this and made the necessary corrections
> to my system so they could not break in.
Like I asked, how did you know? What program were you using? I've
dealt with paranoids that think that the Windoze networking browser
election or Windoze Media Player advertisements is an attack of
sorts. Programs, such as Zone Alarm can be set to provide alerts for
just about anything.
If you're seriously worried about attacks via wireless, I suggest you
investigate using a software firewall on your computer or using double
NAT plus SPI on a router behind a wireless client bridge (instead of
your USB thing).
> Once I got encrypted access the hackers went poof.
I won't ask how you got unencrypted access. Assuming it was done
properly by asking, it should have had no effect on your alleged
attacks. Sorry, but you have it backwards. There are some things
that can be done to an encrypted access point or router, but very
little to a wireless client adapter. If you're worried, turn off
peer-to-peer access in your wireless network settings on your USB
device.
> But then the owners of the
> AP realized someone else was using their AP, since I was now listed in the
> router, and they either took down the transmitter, or they somehow shielded me
> from being able to detect them with a simple client radio scan.
More likely, they hired the neighborhood computer geek to properly
secure their router. In some cases, they may have hired the Geek
Squad. In extremely rare cases, they may have read the instructions
that came with their wireless router. It's difficult to tell.
> I was wondering how those particular APs suddenly disappeared from my scans.
Most modern APs have a feature where they don't broadcast their SSID
called "SSID hiding". It's not 100% effective and can be detected:
<http://www.library.cornell.edu/dlit/ds/links/cit/redrover/ssid/wp_ssid_hiding.pdf>
> I guess maybe I could try to get their email address from their user and host
> names and ask them why their AP is no longer there in my scans. Of course,
> they may not be willing to tell me. I am using the same radio, scanner and
> location.
If they were on AT&T or other ISP that uses PPPoE, the login "name" is
their email address. You should have recorded that when you first
broke in and started making changes. If you have a directional
antenna, you can possibly locate the access point. Maybe build one of
these reflectors:
<http://802.11junk.com/jeffl/antennas/Salad-Dish/index.html>
and shove your USB dongle down the pipe to the focus. Lots of other
ways to build a directional antenna. However, the best would be a USB
dongle with an external RP-SMA antenna connector, and a proper
directional dish or panel antenna. Be sure to shield the dongle with
aluminum foil so that all the RF goes to/from the dish.
> I am guessing from your reply that I have an active scanner since it
> is just simple software that comes with a USB radio.
The maker and model would be helpful, but it's certainly an active
scanner if you're referring to the "site survey" feature. Your client
adapter sends out a probe request, to which all the APs in the
neighborhood reply with their SSID, MAC address, and connection info.
Your client adapter also scans all 11 channels in sequence looking for
APs to connect to. That's the active part. The passive part is that
normal AP's beacon their SSID several times per second. You don't
need a probe request to see those, which can be heard with a passive
scanner.
> So perhaps they are setting
> their AP not to reply to my scans.
Sorta. SSID hiding works by beaconing a zero length SSID in the
beacons. Your client adapter doesn't know what to do with a blank
SSID and therefore shows nothing. However connect and disconnect
requests still contain the SSID.
> I can change my MAC and other usual identifying
> names at will, so it's not MAC/hostname filtering.
As you note, MAC address filtering is nearly useless.
> Some of the sophisticated software I have read about I THINK is able to
> deny response to active scans based on other parameters that identify
> the rogue client as a rogue client, including not having the right MAC
> address, location and other parameters.
True, but more commonly, SSID hiding is what is used. There are also
some wireless router exploits that are blocked by the router firmware.
For example, pounding on the access point with probe requests will
usually cause the access point to go comatose on the assumption that
it's being attacked.
> I am just trying to learn and also trying to keep free access. I can't afford
> the outrageous (imo) rates being charged for commercial Wi-Fi access and I bet
> the stability of the paid connections isn't much better than what I get for
> free. If they leave their door wide open, then
> don't complain if somebody comes in to take a snooze.
While prosecutions for wireless intrusions are rare and usually a
waste of time, it's still not ethically or morally correct. I suggest
you ask yourself how you would feel if your neighbors were borrowing
your bandwidth. I did that willingly with a neighborhood LAN and ran
into problems with users not knowing the difference between abuse and
normal use. Instead of spending your time hacking, perhaps it would
be better spent asking them for permission. Who knows... they might
be friendly?
--
Jeff Liebermann jeffl@xxxxxxxxxx
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
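The point Jeff makes about SSID hiding (the beacon still goes out, just with a zero-length SSID element, while probe and association traffic from real clients carries the name) is easy to see in code. The following passive scanner is an added example and is not code from Jeff's reply, from starwars, or from any tool mentioned in the thread. It parses the parts of 802.11 management frames needed to pull out addresses and the SSID element, and it runs over constructed frames with made-up MAC addresses rather than a real capture; the frame layouts (24-byte header, 12 fixed bytes before the beacon/probe-response elements, 4 before the association-request elements, tagged elements as ID/length/data) are standard 802.11, the class and function names are mine.

```python
"""Passive 802.11 management-frame scanner (added example, not from the thread).
Shows that a hidden network still beacons with an empty SSID element, and that a
client's directed probe request and association request give the name back.
All frames and MAC addresses below are constructed, not captured."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MGMT_TYPE = 0            # frame-control type field: management
SUBTYPE_ASSOC_REQ = 0
SUBTYPE_PROBE_REQ = 4
SUBTYPE_PROBE_RESP = 5
SUBTYPE_BEACON = 8
SSID_IE = 0              # element ID of the SSID information element
BROADCAST = b"\xff" * 6


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_ies(body: bytes) -> List[Tuple[int, bytes]]:
    """Walk the tagged elements (ID, length, data); stop at a truncated element."""
    ies, i = [], 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        data = body[i + 2:i + 2 + ln]
        if len(data) < ln:          # length claims more bytes than exist: don't trust it
            break
        ies.append((eid, data))
        i += 2 + ln
    return ies


@dataclass
class MgmtFrame:
    subtype: int
    sa: str
    bssid: str
    ssid: Optional[bytes]   # None: no SSID element; b"": hidden (beacon) or wildcard (probe)


def parse_mgmt(frame: bytes) -> Optional[MgmtFrame]:
    """Parse a management frame just far enough to get addresses and the SSID element."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != MGMT_TYPE:
        return None
    subtype = fc0 >> 4
    sa, bssid = frame[10:16], frame[16:22]
    body = frame[24:]
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        body = body[12:]    # timestamp(8) + beacon interval(2) + capability(2)
    elif subtype == SUBTYPE_ASSOC_REQ:
        body = body[4:]     # capability(2) + listen interval(2)
    elif subtype != SUBTYPE_PROBE_REQ:
        return None         # other subtypes carry nothing this scanner needs
    ssid = next((d for eid, d in parse_ies(body) if eid == SSID_IE), None)
    return MgmtFrame(subtype, mac_str(sa), mac_str(bssid), ssid)


class PassiveScanner:
    def __init__(self) -> None:
        self.networks: Dict[str, bytes] = {}   # BSSID -> SSID (b"" = hidden so far)
        self.probed: Set[bytes] = set()         # names clients asked for in directed probes

    def feed(self, frame: bytes) -> None:
        f = parse_mgmt(frame)
        if f is None or f.ssid is None:
            return
        if f.subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
            # AP-originated. A hidden beacon carries a zero-length SSID; never let it
            # overwrite a name already learned from some other frame.
            if f.ssid or f.bssid not in self.networks:
                self.networks[f.bssid] = f.ssid
        elif f.subtype == SUBTYPE_ASSOC_REQ and f.ssid:
            self.networks[f.bssid] = f.ssid     # client joining the AP names it
        elif f.subtype == SUBTYPE_PROBE_REQ and f.ssid:
            self.probed.add(f.ssid)             # directed probe: name, but no BSSID yet

    def summary(self) -> Dict[str, str]:
        return {b: (s.decode("utf-8", "replace") if s else "<hidden>")
                for b, s in self.networks.items()}


def build_mgmt(subtype: int, da: bytes, sa: bytes, bssid: bytes,
               ies: List[Tuple[int, bytes]]) -> bytes:
    """Build a minimal management frame (no FCS) for the constructed samples."""
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    hdr = fc + b"\x00\x00" + da + sa + bssid + b"\x00\x00"
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        fixed = struct.pack("<QHH", 0, 100, 0x0401)   # timestamp, interval, capability
    elif subtype == SUBTYPE_ASSOC_REQ:
        fixed = struct.pack("<HH", 0x0401, 10)        # capability, listen interval
    else:
        fixed = b""
    body = b"".join(bytes([eid, len(d)]) + d for eid, d in ies)
    return hdr + fixed + body


# Constructed sample traffic (made-up addresses): a hidden AP, an open AP, and a
# client that probes for the hidden network by name and then associates to it.
AP_HIDDEN = bytes.fromhex("001122334455")
AP_OPEN = bytes.fromhex("0011226677aa")
CLIENT = bytes.fromhex("deadbeef0001")
RATES = (1, b"\x82\x84\x8b\x96")
SAMPLE_FRAMES = [
    build_mgmt(SUBTYPE_BEACON, BROADCAST, AP_HIDDEN, AP_HIDDEN, [(SSID_IE, b""), RATES]),
    build_mgmt(SUBTYPE_BEACON, BROADCAST, AP_OPEN, AP_OPEN, [(SSID_IE, b"OpenWifi"), RATES]),
    build_mgmt(SUBTYPE_PROBE_REQ, BROADCAST, CLIENT, BROADCAST, [(SSID_IE, b"HomeNet"), RATES]),
    build_mgmt(SUBTYPE_ASSOC_REQ, AP_HIDDEN, CLIENT, AP_HIDDEN, [(SSID_IE, b"HomeNet"), RATES]),
    build_mgmt(SUBTYPE_BEACON, BROADCAST, AP_HIDDEN, AP_HIDDEN, [(SSID_IE, b""), RATES]),
]


def scan(frames: List[bytes], upto: Optional[int] = None) -> PassiveScanner:
    """Feed the first `upto` frames (all if None) and return the scanner state."""
    s = PassiveScanner()
    for fr in frames[:upto]:
        s.feed(fr)
    return s


if __name__ == "__main__":
    print("after beacons only:", scan(SAMPLE_FRAMES, 2).summary())
    print("after client joins:", scan(SAMPLE_FRAMES).summary())
```

After the two beacons the hidden AP shows up as a BSSID with no name, which is exactly what a site-survey tool displays as nothing; once the client associates, the same BSSID resolves to its SSID. A real passive capture needs a monitor-mode interface and a library such as scapy to hand you raw frames, which this example deliberately leaves out so it runs offline.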