Security Basics mailing list archives
Re: Strange WLAN behavior
From: Norealenemy <norealenemy () web de>
Date: Wed, 31 Mar 2010 11:27:31 +0200
Thanks for all your comments.

In all the comments and in my thoughts there is one logical problem. I did not see my wife's laptop connected to an unknown AP. It was connected to "MyWLAN". But there were other unknown MACs connected to "MyWLAN". One MAC was sending the same packet counts as my wife's one. The packet count was growing when my wife's laptop produced traffic and stopped when the laptop stopped generating traffic.

I'm not so familiar with kismet and the aircrack suite, so it may be that I misunderstand what I have seen.

To clarify: In kismet I selected "MyWLAN" and saw "Clients: 7". So I pressed c to get closer information about the clients. It looked like this:

    T  MAC                Manuf    Data  Crypt  Size  IP Range  Sgn  Nse
    T  00:16:6F:B1:6B:DA  Unknown  707   707    66k   0.0.0.0   0    0
    F  00:04:0E:64:43:46  Unknown  543   543    57k   0.0.0.0   0    0
    F  00:1B:38:68:2C:8D  Unknown  229   229    24k   0.0.0.0   0    0
    F  00:13:20:3B:7E:11  Unknown  90    90     14k   0.0.0.0   0    0
    S  01:00:5E:00:00:FB  Unknown  0     0      0B    0.0.0.0   0    0
    S  01:00:5E:7F:FF:FA  Unknown  0     0      0B    0.0.0.0   0    0
    S  01:00:5E:00:00:16  Unknown  0     0      0B    0.0.0.0   0    0
    S  FF:FF:FF:FF:FF:FF  Unknown  0     0      0B    0.0.0.0   0    0
    S  01:00:5E:00:00:01  Unknown  0     0      0B    0.0.0.0   0    0

The top MAC is the one of my wife's laptop; the second one was the one that was acting like my wife's one. As already said, it may be that I misunderstand the printout of kismet.

Thanks
Jensemann

On Tuesday, 30.03.2010, 18:31 -0700, Rob Thompson wrote:
+1

Jon Janego wrote:

It sounds like yes, someone is impersonating the AP that you normally connect to. As far as next steps, it depends on your goal - to find the guy, or to eliminate the problem your wife is having?

If you're just interested in stopping your immediate problems, change the SSID of your home AP, and then clean out the wireless connections list in your wife's PC. By default, Windows XP will probe for all the access points you've set up and you want to remove any reference to the "hijacked" AP.

If you're trying to kill the offending AP, on the other hand, you have a few options. You could purchase a second AP and essentially get in a signal-DOS war - broadcasting from another AP with the power cranked up and a high beacon rate; this should effectively prevent others from connecting to it. Or use a dedicated laptop and send continuous deauthentication messages to the clients connected to the AP, which will prevent people from using it.

You can also go on a warwalk using a directional antenna and kismet (and a GPS if you want to plot it on a map), and try and find the offending AP and unplug it (or confront the owner).

If it was up to me, I'd first try and stop the problem from affecting my machines - by changing your home SSID, and clearing references to the old name - and then go on a hunt to identify where it's coming from. Getting into deauth or DOS attacks is a bit morally/legally grey and ultimately unsustainable.

On Tue, Mar 30, 2010 at 8:37 AM, Norealenemy <norealenemy () web de> wrote:

Hello out there,

for a couple of days my wife has complained about her bad wireless connection. She said that the system (XP) often disconnects and sometimes the connect message says "connected to MyWLAN(insecure)". The WLAN is WPA2 protected using a very long PW including special characters.
So yesterday I had some time to play with her laptop and wondered when I saw that her system told me it was connected to "MyWLAN" with 54 MBits, while on the router she was connected with 48 MBits.

I started kismet on my laptop and was sniffing the air on my channel. The first thing I wondered about was that MyWLAN has 7 (up to 9) clients, but the strangest thing was that when I was generating traffic on her laptop I saw the packet count growing on her MAC address and on an absolutely unknown one. The packet count stops on both addresses and starts growing again when I start the ping (or anything else generating traffic) again.

Does that mean that my wife's laptop connects to an attacker AP that is forwarding her packets?

- How can I find out who it is?
- What would you do next?
- Is there a way to prevent such attacks?

Thanks in advance
Jensemann
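The client list quoted in this message mixes individual and group MAC addresses. As an added example (not part of the original posts and not Kismet code), the Python below classifies each MAC from that listing by its I/G bit and by the RFC 1112 IPv4 multicast mapping; the function names and the group labels are chosen for this example.

```python
import ipaddress

# Rows taken from the Kismet client list in the message above:
# type flag, MAC, data packet count (other columns dropped).
KISMET_ROWS = """\
T 00:16:6F:B1:6B:DA 707
F 00:04:0E:64:43:46 543
F 00:1B:38:68:2C:8D 229
F 00:13:20:3B:7E:11 90
S 01:00:5E:00:00:FB 0
S 01:00:5E:7F:FF:FA 0
S 01:00:5E:00:00:16 0
S FF:FF:FF:FF:FF:FF 0
S 01:00:5E:00:00:01 0
"""

# Well-known IPv4 multicast groups (labels chosen for this example).
GROUPS = {"224.0.0.1": "all hosts", "224.0.0.22": "IGMPv3",
          "224.0.0.251": "mDNS", "239.255.255.250": "SSDP/UPnP"}

def group_mac(group):
    """RFC 1112 mapping: 01:00:5E plus the low 23 bits of the group address."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return b"\x01\x00\x5e" + low23.to_bytes(3, "big")

# 32 groups share each mapped MAC; this table names the commonly seen one.
KNOWN = {group_mac(g): f"{g} ({name})" for g, name in GROUPS.items()}

def classify(mac):
    """Return (kind, detail) for a colon-separated 48-bit MAC."""
    raw = bytes(int(part, 16) for part in mac.split(":"))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    if raw == b"\xff" * 6:
        return "broadcast", "all stations"
    if raw[0] & 0x01:  # I/G bit set: a group destination, never a sender
        return "multicast", KNOWN.get(raw, "unlisted group")
    return "unicast", "local" if raw[0] & 0x02 else "vendor OUI"

def real_stations(rows=KISMET_ROWS):
    """MACs from the listing that can belong to an actual device."""
    macs = [line.split()[1] for line in rows.strip().splitlines()]
    return [m for m in macs if classify(m)[0] == "unicast"]

if __name__ == "__main__":
    for line in KISMET_ROWS.strip().splitlines():
        flag, mac, packets = line.split()
        print(flag, mac, packets, *classify(mac))
    print("devices:", len(real_stations()))
```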