Re: Strange WLAN behavior

[Adam Mooz <adam.mooz () gmail com>]

Comments inline below:

-----------------------------------------------------------------
Adam Mooz
Adam.Mooz () gmail com
http://www.AdamMooz.com

On 2010-03-31, at 5:53 AM, Norealenemy wrote:

> Am Dienstag, den 30.03.2010, 19:17 -0400 schrieb Adam Mooz:
> > Sounds like someone's doing something malicious.  There was a tool announced at Shmoocon, Airdrop-NG which could be 
> > used to deauth all targets except this one malicious node.  This forces users to look for a working AP, and find an 
> > open, free, public wifi...how convienent right?  Or join the next AP with the same SSID, and since Windows doesn't 
> > check anything beyond the SSID (i.e. does it have the same security settings as the legit AP) it will connect by 
> > deafult.  This is slightly tangential to your problem but something to consider.  
>
> Is there a way to change this behavior of M$? 

Not to my knowledge.  Just be mindful of where you're connecting to and pay attention to the popups that Windows 
offers.  In all honesty, Windows usually TRIES to warn users...at least for 10 seconds or so.

> > If you can look at this in kismet I'm going to assume you can also put your wifi card into promiscious, or monitor 
> > mode.  If you can, fire up Wireshark and look for deauthentication packets (or any other strange behavior), if you 
> > see a slew of them, or only deauth packets when your wife's laptop goes to join your network, then someone's 
> > actively trying to steal your data.  It sounds like you're in an apartment, compact-housing, or other form of 
> > high-density living which are prime targets for blackhatters, skiddies, or people just looking to otherwise ruin 
> > your day.  
>
> I put the card into promiscious mode. I also started wireshark and
> collected some packets. I will check if I will find deauth, but as
> mentioned in a few mails before (on the list) it is not the problem,
> that my wifes laptop was connected to a unknown AP. She was connected to
> "MyWLAN", but another MAC was exactly sending the same packet count when
> the laptop was generating traffic. That's the point of my fear.

In wireless you can setup multiple AP's with the same SSID to setup 'cell sites' - they do this on university networks 
all the time.  It appears as one giant network and you can walk around and only connect to one SSID, but there will be 
multiple AP.  In my University, in the common areas there can be up for 5 or 6 AP's all with the same SSID.  My laptop 
always connects to the one with the strongest signal.  My point in saying this is if someone's using the same SSID as 
you and is deauthing your AP then your wife's laptop will "fall back" to the next access point and connect 
automatically.  In this case that "fall back AP" is the rogue AP, essentially allowing the malicious user to 'override' 
your AP.  If you don't believe me then try changing the SSID to something else, see what happens.  If your wife's 
laptop still connects to an insecure version then the malicious person is probably using a form of KARMA, as previously 
mentioned in the thread.

> We are not living in compact housing. There are two 6 party houses in
> possible range but the rest is one or two family houses. As the problem
> (disconnecting an reconnect with the window-message "connected to
> MyWLAN-insecure") was not only one evening I'm pretty sure, if someone
> is playing stupid games with us, it was no war-driver; it must be a
> neighbor, what is really stupid. There are not as many possible persons,
> that could be.

In that case, if you're familiar with the neighbourhood you might want to knock on a neighbours door, it could be a 
nephew or someone new to the area that's just messing around or trying to learn some 1337 skills.  As mentioned earlier 
on the list by someone else you could walk around and watch the signal strength to localize or pinpoint the source and 
bang on their door, or call the cops...the decision is yours.  If it's just someone visiting it should clear up 
relatively soon.  That's quite a few clients connected to be in non-compact housing, my apologies I didn't mean 
anything by it.

> > Don't login to anything sensitive until you're 100% positive what's going on with this network, I'd even consider 
> > switching to a wired connection.
>
> Already done. PW are changed at all internet services (email, ebay...)
> We are using the good old cable (stupid thing using a laptop wired) and
> my wifes laptop is only used for doing some www traffic per day, so it
> looks like we have nothing noticed yet.
>
>
> br Jensemann 
>
> > -----------------------------------------------------------------
> > Adam Mooz
> > Adam.Mooz () gmail com
> > http://www.AdamMooz.com
> >
> > On 2010-03-30, at 2:58 PM, Jon Janego wrote:
> >
> > > It sounds like yes, someone is impersonating the AP that you normally
> > > connect to.
> > >
> > > As far as next steps, it depends on your goal - to find the guy, or to
> > > eliminate the problem your wife is having?  If you're just interested
> > > in stopping your immediate problems, change the SSID of your home AP,
> > > and then clean out the wireless connections list in your wife's PC.
> > > By default, Windows XP will probe for all the access points you've set
> > > up and you want to remove any reference to the "hijacked" AP.
> > >
> > > If you're trying to kill the offending AP, on the other hand, you have
> > > a few options.  You could purchase a second AP and essentially get in
> > > a signal-DOS war - broadcasting from another AP with the power cranked
> > > up and a high beacon rate; this should effectively prevent others from
> > > connecting to it.  Or use a dedicated laptop and send continuous
> > > deauthentication messages to the clients connected to the AP, which
> > > will prevent people from using it.
> > >
> > > You can also go on a warwalk using a directional antenna and kismet
> > > (and a GPS if you want to plot it on a map), and try and find the
> > > offending AP and unplug it (or confront the owner).
> > >
> > > If it was up to me, I'd first try and stop the problem from affecting
> > > my machines - by changing your home SSID, and clearing references to
> > > the old name - and then go on a hunt to identify where it's coming
> > > from.  Getting into deauth or DOS attacks is a bit morally/legally
> > > grey and ultimately unsustainable.
> > >
> > >
> > > On Tue, Mar 30, 2010 at 8:37 AM, Norealenemy <norealenemy () web de> wrote:
> > > > Hello out there,
> > > >
> > > > since a couple of days my wife complained her bad wireless connection.
> > > > She said that the System (XP) often disconnects and sometimes the
> > > > connect messages says "connected to MyWLAN(insecure)" The WLAN is WPA2
> > > > protected using a very log PW including special characters.
> > > >
> > > > So yesterday I had some time to play with her laptop and was wondering
> > > > as I saw that her system told me to be connected to "MyWLAN" with 54
> > > > MBits on the router she was connected with 48 MBits.
> > > >
> > > > I started kismet on my laptop and was sniffing the air on my channel.
> > > > First thing I was wondering, was that MyWLAN has 7 (up to 9) Clients,
> > > > but the most strange thing was, that when I was generating traffic on
> > > > her laptop I saw the packet count growing on her and an absolute unknown
> > > > MAC address. The packet count stops on both addresses and starts again
> > > > growing when I start the ping (or anything else generating traffic)
> > > > again.
> > > >
> > > > Does that mean that my wifes laptop connects to an attacker AP, that is
> > > > forwarding her packets?
> > > >
> > > > - How can I find out who it is?
> > > > - What would you do next?
> > > > - Is there a way to prevent such attacks?
> > > >
> > > >
> > > > Thanks in advance Jensemann
> > > >
> > > > --
> > > >
> > > >          ,  ,                 __.   .  .
> > > > .    ,._.*-+--+-_ ._    _ ._   (__  _.|_ | _ ._ ._ *
> > > > \/\/ [  | |  |(/,[ )  (_)[ )  .__)(_.[ )|(/,[_)[_)|
> > > >                                            |  |
> > > > _, _, ,  _,    _, _,    _, _,   , ._,  _, _,  _, _,
> > > > '_)|.|/| |.|___|.|'_)___'_)|.|  /| |_ *'_)'_)*'_)'_)
> > > > /_.|_|.|.|_|   |_|._)   ._)|_|  .|.._)*/_./_.*/_./_.
> > > >
> > > >
> > > >
> > > > ------------------------------------------------------------------------
> > > > Securing Apache Web Server with thawte Digital Certificate
> > > > In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> > > > how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> > > > purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> > > > set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> > > > certificates.
> > > >
> > > > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> > > > ------------------------------------------------------------------------
> > >
> > > ------------------------------------------------------------------------
> > > Securing Apache Web Server with thawte Digital Certificate
> > > In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> > > how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> > > purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> > > set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> > > certificates.
> > >
> > > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> > > ------------------------------------------------------------------------
>
>
> -- 
>
>           ,  ,                 __.   .  .          
> .    ,._.*-+--+-_ ._    _ ._   (__  _.|_ | _ ._ ._ *
> \/\/ [  | |  |(/,[ )  (_)[ )  .__)(_.[ )|(/,[_)[_)|
>                                             |  |   
> _, _, ,  _,    _, _,    _, ,    ,  ,  ._, _, . ,__, 
> '_)|.|/| |.|___|.|'_)___'_)/|   /| /| *|_ '_)*|_| /  
> /_.|_|.|.|_|   |_|._)   ._).|.  .|..|.*._)._)*  |/   
>
>
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------

Attachment: smime.p7s
Description: