Ask Slashdot: Dealing With an Advanced Wi-Fi Leech?
An anonymous reader writes "Recently, I had found out (through my log files) that my wireless router was subject to a Wi-Fi Protected Setup (WPS) brute force PIN attack. After looking on the Internet and discovering that there are indeed many vulnerabilities to WPS, I disabled it. After a few days, I noticed that I kept intermittently getting disconnected at around the same time every day (indicative of a WPA deauthentication handshake capture attempt). I also noticed that an evil twin has been set up in an effort to get me to connect to it. Through Wi-Fi monitoring software, I have noticed that certain MAC addresses are connected to multiple WEP and WPA2 access points in my neighborhood. I believe that I (and my neighbors) may be dealing with an advanced Wi-Fi leech. What can I do in this situation? Should I bother purchasing a directional antenna, figuring out exactly where the clients are situated, and knocking on their door? Is this something the local police can help me with?"
And punch him in the nose.
Use a VPN, and firewall off all access except the VPN connection.
WPS works by giving out your WPA keys, so if they've gotten in once through WPS, they will continue to have access.
You can try turning that on with Radius authentication or any authentication. That can keep the leech from your network. An evil twin setup could be a dangerous thing. Instead of buying a directional antenna yourself, you can call authorities and let them use one of their own!
UTP
Yes, I'm left. You have a problem with that?
Setup squid and redirect all web traffic through it. Replace all images on machines that are not yours with goatse.
You can give them satellite images of the house of the person that stole your identity, and they won't drive over for that.
So for something involving log files and such? Not a chance.
You should redirect all network traffic to goatse for a week, and just use a 3G hotspot while your normal one kills the thief's eyes.
My mom says I'm cool.
Why even do that? Simply set up a list of accepted MAC addresses and give them assigned IPs. Don't provide any service to a MAC address not matching known. Unfortunately, that only stops your router/AP from handing out IPs. They can still eavesdrop and work on listening in on traffic.
...I think that means he's consenting to letting you administrate his system. I suggest you do so.
Log in to the Evil Twin network. Start a bunch of illegal torrents and "accidentally" alert the appropriate parties by IP address. Some appropriate in-theater movies and the MPAA would be a good start.
//TODO: Think of witty sig statement
So then he sets his MAC address to one on the allowed list. Not exactly a tough thing to do.
Get your neighbors together, form a lynch mob.
You can download utilities to show the strength of signals on your laptop or other portable device. Simply walking around the neighborhood with the laptop will give you a darn good idea where it originates. A box of matches is the only other tool you will need.
The first thing would obviously be MAC whitelisting on the router, though if he is smart enough, he would just spoof his MAC to one of the ones on your network, so it's unlikely it would stop him. Depending on where you need your wireless router, have you considered turning down the radio strength and putting the router in an area where it covers where you want to use it without the WiFi signal going too far outside the bounds of your house?
Doubt that would work. The leecher has already demonstrated a knowledge of layer-2 attacks against 802.11, I doubt limiting your DHCP scope is going to stop them. They'll just null handshake one of your devices off the WLAN.
Let's hope this article is just a marketing scheme. Anyway, in case it is genuine: Somebody has been freeloading, so what? You have got two options: 1) Upgrade your security. Double up encryption with MAC authorization. Hide your SSID. Maybe even going to digital certificates. Use only encrypted communications protocols. Many other options. Much time invested. 2) Setup a honeypot. Something open or better yet with poor security. Let him break, monitor the activity, eventually you will get his personal data. Then decide on the course of action. Cheers
-Reduce transmit power
-Move or buy a directional antenna
Have time on your hands?
http://www.ex-parrot.com/~pete/upside-down-ternet.html
So a fix that does not work is what you are suggesting?
You do know that changing your MAC address is not hard, right?
If they're going to go through the trouble of setting up a honeypot, you might as well give up and just shut the radio off and run 100% wired.
Or, go rogue yourself and capture all his traffic. Bonus points if you rate-limit the wireless to effectively have no bandwidth.
The local cops? If your local police department is anything like mine, they don't even send out officers to investigate real property crimes like theft anymore. They'll just laugh at your little WiFi problem.
At least it slows him down. He has to find and grab an accepted MAC, and you'll know he's trying to connect as soon as you have a collision on the DHCP.
You could try leaving the access point open and partitioning it with an ipsec segment. Deny any other connection attempts to the interface. Otherwise just hardwire it and be done with it. Wireless will never be secure. You'll just end up fighting a war of attrition, and that 16yo hax0r has much more free time than you do.
can't remember off the top of my head, but i've seen some devices act very flaky or not work with the MAC filtering enabled. and then i have it set up where my inlaws and I have the same SSID and password so that visiting each other's networks is very easy
You're giving him cancer, he's using some of your wifi. Just segregate your personal network from the wifi network and see if you have QoS options to limit how much you share. Can't we all just get along? ;)
Doubt it would even slow him down. Some of the semi-automated leecher tools do this automatically already.
On my Android phone, it will detect the closest Wifi signals and you may be able to pinpoint where exactly this evil twin is. A directional antenna may help, but without knowing exactly where to direct it to, you may be aiding the leech. You can try disabling SSID broadcast and reducing transmit power.
No one will trouble themselves this much just to avoid paying a monthly fee and just by the fact they're knowledgeable in these means they've spent a lot of time online already. My guess is that this individual is conducting illegal activities through yours and your neighbor's connections, so you or your neighbors may get a visit from law enforcement pretty soon.
If computers were people, I'd be a misanthrope.
...but only if it comes with a cool pings-like-the-motion-detectors-in-Aliens handset, as where's the fun in not having that?
I wish I had a kryptonite cross, because then you could keep Dracula and Superman away.
get a yagi antenna - it's a good excuse to get one ;)
if i have a device not work for some reason and i see an IP conflict then i'll know right away
my wife is always on her iphone on the wifi. the kids are always streaming something
Do i really have to say it? WPA2, 63 characters pwd.
Wouldn't a leech just look for an open access point? One with a fast connection would be a bonus.
Your interloper would seem to be doing something more nefarious. Why does a simple leech need an evil twin?
Is your local constabulary at all competent in this sort of matters, or are they the kind that go around wardriving for open access points? Because it's gonna suck to try to explain the problem if they don't have a clue, but something's up, and to me it sounds like something leaning toward the criminal.
I think I'd get the directional antenna. Maybe you're dealing with the neighbor's 12 year old, so just alerting the parents could do the trick. If it's your local psycho, that's another story.
I am not a crackpot.
To FBI surveillance van.
I would lock everything down, starting with WPA2 with a really long random string. I would even change the wireless network SSID to a random string.
(part of the crypto uses the SSID in the hash)
I would add, mac address auth, change all my DHCP settings. and even hide my network.
just to start, off the top of my head....
-Nex6
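The point in the post above about the SSID entering the key derivation, as an added example that is not part of the original thread: WPA/WPA2-Personal derives its 256-bit master key with PBKDF2-HMAC-SHA1 using the SSID as the salt, so the same passphrase under a different SSID yields an unrelated key. The alphabet, helper names and sample values are assumptions made for illustration.

```python
import hashlib
import math
import secrets
import string

# 94 printable ASCII symbols (no space); an assumed alphabet for generated keys.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-Personal pairwise master key.

    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    """
    pw = passphrase.encode("ascii")      # passphrases are 8..63 ASCII characters
    salt = ssid.encode("utf-8")          # SSIDs are 1..32 bytes
    if not 8 <= len(pw) <= 63:
        raise ValueError("passphrase must be 8..63 ASCII characters")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", pw, salt, 4096, 32)


def random_passphrase(length: int = 63, alphabet: str = ALPHABET) -> str:
    """Generate a passphrase from the OS CSPRNG, not from a human."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_ssid(nbytes: int = 8) -> str:
    """Random SSID, so the salt is not a common default network name."""
    return "net-" + secrets.token_hex(nbytes)   # 4 + 16 chars, within 32 bytes


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    same_pw = "correct horse battery staple"
    for ssid in ("linksys", "net-3f9c1a7be2d04c55"):
        print(f"{ssid:24s} {wpa2_pmk(same_pw, ssid).hex()}")

    pw, ssid = random_passphrase(), random_ssid()
    print("generated SSID      :", ssid)
    print("generated passphrase:", pw)
    print("passphrase entropy  : %.0f bits" % entropy_bits(len(pw), len(ALPHABET)))
    print("8 lowercase letters : %.0f bits" % entropy_bits(8, 26))
```

The salt only prevents reuse of work computed for another network name; the strength against guessing still comes from the passphrase entropy printed at the end.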
If any attacker goes through the effort to crack wpa1/ TKIP, a MAC filter will certainly be an effective deterrent - or not
If you find him, give him props and buy him a beer and ask him to share how he's doing what he's doing with you. Sounds like some pretty cool shit.
-1 Uncomfortable Truth
start knocking on doors and asking your neighbors if they would mind terribly if you spoke with their 15 year old son for a few minutes, because you've determined he's been hacking your wifi. Eventually, you'll hit the right house. For the wrong houses, act confused and say you must have miscalculated by a house or two, and that you're sorry. Bring cookies to show you're not an ass, though.
Lock incoming connections down by MAC address and disable your SSID. This will probably make them go away. Also, run WPA2+AES and pick a longish WIFI key.
If you have an ASUS Dark Knight router you can setup multiple SSIDs (guest networks) that disconnect every 60 seconds and name them "StopStealingMyWifi". This way your real SSID is hidden and your multiple guest networks are visible, but are unusable. You can also set hours of operations for your radios on the ASUS and turn off your radios at night and when you are not home. Lastly, if you are running dual band, turn off the 2.4 Ghz and run on the 5Ghz band. The 5Ghz signal travels poorly outside your home. WIFI is tough to secure with all of the WIFI hacking tools, but get a good router and rotate shield frequencies and should go away.
Lastly, here is an article on the subject.... this article disagrees with me on disabling your SSID and I am sure others will have an opinion....
http://www.wikihow.com/Secure-Your-Wireless-Home-Network
MAC spoofing is very trivial. It would not stop someone doing these types of attacks on wireless networks.
If someone had an extension cord plugged into my outside outlet and it ran to their house to steal power, I would walk over, knock on the door, and ask them to stop it. And yes, I would also unplug it.
If you have the means to determine where they are it's worth asking them to stop. That alone might change their attitude toward poking at networks.
I noticed that I kept intermittently getting disconnected at around the same time every day (indicative of a WPA deauthentication handshake capture attempt).
No, that is only indicative of perfectly normal behaviour in most of the world, since your connection is reset (and your IP changed) every 24 hours.
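One way to check the two explanations in this exchange against a router log, as an added example that is not part of the original posts: it finds Wi-Fi disconnects that recur in the same time-of-day window on several days and reports whether each coincides with a WAN reconnect. The log format, field names and sample lines are constructed for illustration and do not match any particular router.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<date> <time> <interface> <event> [key=value ...]"
SAMPLE_LOG = """\
2024-01-01 04:00:03 wan reconnect
2024-01-01 04:00:05 wlan disconnect mac=02:00:00:00:00:01
2024-01-01 21:14:40 wlan disconnect mac=02:00:00:00:00:01
2024-01-02 04:00:01 wan reconnect
2024-01-02 04:00:04 wlan disconnect mac=02:00:00:00:00:01
2024-01-02 21:15:02 wlan disconnect mac=02:00:00:00:00:01
2024-01-03 04:00:02 wan reconnect
2024-01-03 04:00:06 wlan disconnect mac=02:00:00:00:00:01
2024-01-03 13:37:10 wlan disconnect mac=02:00:00:00:00:01
2024-01-03 21:14:55 wlan disconnect mac=02:00:00:00:00:01
2024-01-04 04:00:04 wan reconnect
2024-01-04 04:00:07 wlan disconnect mac=02:00:00:00:00:01
2024-01-04 21:16:20 wlan disconnect mac=02:00:00:00:00:01
"""


def parse_events(log: str):
    """Return (timestamp, interface, event) tuples; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        events.append((ts, parts[2], parts[3]))
    return events


def recurring_drops(events, bin_minutes=10, min_days=3,
                    wan_window=timedelta(seconds=60)):
    """Report time-of-day windows with Wi-Fi drops on at least min_days days.

    A day is "explained" only if every drop in that window falls within
    wan_window of a WAN reconnect. Fixed bins are used, so drops straddling
    a bin edge are counted separately; widen bin_minutes if that matters.
    """
    wan = [ts for ts, iface, ev in events if iface == "wan" and ev == "reconnect"]
    bins = defaultdict(dict)                     # bin index -> {date: explained?}
    for ts, iface, ev in events:
        if iface != "wlan" or ev != "disconnect":
            continue
        idx = (ts.hour * 60 + ts.minute) // bin_minutes
        explained = any(abs(ts - w) <= wan_window for w in wan)
        bins[idx][ts.date()] = bins[idx].get(ts.date(), True) and explained

    report = []
    for idx, days in sorted(bins.items()):
        if len(days) < min_days:
            continue                             # one-off drop, not a pattern
        start = idx * bin_minutes
        report.append({
            "window": f"{start // 60:02d}:{start % 60:02d}",
            "days": len(days),
            "unexplained_days": sum(1 for ok in days.values() if not ok),
        })
    return report


if __name__ == "__main__":
    for row in recurring_drops(parse_events(SAMPLE_LOG)):
        print(row)
```

In the constructed data the 04:00 drops line up with WAN reconnects, while the 21:10 window recurs on four days with no WAN event nearby and is the one worth capturing and investigating further.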
you can defeat almost every trick like mac filtering or limiting dhcp scope
your best bet is to go back to wired and not send your data over radio waves
1) Drop the power on the AP so the signal can't reach the neighbor. 2) Turn off wifi security, route all traffic to a vpn server, require all connections to route through a vpn server. 3) Use ethernet.
Transparently redirect everything to goatse.
* Use enterprise auth to a RADIUS server with an LDAP backend?
* Lower the transmit power to something that just works within your place?
* Use just A or just B or just N? Maybe they're on older tech?
* Configure your router not to well, route. Use it as just an AP and you have to manually set the IP info on your machines, and the router is not *.*.*.1 on the network.
* Do the above, but use an external VPN for all of your traffic. A static route in the router gets you onto the VPN.
* Change your SSID to something threatening to indicate that you're onto them and that you asked Slashdot how to make them stop?
Colin Dean Go a year without DRM
Yeah, sure is a pain when you add new device, especially since it's completely ineffective at keeping anybody out.
Change your SSID to "Do_not_steal_my_WiFi". It's the enlightened approach -- the same approach that the "Gun Free Zone" and "Drug Free Zone" people use. Only backward, ignorant people would disagree.
Rename your SSID to "if you don't stop trying to hack in, I will call the police" (or whatever will fit). That should be enough of a hint.
It's obvious that the local police would be useless, but what about the FCC or the FBI if this character's actions are so extensive?
if i have a device not work for some reason and i see an IP conflict then i'll know right away
Unless you're setting your subnet mask to only be 10 or so addresses, I'd just pick an address outside of your DHCP scope and I'd never conflict. You're treating DHCP as a security measure when it's a convenience measure.
captcha: gateway. How fitting.
Why even do that? Simply set up a list of accepted MAC addresses and give them assigned IPs. Don't provide any service to a MAC address not matching known. Unfortunately, that only stops your router/AP from handing out IPs. They can still eavesdrop and work on listening in on traffic.
I use reserved MAC addresses and a non-trivial WPA2 password. The router won't connect any unknown MAC addresses.
That seems to work for me.
If they crack that, they aren't leeches. They are crooks. Call the FBI.
"For every complex problem there is an answer that is clear, simple, and wrong."
-H. L. Mencken
Brute force attacks take time, lots of time. Just start changing your key every week and he will probably go away. Having your computer run 96 hours to get a password that then changes 72 hours later just isn't worth it, even for a criminal. If he keeps at it then someone just enjoys the challenge, and you should hunt them down just for the mystery.
Why ask us this? Why not ask them?
Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
well depending on the level of control you have, I'd grant them access and then just blackhole the traffic. The leecher will eventually self discriminate.
Good leaders run toward problems, bad leaders hide from them.
Not the answer you want but I'd ditch the wireless thing altogether.
You got savvy hostiles. Is it really worth the fight and uncertainty?
why? Just pick a unused static ip from (or even not from) the dhcp-range.
Some neighbor comes in good faith and opens his digital life to you, so you can MITM him and this is how you react? That is rude man. I think that guy deserves an apology sent from one of his social networks accounts.
Put the leech on the Upside-Down-Ternet.
This. And then change the SSID to a long random string.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
They probably are the FBI...
NO NO NO
Create a GUI in Visual Basic and track his IP.
What is wrong with WPA2 with long passphrase?
XML is like violence. If it doesn't solve the problem, use more.
Place $10,000 in a cedar box with an Eisenhower Silver dollar. Include a photo of the person in question. Mail to General Delivery Attention: Teddy New York, NY 10001 No bodies, no witnesses, no questions. We're offering 2 for 1 on contract this week, just include an additional photo.
Don't do anything which might give this guy a case to counter your actions. Set up a new WiFi router and move your equipment to this new system. Use a super long key. Something that will take him a long time to crack. See what's happening on the 5Ghz side of things, and maybe move operations there.
Then set up a little monitoring software and see what you can find out. Maybe you can discover who this person is, and send him a cease and desist letter. It's shocking and unexpected. Log everything with date/time stamps in case the leech attempts a confrontation, but that's unlikely to happen.
Only the dead have seen the end of War. - Plato
First and foremost, I should point out that additional security is unrelated to the issue at hand: the poster seems to have the attacker locked out since disabling WPS. This is about what to do to disable the annoyance of the various attacks still being performed. Security doesn't seem to be significantly at risk.
That aside, what do you expect limiting DHCP will do? Especially coupled with leaving a few addresses available? An attacker would just log on to your network as soon as the authentication was compromised and get assigned one of your extra IPs. Even if you didn't have extra IPs, the attacker could just adopt a static IP address within your subnet (trivial) and be on their merry way. MAC address filtering isn't terribly high security, but at least requires more work to get around than hoping that they don't get assigned one of your extra DHCP addresses for no good reason.
Yeah, call the FBI. That will work. Chuckle.
As soon as these guys clone your mac address (which they can get easily with airsnort) then the only thing stopping them is WPA2.
And if you have a lot of machines connected, they will be able to sniff enough traffic to get your WPA2 password fairly quickly.
Sig Battery depleted. Reverting to safe mode.
I have an IPCop server and the blue interface is connected to my wi-fi router. left the router with WAP and IPCop manage the mac address list.
So yes, I've dealt with it. The easy solution is go wired for a while, setup a honeypot and track them down. Once you know where they are let them know you are less than pleased and if they don't stop there will be a call to the FCC and local authorities as well as a civil suit for harassment. If you can't go wired, lower your ACK timing and transmit power so they can't get a good signal without standing on your doorstep. Switch to a certificate based system instead of a password based system with a new ssid. On the new system setup a proxy that requires additional authentication to reach the internet. Assign static macs to your own devices and block all other local IPs via iptables to prevent them from self-assigning one. As for deauthentication attacks, the best bet is to find them and send over a nastygram.
Get a web developer
He found me.
Basically, there's nothing you can do if you keep using WPA.
One option is to lower your wi-fi antenna power to exclude the area where the attacks are coming from. This can be hard to do if you need good coverage for a whole house or some such.
Your best bet would be to use either 802.1x or EAP-PEAP. That's highly dependent on what router you're using, usually only high-end routers support these options, although some home routers certainly do (I remember the good old WAP54G supporting it). If you're going 802.1x, just setup a radius server, configure your devices and you're pretty much set. If you go the PEAP route, you'll need some certificates, and possibly a radius server unless you use client certificates for authentication.
Both options will foil your wannabe hacker. Plus, you'll likely have the only advanced Wi-Fi setup around, gaining you geek creds ;)
Religion is the best example of mass psychosis
Nerd card status: Revoked.
Let's see...
As per OP set up MAC address filtering, if this guy is trying to set up evil twins & trying to do handshake captures on your network, MAC addresses are spoofable.
I also like to hide the SSID just to make things harder, but if he's passive listening, that may not help either... though at this point, a hidden SSID with WPA2 encryption does not make for an attractive target, esp. when the MAC needs to be spoofed (I wouldn't know this till i broke through the 1st 2).
However, the single most effective thing you can do is limit your antenna's radius... if your router's stock firmware can't do it, dd-wrt and friends can. Stand outside your house till you can't connect to your wifi at your fence anymore, adjusting the radius in increments.
Last, but not least, go buy a steel fish line and drywall saw at home depot and wire up your house w ethernet ports and disable your wifi. Tough luck on the phones though, unless you can find an adapter for them.
consequences will never be the same.
Isn't there FreeBSD or Linux disk image that'll solve this?
<WIFI> <=> [Router] < routes only to > [IP address of solution]
Where the solution does something like the standard coffeeshop login +
* Special account gets unlimited time & bandwidth
* Non-special account needs to sign up every hour & gets diminishing bandwidth (if you want to allow visitors)
Something like http://dev.wifidog.org/, but under active development?
There are two ways of dealing with this: getting this person off your network, and getting this person off everyone's network.
Personally, I think if you can get everyone to squeeze him off their networks then that will probably be the nicest kind of vengeance.
Consider writing up a simple letter (starting with: Just a note from a neighbor), detail that someone in the area has been breaking into wireless networks and may be pirating stuff/doing illegal things which could lead to difficulties for the actual owner of the OP. Then, provide a basic summary of what to do to avoid it (e.g. disable WPS, etc etc) and maybe even provide URLs for the major router manufacturers.
With some luck, some people will pay attention and lock down their network.
If you know who it is doing it (using handy phone apps to detect signal strength, or a directional antenna) then you could do a 'special' letterbox drop for that one person with a 'how to buy an internet connection'.
Mind you, if this person is using an 'evil twin' they may be doing more than just stealing Wifi. If their MAC address is stable (i.e. they are not modifying it) you may want to capture some sample traffic with that included. If things do go awry you can use that to provide evidence it was that person's computer, possibly.
Information wants to be free! Uh, where do you live?
rewriting history since 2109
Change your wireless router not to broadcast SSID, change the SSID to something completely random, lock down DHCP to some odd subnet, only route the addresses handed out by DHCP, MAC filtering, set the SSID password to a long string, done. Only so much you can do. You can buy the best steel reinforced door to protect your house, but a rock through the window pretty well bypasses that.
There is an app for that.
Sig Battery depleted. Reverting to safe mode.
Make a little shield with a bit of foil and a coathanger. While tracking the incoming attempts, shield your WAP from various directions until it stops. Gives you a direction, and you can bend the coathanger into a little stand to hold the shield in place next to your WAP. It's likely to be in the direction of a near wall, isn't it?
Amazing stuff, tinfoil.
Do not mock my vision of impractical footwear
I had this problem, moved wifi router to the basement near the floor limiting the radius the wifi will travel around my house. I tested to see how far it worked prior to doing this then tested afterwards. I can barely get wifi in my garage now but works fine inside.
The Amish, on the other hand, don't seem to notice my connection.
Anyway, I agree - this is the only way to safely use wireless. Live where no one else does.
Too bad the internet blows out here.
if i have a device not work for some reason and i see an IP conflict then i'll know right away
Unless you're setting your subnet mask to only be 10 or so addresses, I'd just pick an address outside of your DHCP scope and I'd never conflict. You're treating DHCP as a security measure when it's a convenience measure.
captcha: gateway. How fitting.
I think that's the point; I set my subnet mask to /30 and assign a MAC to each IP. That way, any attackers have to sniff the MAC of an active connection and kick that connection in order to connect. This is very noticeable, and any leecher's going to have a really bad connection (as when my device gets kicked, it's going to attempt to reestablish, kicking them off). Doesn't stop passive surveillance, but it'll stop the leechers.
to "Police_Have_Been_Contacted" or something like that, and see if it stops.
You can build a wok-tenna, but I just use one of those little steel TV dishes. There's one in the Cherry Island recycling bin right now, they're easy to find in trash bins. I have two in my shed; you just replace the original transceiver with a cheap USB wifi stick connected by cable to a laptop or PC running kismet or whatever and voila! you've got a directional antenna.
Find his point source, and as long as it's not incredibly close to your house you can just shield your AP with a cookie sheet or something. If he's coming in from multiple directions, though, you might consider calling los federales.
Change your SSID to something like FBI Surveillance RTR or YouAreBeingLogged--you get the idea. Along the lines of the "WeCanHearYouHavingSex" SSID. Let him know you are on to him and the wise hacker will find a new mark.
Subnet Mask != DHCP Scope
Most of the wifi security standards suck. So don't use them. Leave the wifi layer as is, let the guy connect to it, but only use it as a transport layer for a vpn connection and firewall everything else.
Too much hassle? Run cables everywhere instead.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
This is why I am flabbergasted that with all the problems people have with security with WEP and WPA that it never occurred to anyone to do a DHE key exchange before swapping anything that requires the preshared key and adding an artificial minimum to the time between authentication attempts of any kind, such as 15 seconds. That would instantly fix the current weakness with WPA2 and slow down all unknown attacks in the future.
Why even do that? Simply set up a list of accepted MAC addresses and give them assigned IPs. Don't provide any service to a MAC address not matching known. Unfortunately, that only stops your router/AP from handing out IPs. They can still eavesdrop and work on listening in on traffic.
It is also trivial to simply clone one of the valid MAC addresses garnered from the eavesdropping.
What does that have to do with MAC address filtering that GP was supporting?
If our helpdesk guys said such a thing they would be educated on why it was wrong and maybe even on finding a new job.
Demand more of your IT.
I don't know about the hiding portion - any hacker with any skills at all is going to find them. I for one would be far more interested in someone who hides their SSID than someone in a faceless mass of wifis. Makes me think that they are relying on being hidden, and thus have fewer layers of defense.
"As the intrepid kobold companion continues his journey, he begins to wonder... if priests raises dead, why anybody die?
Because it's not like the MAC addresses that are allowed get broadcast over the air when they are in use or anything.
I had a problem like this once. ;) and sending a nicely worded letter to his home address.
To solve it I setup a second access point with throttled bandwidth then captured all of its data, not only was I able to capture his logins/passwords but was able to identify him and his address. Then it was a matter of using firesheep to take control of his Facebook page
First use signal strength to identify which house it is... Then rent a black van, and park it in that area for a few days. I bet it stops. If not, start noting all the activity and logging it, and submit it to the ic3. That's about the only people I can think of that would even have the expertise to know what they are looking at. Then they would surely have to come investigate it themselves... but I'd also pretty much HAND them the case by videoing the pieces and doing the explanations... it's a pretty weak possibility, but if they hand that off to local law enforcement, they can't ignore it.
The problem is consumer electronics are frankly half assed and flaky so you are more likely to run into problems if you are hooking anything but PCs to the router. this is the same reason why we have to have UPNP, because many home devices simply won't run without them on and I've found with MAC filtering enabled some smartphones and tablets simply refuse to connect without going through an act of congress.
Frankly we need to throw the whole damned thing out and start over, design something that low power devices like smartphones and tablets can use easily while at the same time having very tough to crack security. maybe placing a hardware crypto chip on the device?
all I know is, primarily dealing with home users, you'd be amazed at how much consumer devices start getting flaky the more you ramp up the security, it's like the manufacturers just expected everybody to run with least security possible and that is all they tested for.
ACs don't waste your time replying, your posts are never seen by me.
I wonder if the sentiment would be the same if someone was hacking your wife. I mean, why get married just to hope she won't cheat on you. Maybe the neighborhood should all just enjoy your wife as well. It's just a trite moral rule that married people shouldn't cheat on each other, you have nothing to lose.
I haven't thought of anything clever to put here, but then again most of you haven't either.
Once you break the key, you see all traffic, including the mac addresses of known devices. At least it was that way with earlier encryption schemes, maybe they worked around that now, I haven't kept up to date.
Mind the frickin' laser...
Disable WPS or if your router doesn't allow you to do that, buy one that does.
Change to WPA2 and use a long, random key (a non-sense sentence will work too). Yes, it's a pain to have to set your devices up again, but it's the only way to take away their access.
Hiding your SSID, MAC filtering, etc. will do nothing if the script they are using is somewhat intelligent or if they have more than a passing knowledge of what they are doing.
And if you don't want to just foist this issue off on someone else, help your neighbors to do the same.
Post anonymously - For when your opinion embarrasses even you!
The evil twin makes finding the culprit a cakewalk. Download inSSIDer and walk around. When the evil twin's signal is strongest, you're outside his door.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
It's rare on home devices, but if it's an option it could slow him down more.
I am not aware of what attacks are out there for it though, I may have to look into that later.
So you think brute forcing a 63 character password would be effective?
Only the State obtains its revenue by coercion. - Murray Rothbard
So next you get a letter from the RIAA ask you to pay $300,000 for distribution of copyrighted files.
Or the FBI comes SWAT team wanting to know about that kiddie porn....
If this person is in it for the game, putting up technical barriers is just going to encourage them. You want them to decide to leech off someone else.
Make a corner reflector using aluminum foil and cardboard -- figure out where in general the leech is, and keep the signal away from them.
If you have a spare box, don't do the Upside-Down-Ternet, let them connect and throttle the *&!# out of their connection -- encourage them to go away.
And yeah, going to PSK-2 with long keys changed every few days will be a pain to you, but more of a pain to someone else.
Parable #1: Never wrestle with a pig. You'll get dirty, and the pig will love it.
Parable #2: Two guys out camping. One asks the other, "What would you do if a bear came into the camp?" "Run like hell!" "But you can't outrun a bear!" "I don't have to outrun the bear..."
1.) set up a script to screen capture every page they retrieve
2.) redirect output to a printer
3.) hang them up randomly on poles throughout your area
Why would he even send a DHCP request?
(Several posts here are talking as if DHCP is a vital stage in setting up a network connection.)
# cat
Damn, my RAM is full of llamas.
very simple but i think it works.
Um, no.
He can set his own IP address manually.
No sig today...
WPS on the routers I've seen requires pushing a button on the router, then connecting and entering the PIN within ~2-3 mins. So, attempting to brute-force WPS will get you nowhere on the routers I've used, except during the extremely rare instances when I'm using WPS to connect a new device.
And, if it is a neighbor trying to get free access, you could set up a guest network (either using your router if it supports a guest network, or have him/her provide a router that you connect to your network), if you're willing to share your bandwidth.
make imaginary.friends COUNT=100 VISIBLE=false
And somebody like me would completely own you for it:
1. I have the technical know how to set my SSID to hidden: red flag #1
2. What else do I have running if my SSID is hidden?
In my case, I log all my traffic, and honestly it might take me a second to notice, all it would take is a few hiccups of my bandwidth for me to take a quick look at the settings and at that point, I'd log your traffic for a while, see what I can gather, and go find a zero-day, break through, escalate privilege, send your pr0n to your mom via the facebook login I logged, and delete your registry before I'm done.
So in short, you never quite know what you're logging into when you go rogue on wifi :)
At least it slows him down. He has to find and grab an accepted MAC, and you'll know he's trying to connect as soon as you have a collision on the DHCP.
Yea, it'll take him another 30 seconds to spoof his MAC address. That will really slow him down. *nod*
Why do you try so hard to keep "your" net just for you? It's not like you are going to "run out" of it. I mean, if it's really a big dent in your monthly budget, just go to the guy and suggest sharing its cost; if it's not, then just let him leech it. What's the big problem with it?
From the original question, it sounds like the perpetrator is up to more than just wifi leeching. There are less secure wifi setups in the neighborhood, why keep cracking the tough nut? And the evil twin? Just to get a wifi key? Something worse than bandwidth sharing is happening here.
I am not a crackpot.
Set up a RADIUS server and use that for authentication.
I know a lot of the 3rd party firmware supports the setup (dd-wrt, openwrt, etc.) if that's an option. This way, sure, they can still connect, but they won't be going anywhere without the correct authentication, so using your wifi would be pointless.
The other option, on top of what people mentioned above (MAC filtering etc.), is to change your SSID and not broadcast it. While this is like MAC filtering, as in it's not going to stop a determined person, it may, when combined with MAC filtering and whatnot, be enough to make it not worth the hassle.
b) When you figure it out, put some tinfoil between him and your antenna.
No sig today...
Don't you have to crack the WPA2 before you can find one of the valid mac addresses?
sig: sauer
turn your router off, reconfigure it or replace it, go into paranoid mode, if the router does port forwarding take all port 80 and 443 attempts and direct them to your proxies:
http://tips.fbi.gov/
and
https://tips.fbi.gov/
set up a linux host, plugged in wired and an exception for the above rule, set up authenticated squid...
or just turn your router off for a while and go wired....
Unix, an obscure operating system developed by bored researchers in an attempt to get a better game playing experience.
I believe in the scorched Earth policy:
Brick his doppelganger AP by doing a bad firmware update on it.
Go to dealextreme and buy a Wi-Fi jammer and use it whenever you're not home or asleep.
Change your AP's name to his address plus "..is a sex offender. Hide your kids"
Make sure you don't allow admin over wifi. Most routers have a setting so you can only administer it from a wired connection. This isn't an absolute or a fix for the base situation, it's just an extra hurdle for them if they get in and want to screw with you for fighting back.
Alternately, you could take a neighborhood watch approach. Distribute flyers indicating that someone in the neighborhood is borrowing wifi, and that you and your neighbors need to be vigilant. It may shame your borrower into cleaning up his act.
Bonus points if you put his picture, address, phone number and daily schedule on the flyers as well.
Failing that, any ham who enjoys RDF would be happy to help, provided they have gear that can listen in on that high of a frequency. Chances are the ones that can are the ones you want helping you anyway :)
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
If the wifi is open, they are inviting people to share.
This one is NOT open, so yeah, they are crackers, and that's illegal, but your local cops probably won't do anything if you call, but it's worth a shot.
Those of you recommending a long randomly generated WPA2 password need to RTFA. He has been hacked via the WPS vulnerability. Once you have obtained the WPS pin you have permanent access into that router and have the ability to retrieve the WPA2 password in plaintext every time that he changes it. The pin cannot be changed. Depending on the router you may or may not be able to disable WPS. Next time buy a router that has the option to disable WPS and TURN IT OFF. Over 12 million routers are now exploitable via this hack and have been for quite some time. The exparrot option or sniffing his traffic are the best options.
Set your SSID to "UnauthorizedTrafficRoutedThroughPolice"
and/or
Set up a server between your ISP and wireless access point with a VPN. If you get caught by his evil twin access point, you will know because your VPN connection will fail. Even if it doesn't fail at least your traffic should be secure.
or
Set your SSID to "ConnectingHereConstitutesConsentToEnterAndSearchYourHouse" Maybe the opportunity for an easy search would get the cops interested.
You should probably file a complaint with the police in case his illegal activity comes back to your IP address.
You may want to find out what kind of person you are dealing with before getting the police involved. Your strategy should probably be different if you are dealing with a local gang leader or homicide parolee rather than a high school nerd.
If the offender happens to be on probation it could give you extra leverage.
Keep in mind that if he lives next door he can listen in on your conversations with a sensitive directional microphone. He could also probably easily tap your phone, especially if it is cordless or cellular. So be careful about speaking your passwords or other sensitive information out loud. Mail theft, burglary, vandalism, and other nasty attacks could become an issue.
Here's a solution - organize a neighborhood open wireless mesh network co-op.
It would be much more satisfying to make stone soup, than reinforce a stone wall.
"Flyin' in just a sweet place,
Never been known to fail..."
It is widely known by security professionals that hiding your SSID actually decreases security. For starters, it is easy enough to sniff a SSID out of the air. What is more concerning is that wireless clients configured to connect to a hidden network will constantly try to connect to any wireless network, essentially asking "Are you my network?" A malicious access point could say, "Yup, sure am!" At that point your wireless client will be more than happy to divulge your preshared key. There are even affordable retail products that accomplish this out of the box. Check out the Wi-Fi Pineapple.
Slowing him down is a good idea. Traffic-shape any non-whitelist MAC to a frustratingly slow but still believable bandwidth. He might just think your connection sucks and move on, without suspecting you've throttled him. It can't be impossibly slow, just pretty slow, like 28.8kbps modem slow.
If anything it makes it worse - now you can't tell what traffic is yours and what is his.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Lots of problems, as others point out. Another solution: QoS. Do MAC filtering. Those in the trusted list get full speed. Those not get a much slower speed. Play with it a bit: you want it fast enough that the hacker thinks they own you and doesn't try to figure out your MAC address, but slow enough that you don't mind losing that much bandwidth and it is painful to the hacker, so they go on to other networks. Say 2Mbps with a 64kbps upload. Fast enough to be reasonable for a bottom-tier internet package, slow enough that no sane leech would choose you as the preferred target. Then enable logging, reduce signal strength, etc. other games.
Turn it on at the power button only when you need it. That will make a very poor quality connection for the attacker and they will move on, and it will also save you money on your electricity.
If you can't live without an always-on connection then you will have to get aggressive and really go after the attacker.
Actually you don't 'change' the MAC address, you merely mask it. The MAC is a hardwired chip on the network device. But I guess an idiot would try to change it.
Whenever a player quits EVE to go play WoW, the Average IQ of both games increase.
Of course, buying that product will probably get you a visit from the fcc.
Don't try to invent a solution when there are lots of good ones out there already.
:-P
First, if you really care about figuring out who the guy is, why not just set up another open AP and monitor the traffic going through it. Given enough traffic, you'll probably be able to deduce his identity because there are still a lot of web services out there that don't encrypt everything, and there are even a lot that don't encrypt anything (including logins).
Next, if security is what you're concerned about, don't bother with MAC filtering or DHCP tricks. Both are very easily circumvented. The MAC addresses of allowed clients are easily sniffable, so he can duplicate those easily. And once he cracks your WPA2 he can see the traffic on the WLAN so he'll be able to deduce the IP info and assign an address to himself.
If you want good security, set up WPA2 enterprise. All you need is a radius server. Many APs these days support it (even most recent consumer models seem to). You can run the radius server on a tiny VM or an old PC. Then just set your keys to rotate often enough that it becomes impractical for him to crack them before they're expired.
Of course, if you did that to someone like me, I'd be inspired to go spin up a massive GPU cluster compute instance in EC2 so I could crack the password faster.
If someone is leeching your wifi, look up how to middle man attack. Steal all his info. Find out who you are dealing with. Be nasty. Be a dick back.
Fight fire with fire.
You get the picture I am making here? You have someone that keeps breaking into your wifi, so set a fucking trap.
For the record, police are stupid as all fuck, and they won't do anything for you.
Be seeing you...
Don't you have to crack the WPA2 before you can find one of the valid mac addresses?
Don't think so.
Stations broadcast their MAC addresses to the access point in clear text.
http://www.maxi-pedia.com/how+to+break+MAC+filtering
The stations may also send beacons, depending on how they are configured.
http://www.wi-fiplanet.com/tutorials/article.php/1492071
Sig Battery depleted. Reverting to safe mode.
Don't you have to crack the WPA2 before you can find one of the valid mac addresses?
No.
Have a nice time.
loosing
Usually I have trouble pinpointing the exact moment where I stop taking someone seriously. Not this time.
And I can also spoof MAC addresses. MAC filtering is about 1/100th of a secure wireless network.
re: For example, I regularly walk 6 miles to a farmer's market and 6 miles back to save a couple of dollars on the price of vegetables. That's three hours of walking to save a minute or two's income.
.
Bonus for you is that you got three hours of aerobic cardiovascular workout time! You'll be healthier, and (two or so dollars) wealthier, and wise! The strange thing is that there are people who actually pay other people and companies money for the opportunity to exercise on a treadmill or a stationary bike. These people tend to gas up their SUV and drive the two miles over to their "gym" to do pretend walking and pay for that privilege. You, sir or madam, on the other hand have gamed the system and not fallen for the idiocracy. You get the benefits without the costs.
Also, you're not a leech, so you're also a good person. Plus you also eat vegetables: double-plus good person! (My mom has me convinced that stealing the carrot sticks from the fridge is bad, so I'm tempted more and do it more! It was just a year ago that I figured out that carrots were healthy! I've been conned into liking veggies!)
;>)
Bonus point of spelling pickiness: your response was to Re:I've used Wifi Analizer . Surely, the GP poster meant "Analyzer", unless the word "analizer" tells us more about the GP and his probings by alien species than we wanted to know....
On a modern network, it is.... at least at the consumer level where nobody knows how to configure a subnet manually, but if you're managing any kind of large scale network it becomes very difficult to work with static configurations on every workstation even when you know how.
That being said, for a small network you *could* simply assign a static configuration to everything and turn off DHCP. It wouldn't protect you because, as others have said, the MAC and IP address could be cloned anyway, but it would offer an added layer of annoyance for whoever's doing it, such that they'd probably go somewhere else.
The truth that nobody wants to really admit is that there's simply no way to keep a determined hacker out of a wireless network. It's, by its very nature, an open network. About the best you can do, short of going wired, is regularly rotate your wireless passwords (get a new one every day, for example), and also maybe set up a VPN on your local network, so that even if you're on the wifi you can't actually do anything with it without connecting to the VPN.
If they're wanting to connect and they're being extraordinarily sneaky and clever at it, it may be easier to simply let them connect but limit the damage. Set up whitelists for a select few domains/IPs once they're connected so as to limit any liability concerns (child porn, illegal music/movies, etc.) Also set up heavy throttling so they're getting throughput much less than an average dialup account would get. This assumes, of course, you've separated your access point from your actual router. Just hopping onto the WiFi signal will get them on your LAN (and you ARE separating the wireless traffic from your wired traffic, yes?) Then you can use your router to shape traffic to certain devices. Whitelist your own equipment. Throttle and filter the heck out of anything else that might connect.
Yes, it would also help to install directional antennas and keep the signal strength to a minimum outside of your immediate usage area(s). But they, too, can get a directional antenna and still latch on.
A more elaborate solution involves setting up a full-fledged authentication server and implementing 802.1x. Authorized devices get on the private LAN. Everything else gets dumped to a separate VLAN which may or may not have any other kind of network access (it's up to you). It's been quite a while since I played around with any of that and, quite frankly, is overkill for even mid-sized businesses much less a home network.
Either way, they'll eventually get the hint and give up for easier prey. They win the battle (the challenge of connecting to your wireless anytime they want) but you win the war (keeping them from affecting your network in any meaningful way).
My sources are unreliable, but their information is fascinating. -- Ashleigh Brilliant
Yup. I'd say it's either:
a) a hacker in the classic sense that is learning his craft by breaking into the local networks just for the practice and thrills.
b) something illegal. Identity theft, probing your network for something to steal, child porn consumption or distribution using your internet, etc.
Clearly you do not have someone trying to leech your network, or you are not able to detect such a user. MAC addresses are broadcast in the clear. This is because otherwise every device on the network would have to decrypt every single packet in order to determine whether or not the device is the intended recipient of the packet. All the attacker has to do is inspect a packet, find the MAC address, then spoof that MAC address.
WiFi Protected Setup (WPS) is broken, and on many routers it cannot be fixed without disabling WiFi completely. Even a 64-character, high entropy password on WPA2 AES will not work. This is the problem faced by the poster of the article.
In my mind, the best solution is high entropy, long password, WPA2-AES with a router that does not have WPS or is known to be able to safely disable WPS (such as latest versions of DD-WRT).
I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.
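The comments above about hidden SSIDs and about MAC addresses being sent in the clear both come down to the 802.11 frame layout: the MAC header and the SSID element of a probe request are never encrypted, whatever key protects the payload. The following Python parser is an added example, not code from the thread; the frames, MAC addresses and the SSID `HomeNet-Hidden` are constructed sample values.

```python
import struct

MGMT, DATA = 0, 2
MGMT_SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon"}
# Bytes of fixed fields that precede the tagged elements in each body.
MGMT_FIXED_LEN = {4: 0, 5: 12, 8: 12}
SSID_TAG = 0


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_elements(body: bytes) -> dict:
    """Walk tag/length/value elements; stop quietly at a truncated one."""
    elements, pos = {}, 0
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            break
        elements.setdefault(tag, value)
        pos += 2 + length
    return elements


def parse_frame(frame: bytes) -> dict:
    """Parse a management or data frame (no radiotap header, no FCS)."""
    if len(frame) < 24:
        raise ValueError("need the full 24-byte management/data MAC header")
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    addr1, addr2, addr3 = (fmt_mac(frame[o:o + 6]) for o in (4, 10, 16))
    # Which address field holds the BSSID depends on the ToDS/FromDS bits.
    if to_ds and from_ds:
        bssid = None            # four-address (WDS) frame, not handled here
    elif to_ds:
        bssid = addr1
    elif from_ds:
        bssid = addr2
    else:
        bssid = addr3
    if ftype == MGMT:
        kind = MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}")
    else:
        kind = "data" if ftype == DATA else "other"
    info = {"kind": kind, "receiver": addr1, "transmitter": addr2,
            "bssid": bssid, "protected": bool(fc & 0x4000), "ssid": None}
    if ftype == MGMT and subtype in MGMT_FIXED_LEN:
        elements = parse_elements(frame[24 + MGMT_FIXED_LEN[subtype]:])
        if SSID_TAG in elements:
            info["ssid"] = elements[SSID_TAG].decode("utf-8", "replace")
    return info


def cleartext_summary(frames):
    """What is readable from these frames without knowing any key."""
    clients_by_bssid, probed_ssids = {}, {}
    for raw in frames:
        f = parse_frame(raw)
        if f["kind"] == "probe-request" and f["ssid"]:
            probed_ssids.setdefault(f["transmitter"], set()).add(f["ssid"])
        elif f["kind"] == "data" and f["bssid"] and f["transmitter"] != f["bssid"]:
            clients_by_bssid.setdefault(f["bssid"], set()).add(f["transmitter"])
    return clients_by_bssid, probed_ssids


# --- constructed sample frames (locally administered MAC addresses) ---
CLIENT, AP, BCAST = "021122334455", "02aabbccdd01", "ffffffffffff"
SSID = b"HomeNet-Hidden"
# Directed probe request: a client looking for its hidden network by name.
PROBE_REQ = (bytes.fromhex("4000" + "0000" + BCAST + CLIENT + BCAST + "1000")
             + bytes([SSID_TAG, len(SSID)]) + SSID
             + bytes.fromhex("010482848b96"))
# Beacon of the "hidden" AP: the SSID element is present but empty.
BEACON_HIDDEN = (bytes.fromhex("8000" + "0000" + BCAST + AP + AP + "3000"
                               + "00" * 8 + "6400" + "1104")
                 + bytes([SSID_TAG, 0]))
# Protected data frame, client to AP: 8-byte CCMP header, then a stand-in
# for ciphertext. Only the header is inspected.
DATA_FRAME = (bytes.fromhex("0841" + "2c00" + AP + CLIENT + AP + "2000"
                            + "0100002000000000") + bytes(range(32)))

if __name__ == "__main__":
    for frame in (PROBE_REQ, BEACON_HIDDEN, DATA_FRAME):
        print(parse_frame(frame))
    print(cleartext_summary([PROBE_REQ, BEACON_HIDDEN, DATA_FRAME]))
```

The beacon hides the name, the client's own probe request supplies it, and the protected data frame still names both the client and the AP, which is why neither SSID hiding nor a MAC whitelist works as an access control.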
You clearly didn't bother to read the damn question. OP explicitly stated that he's dealing with someone who knows what they're doing. MAC filtering will slow this guy down for all of 5 seconds.
-1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
Under State law, I am required to stop the progress of a Felony by law, or be an accessory.
If I have a HCP, that means I'd be armed.
Castle doctrine does not protect criminals, by its definitions section, in FLA. Here the area extends to the property line at least, by case law.
Law is a great thing until you realize you're on the wrong side of the line, at the wrong moment in time. :)
Truth isn't Truth - Giuliani
If he's requesting DHCP, then set up DHCP to give one range and statically assign your stuff in a different range. Then traffic shape the DHCP range down to 300 baud. Fuck 'em.
Better yet, start live injecting Google Ads into his IP stream and collect revenues.
Learning HOW to think is more important than learning WHAT to think.
http://www.net-security.org/software.php?id=259
That would cost me a bomb being in England - cheaper to give my bandwidth away...
Change your WiFi password to "pennyalreadyeatsourfoodshecanpayforherownwifi"
Indeed. I don't like the idea of standing out in any fashion. In this case, hiding your SSID will attract more attention than not, IMO.
"As the intrepid kobold companion continues his journey, he begins to wonder... if priests raises dead, why anybody die?
Insert a Javascript zero day into his HTTP traffic and take care of his computer. He'll never know what took him out.
I am becoming gerund, destroyer of verbs.
Set up your own decoy and reel him in. It's not hard.
Organization? You must be joking..
If they spoof their MAC address to something on the white-list, would this really get them anywhere? If there are two devices using the same MAC address will either one get reliable service? If they are trying to be a nuisance then you're right, a MAC white-list won't help. If they are just trying to get free internet, then the poor service and warnings of conflicting MAC addresses will probably be enough to make the person move on.
My mistake, it's IP-address conflicts that give warnings, not MAC-address conflicts. However, the MAC address conflict would still result in unreliable service.
First of all, just to be clear: this isn't leeching, this is someone doing something nefarious. If they just wanted free bandwidth, they would never set up an evil twin network. Most of the replies on this thread are bad advice assuming it's a leech. The person responsible might be nearby, but probably not; if you track down the computer that's responsible, you're likely to find that its owner doesn't know what's going on and it's been taken over by an anonymous attacker over the Internet. Or you'll find a PwnPlug.
The first thing you need to do is notify the police that you're being targeted by hacking. This is important; if your computer/network is taken over and used for something illegal, which is likely to happen, this will protect you. Second: you need to notify your employer, as well as anyone whose confidential data you're in possession of. And third: you need to harden your computer security, and figure out why you might have been targeted.
The fundamental question here is really "do you want to stop him, or do you want revenge?". If you are satisfied with stopping him, seems there are plenty of simple things you can do. It's the revenge angle that's a lot more interesting, and may be your real motivation. I think all further comments should be directed at the revenge angle only.
On a modern network, it is.... at least at the consumer level where nobody knows how to configure a subnet manually, but if you're managing any kind of large scale network it becomes very difficult to work with static configurations on every workstation even when you know how.
My point is that it is *incredibly* trivial to connect to a wireless router that has DHCP enabled and just use an IP address of your choosing. It's a perfectly normal thing to do if you want to be able to predictably SSH a machine or something, and even MS Windows has a GUI way of doing it. Somebody who is sniffing network traffic and cracking encryption keys can easily determine which addresses are already in use, and in practice, if you take an address at the high end of the range (e.g. 192.168.1.250), you won't run in to any trouble with other clients.
# cat
Damn, my RAM is full of llamas.
Do a quick search online to get hold of some identity theft / credit card harvesting malware and modify it so it sends the capture to you.
Then, set up a transparent linux proxy server that replaces any executable file downloaded with your malware, and put it between your internet connection and an open wireless network.
Let the little turd use your free wifi internet to his heart's content, and wait for him to install the malware when he's trying to install something legitimate. Then, wait for your malware to send you the details of who he is, what his credit card numbers are etc.
Finally, go to the local coffee shop that gives out free wifi with every coffee purchased, and drop all those details you collected on pastebin.
Problem solved.
Easily accessible answer is WPA2 enterprise with a reasonable passphrase and be done with it.
Regarding involving LEA I'm sure they have better things to do than care about a "theft" of service which is entirely preventable with a few minutes of your time.
With regards to becoming go-go antenna inspector gadget I sincerely hope you have better things to do than to go looking for a fight.
Brass cloth wallpaper and window shades. Done.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Be very unreliable for them. Set up access limits and times. Many routers have a nanny mode to keep your kids off after they are supposed to be in bed.
My printers, etc are on the wired LAN, along with my VOIP adaptor. Set up the wireless to go down a few minutes into his hacking session everyday if he attacks at the same time everyday. Hard to hack dead air.
I set up the rule so wireless is blocked when I am in bed, or at work. Hackers may want a reliable connection. Don't provide one.
I have spare routers. Pick up a cheap one from Goodwill or other thrift store. Power it up not connected to anything. Let them connect to a no network network instead. Monitor the connections to it.
The truth shall set you free!
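Scheduling around an attack that "attacks at the same time everyday", as the comment above suggests, first needs evidence that the disconnects really recur on a daily schedule. The following Python sketch is an added example, not from the thread: it clusters deauthentication events into bursts and reports an access point whose bursts start at about the same time of day on several dates. The log line format, MAC addresses and dates are constructed; adapt the regular expression to whatever your monitoring tool writes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> DEAUTH bssid=.. dst=.. reason=N"
LINE = re.compile(
    r"^(?P<ts>\S+) DEAUTH bssid=(?P<bssid>[0-9a-f:]{17}) "
    r"dst=(?P<dst>[0-9a-f:]{17}) reason=(?P<reason>\d+)$"
)


def parse_events(lines):
    """Return sorted (timestamp, bssid) pairs; skip lines that do not match."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue
        events.append((ts, m["bssid"]))
    return sorted(events)


def find_bursts(events, min_frames=5, max_gap=timedelta(seconds=2)):
    """Group deauths for one BSSID that follow each other within max_gap.

    A lone deauth is normal (a client leaving); a tight run of them is not.
    Returns (bssid, burst_start, frame_count) tuples ordered by start time.
    """
    by_bssid = defaultdict(list)
    for ts, bssid in events:
        by_bssid[bssid].append(ts)
    bursts = []
    for bssid, times in by_bssid.items():
        start, prev, count = times[0], times[0], 1
        for ts in times[1:]:
            if ts - prev <= max_gap:
                count += 1
            else:
                if count >= min_frames:
                    bursts.append((bssid, start, count))
                start, count = ts, 1
            prev = ts
        if count >= min_frames:
            bursts.append((bssid, start, count))
    return sorted(bursts, key=lambda b: b[1])


def _minutes_apart(a: int, b: int) -> int:
    """Distance between two minute-of-day values, wrapping at midnight."""
    d = abs(a - b)
    return min(d, 1440 - d)


def recurring_daily(bursts, min_days=3, tolerance_min=15):
    """Map each BSSID to the dates on which bursts began at a similar time."""
    starts_by_bssid = defaultdict(list)
    for bssid, start, _count in bursts:
        starts_by_bssid[bssid].append(start)
    result = {}
    for bssid, starts in starts_by_bssid.items():
        best = set()
        for anchor in starts:
            a = anchor.hour * 60 + anchor.minute
            days = {s.date() for s in starts
                    if _minutes_apart(a, s.hour * 60 + s.minute) <= tolerance_min}
            if len(days) > len(best):
                best = days
        if len(best) >= min_days:
            result[bssid] = sorted(d.isoformat() for d in best)
    return result


def sample_log():
    """Constructed data: three evening bursts, one ordinary deauth, one junk line."""
    lines = []
    for day, hhmm in (("2024-03-04", "19:02"), ("2024-03-05", "19:05"),
                      ("2024-03-06", "18:58")):
        for sec in range(6):
            lines.append(f"{day}T{hhmm}:{sec:02d} DEAUTH bssid=02:aa:bb:cc:dd:01 "
                         f"dst=ff:ff:ff:ff:ff:ff reason=7")
    lines.append("2024-03-05T08:15:00 DEAUTH bssid=02:aa:bb:cc:dd:01 "
                 "dst=02:11:22:33:44:55 reason=3")
    lines.append("this line is not a deauth record")
    return lines


SAMPLE_LOG = sample_log()

if __name__ == "__main__":
    found = find_bursts(parse_events(SAMPLE_LOG))
    print(found)
    print(recurring_daily(found))
```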
Why would he even send a DHCP request?
(Several posts here are talking as if DHCP is a vital stage in setting up a network connection.)
If you have Windows, it is! It will show a "limited connection" warning if Windows does not get a DHCP offer.. /troll
Now seriously, one can perfectly clone a MAC address and IP address of someone and do business as usual.. Just set up some iptables rules to drop all incoming packets not related to any connection that originated from your computer and you are gold. Of course this can confuse the shit out of the other computer if it does not have a proper firewall setup too.
But yeah, I agree with you. Sounds like some people here don't have any clue about what's going on under the application layer..
Actually it's not hardwired, it's merely a value coded into the EEPROM. You can overwrite that EEPROM to permanently change the MAC address.
He's not wrong. He is offbase with the corporate IT to a certain extent but not your house. Do you have any friends? Do you want to add a new MAC to your router every single time someone comes over to hang out? It's pretty trivial to spoof a MAC address as well. I have a feeling you'd be looking for a new job if you were actually assigned to a helpdesk and said what you just did.
Let your kid or a friend's kid use your network. Then call the cops. They are "trying to hack into a kid's computer".
You'll get your response.
"$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
So when my sister, or brother visits I have to pull out my laptop, and a network cord, and plug it into the router, to authorize them?
Where does that make sense?
Granted, it only has to be done once. But why?
i thought once I was found, but it was only a dream.
...so flash your router's firmware and remove the vendor's vulnerability.
I'm a Liberal, Apparently.
It's easy to say "WTF?!" 'till you live there. :facepalm:
Truth isn't Truth - Giuliani
It looks like a network security/competency test question.
If your goal is to harden your wireless network then the simple answer is to set it up with WPA2 Enterprise using EAP-TLS. This will provide certificate authentication between your AP and your wireless clients which will protect you from the MITM attempts of him setting up another AP and will prevent brute force attempts.
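A defender-side check for the second AP that the EAP-TLS advice above is meant to defeat: compare every scan result against what you know about your own access point. This Python sketch is an added example, not from the thread; the record fields, security labels, SSIDs and MAC addresses are constructed, and how the scan results are exported from your Wi-Fi scanner is left as an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Seen:
    """One row of a Wi-Fi scan (constructed field names)."""
    ssid: str
    bssid: str
    channel: int
    security: str          # e.g. "WPA2-EAP", "WPA2-PSK", "WEP", "OPEN"


@dataclass(frozen=True)
class Baseline:
    """What you know to be true about your own network."""
    ssid: str
    bssids: frozenset      # every radio you own that announces this SSID
    channels: frozenset    # channels those radios are configured to use
    security: str


def canonical(ssid: str) -> str:
    """Fold case and drop spaces/punctuation so near-copies compare equal."""
    return "".join(ch for ch in ssid.casefold() if ch.isalnum())


def find_evil_twin_candidates(baseline: Baseline, scan):
    """Return (bssid, channel, reasons) for each suspicious scan row."""
    known = {b.lower() for b in baseline.bssids}
    findings = []
    for ap in scan:
        bssid = ap.bssid.lower()
        reasons = []
        if ap.ssid == baseline.ssid:
            if bssid not in known:
                # Someone else is announcing your network name.
                reasons.append("unknown-bssid")
            elif ap.channel not in baseline.channels:
                # Your BSSID on a channel you never configured: likely cloned.
                reasons.append("unexpected-channel")
            if ap.security != baseline.security:
                # Weaker or different security than the real AP offers.
                reasons.append("security-mismatch")
        elif canonical(ap.ssid) == canonical(baseline.ssid):
            # Not identical, but close enough to fool a person picking it.
            reasons.append("lookalike-ssid")
        if reasons:
            findings.append((bssid, ap.channel, tuple(reasons)))
    return findings


# --- constructed baseline and scan ---
MY_NETWORK = Baseline(
    ssid="HomeNet",
    bssids=frozenset({"02:aa:bb:cc:dd:01"}),
    channels=frozenset({6}),
    security="WPA2-EAP",
)

SAMPLE_SCAN = [
    Seen("HomeNet", "02:AA:BB:CC:DD:01", 6, "WPA2-EAP"),    # the real AP
    Seen("HomeNet", "02:de:ad:be:ef:01", 11, "OPEN"),       # same name, new radio
    Seen("HomeNet", "02:aa:bb:cc:dd:01", 1, "WPA2-EAP"),    # cloned BSSID
    Seen("homenet ", "02:de:ad:be:ef:02", 6, "WPA2-PSK"),   # near-copy of the name
    Seen("Neighbour-5G", "02:12:34:56:78:9a", 36, "WPA2-PSK"),
]

if __name__ == "__main__":
    for finding in find_evil_twin_candidates(MY_NETWORK, SAMPLE_SCAN):
        print(finding)
```

If you run several access points or a mesh, list every one of their BSSIDs and channels in the baseline, otherwise your own radios are reported as unknown.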
Changing the SSID to "FBI_Cybercrime_Unit_23" would be a better bet...
Contact your ISP, you'll have to get beyond the phone-script crew, and explain the issue to the technical types there. It isn't likely that they will be happy to have someone playing these types of games with their connections and will step in. In most places the ISP can also bring legal charges under a theft of service law.
Sure, Because Wifi is like my wife. Smooth simile.
Every experiment which ends in a big bang is a good experiment.
Wander around with netstumbler, and monitor the strength of the evil network. Once you've actually located the person you can: a) complain to their mom b) move your access point to where it's out of their range c) set up a malicious network of the same name and perform MITM attacks on them (sslstrip, sslsplit, dsniff, malicious nameserver, redirect them to a copy of someone else's drive-by-0day page). If they run the deauth attack more than once (it only has to be run once), they're fairly unlikely to succeed unless given serious help (like changing the network encryption to wep).
1. Shut down any of your WEP access points.
2. Implement WPA2... with AES (no TKIP) and: very important: do not use WPA-PSK, unless you have a cryptographically strong key, and your AP exposes multiple SSIDs with different pre-shared keys, where you have spread the keys about, so few devices use any one key.
3. Better yet switch all authentication to EAP-TLS with certificate-based authentication of clients, and passing of user credentials over TLS; in other words, use the only form of WPA that has no security defeat.
4. The police might be able to help, if you can provide sufficient corroboration -- such as hiring a specialist to assist, and providing the report.
If you can figure out where it's coming from, however, their parents may be able to help you even more.
If someone were to run a couple of torrents on my network while I was streaming some HD video, I would indeed "run out" of it.
I don't quite get the problem here.
There's an individual outside of his home, who is accessing the wifi *in* his home.
Everyone is talking about potential countermeasures.
What about the obvious ones?
1) wire everything. That doesn't work so good for tablets, laptops in random places, etc.
2) Make it so he can't connect. Reduce the power (if possible). Pick a noisy channel, so he'll get too much interference. Shield the antenna from the direction the intruder is.
I've had to move so many access points, because people put them under desks, or with something in between Point A and B. Nope, RF doesn't pass very well through the refrigerator, filing cabinet, or the other numerous things they love to put in the way to complain. Detune it. Put the AP under the desk, so there's just enough power to reach the couch (or wherever).
Worst case, anti-wifi wallpaper, or even the always stylish wire screen or aluminum foil.
I vote for an all-out Faraday cage. Not only will it stop the wifi thief, but it'll keep the government mind control out... :)
Serious? Seriousness is well above my pay grade.
Please tell us more about cracking WPA fairly quickly.
From the summary, the cracker has already compromised the submitter's network at least once, is trying again, and is doing the same to other networks in the submitter's neighborhood. The cracker has already breached that "good ol' Amer'can spirit" you speak of.
While it's not his job, duty, or right to administer his neighbours, it is his responsibility to help protect the neighbourhood of which he is a part. If you spotted a stranger sneaking into your neighbours' houses, would you (a) lock your own doors and warn your neighbours / call the police, or (b) lock your own doors and go back to watching TV?
Hm, really? I have my SSID hidden. I was considering changing it because my Android phone takes ages for it to connect to it that way. But I assume that less obvious would be better. I suppose I could just do what I had before my phone, leave wifi off permanently until I actually need it (ie, brought work laptop home with me).
Why do they need wifi at your home. Aren't they there to talk to you instead of constantly updating their facebook status?
Maybe it's inconvenient, but security is always inconvenient. You can't have both.
Turning it off is exactly what I do when I am not actively using any wireless devices. My main computer is wired to the modem through an ethernet switch. Most of the time I use my main computer. The wireless AP also uses a directional antenna, is restricted to a fraction of the normal Internet speed and turned off most of the time unless I actually need it. I don't even bother with a password.
A sufficiently advanced simulation is indistinguishable from reality.
You might want to call the police and formally complain. They won't do anything, but it'll be on the record. If this guy is involved in criminal activity in the neighborhood, and there is an investigation, and you need to use the "I've been hacked" defense, there will be at least one piece of evidence in your favor.
FBI: criminal activity has been traced to your IP.
You: It's about time someone did something. I filed a complaint six months ago about someone hacking my network...
Here you go AC, but next time do your own homework. Or at least have Google do it for you,
http://netsecurity.about.com/od/secureyourwifinetwork/a/WPA2-Crack.htm
http://www.aircrack-ng.org/doku.php?id=cracking_wpa
http://arstechnica.com/security/2012/08/wireless-password-easily-cracked/
Sig Battery depleted. Reverting to safe mode.
b) something illegal. Identity theft, probing your network for something to steal, child porn consumption or distribution using your internet, etc.
Anything that might actually get the police/FBI to act might have them break down your door. But within 24 hours they would break down his too. Anyone doing really illegal stuff wouldn't leech off a neighbour a hundred yards away as a proxy, he'd spend $5 a month and get an overseas VPN.
If he's ever caught (and if he exists at all, and isn't just a totally made up story to generate slashdot hits, which is more than likely) he's just some jerk in his basement who thinks it's fun, but not doing anything more illegal online than you (aside from cracking your router, that is). This is basically a trivial neighbourhood dispute, like the guy who throws his cigarette butts in your yard as he works in his garden. Of course, in the wrong neighbourhood, that could get you killed....
This problem of WiFi leeching is far greater than one guy losing some of his bits... rather now it is wide open that WiFi is not all that secure.
Copyright Infringement... How are the courts to assign guilt to anyone for violating copyright on the net if it can not be proven, with forum discussions like the one you are reading right now, that one is the perpetrator of internet mischief?
The ones that should be most concerned is the MAFIAA. All the lobbying of politicians to pass their carefully crafted laws is moot if it is shown in courts of law that the wifi routers themselves are compromisable. It will be hard, if not impossible, to place without-a-doubt liability on anyone for what went through their system.
I am sure this entire forum will be copied off and presented to the Judge as evidence that it cannot be proven beyond a shadow of a doubt that the copyright violator indeed did what the MAFIAA alleged he did.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
but you'd have to know the mac address!?
1. Setting the subnet mask to /30 or whatever only works if you have just enough devices for the available IPs. What if your network has 7 devices?
2. Two devices can share a MAC and IP on a wireless network. On a wired network it confuses the switch, but a wireless network does not have a switch. Depending on how the devices are configured, this situation can even work quite well.
If I needed a wireless network, I would use WPA2 and EAP authentication with certificates. That is harder to break than a simple pre shared key.
Dude, my phone actually LISTS hidden access points as "". Time to stop making yourself a target.
I run an open unprotected AP, which has been throttled down to a very low speed. It is good enough for an interloper to do a little surfing, but downloading any meaningful amount of data or watching a video is impractical. My other computers are all wired in to the network. Since it is not illegal to run an open AP, this gives me deniable plausibility, if some jerk is patient enough to download something illegal. I also turn the AP off entirely when it is not needed for a wireless only device like my iPad. I don't use the latter to download any big files.
A sufficiently advanced simulation is indistinguishable from reality.
The courts here in the US are increasingly realizing that an IP address alone, without other evidence of wrongdoing is no longer good enough to justify a prosecution or civil case. Even the dumbest prosecutors are beginning to realize this. Throttling an open AP down to say 512 kb/s will allow checking of e-mail or a simple query to Google, but will not allow the downloading of huge files or watching of video. The speed of such a connection is still considerably faster than dial-up, and therefore is plenty fast enough for receiving simple text files. No one will have the patience to sit in front of my house in a car for hours to download megabyte files onto a laptop. I download large files using a hardwired connection to my computers. Sometimes, when friends come over with their laptop, I connect them to my ethernet so that they can use my high-speed Internet connection as necessary for downloads. I turn off the AP entirely at night and when I'm not home.
A sufficiently advanced simulation is indistinguishable from reality.
Yes, but they are transmitted in cleartext every time one of your devices connects to it.
So you think that a person who is quite prolific in wifi hacking techniques will be stopped short, because he will not get an address from DHCP and has to figure out the extremely complicated method of assigning an ip address manually? Sounds like an effective technique alright.
Some of the Enterprise wireless vendors have countermeasures in their products for deauth/mitm/evil twin/ and many other attacks.
I don't work for the company, but I am a fan and a customer. Aruba has some really nifty features. Others do this as well, but Aruba was one of the first.
http://www.arubanetworks.com/pdf/products/DS_WIP.pdf
The Aruba Instant doesn't require any additional infrastructure and something like the RAP-3WN can be found on eBay for fairly cheap.
Crank up the defense settings, and your AP will literally attack back when it detects a known attack on your network.
It'll frustrate the heck out of the kiddie running backtrack on your block when the tutorials he's watching on youtube on hax0ring wifi don't yield results.
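The two detections named in the post above (deauthentication floods and evil twins), sketched as an added example; this is not Aruba's implementation or any vendor's. The frame records, addresses, SSIDs, thresholds and function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: 802.11 management frames as a monitor-mode capture
# might look after decoding. Every address and SSID here is made up.
KNOWN_APS = {"HomeNet": {"bssid": "02:00:00:aa:bb:01", "security": "WPA2-PSK"}}

FRAMES = [
    {"ts": 10.0, "type": "beacon", "bssid": "02:00:00:aa:bb:01",
     "ssid": "HomeNet", "security": "WPA2-PSK"},
    {"ts": 10.1, "type": "beacon", "bssid": "02:00:00:cc:dd:02",
     "ssid": "NeighborNet", "security": "WPA2-PSK"},
    # Same SSID as the home network, different radio, no encryption.
    {"ts": 12.0, "type": "beacon", "bssid": "02:00:00:ee:ee:99",
     "ssid": "HomeNet", "security": "Open"},
    {"ts": 12.5, "type": "beacon", "bssid": "02:00:00:ee:ee:99",
     "ssid": "HomeNet", "security": "Open"},
    # One isolated deauth: normal when a client leaves or roams.
    {"ts": 500.0, "type": "deauth", "bssid": "02:00:00:aa:bb:01"},
] + [
    # Six deauths in one second carrying the home AP's address.
    {"ts": ts, "type": "deauth", "bssid": "02:00:00:aa:bb:01"}
    for ts in (100.0, 100.2, 100.4, 100.6, 100.8, 101.0)
]


def find_evil_twins(frames, known_aps):
    """Flag beacons that reuse a known SSID but do not match the expected AP.

    Returns a sorted list of (ssid, bssid, reasons). A matching BSSID is not
    proof of legitimacy, since the address can be cloned; that is why the
    advertised security mode is compared as well.
    """
    findings = set()
    for frame in frames:
        if frame["type"] != "beacon" or frame["ssid"] not in known_aps:
            continue
        expected = known_aps[frame["ssid"]]
        reasons = []
        if frame["bssid"] != expected["bssid"]:
            reasons.append("unknown BSSID")
        if frame["security"] != expected["security"]:
            reasons.append("security mismatch: " + frame["security"])
        if reasons:
            findings.add((frame["ssid"], frame["bssid"], tuple(reasons)))
    return sorted(findings)


def find_deauth_bursts(frames, max_gap=2.0, min_frames=5):
    """Group deauth frames per BSSID into runs and report the dense ones.

    A run is a sequence of deauths where each follows the previous one within
    max_gap seconds. Runs shorter than min_frames are treated as normal
    client churn. Returns (bssid, first_ts, last_ts, count) tuples by time.
    """
    per_bssid = defaultdict(list)
    for frame in frames:
        if frame["type"] == "deauth":
            per_bssid[frame["bssid"]].append(frame["ts"])

    bursts = []
    for bssid, times in per_bssid.items():
        times.sort()
        run = [times[0]]
        for ts in times[1:]:
            if ts - run[-1] <= max_gap:
                run.append(ts)
                continue
            if len(run) >= min_frames:
                bursts.append((bssid, run[0], run[-1], len(run)))
            run = [ts]
        if len(run) >= min_frames:
            bursts.append((bssid, run[0], run[-1], len(run)))
    return sorted(bursts, key=lambda burst: burst[1])


if __name__ == "__main__":
    for finding in find_evil_twins(FRAMES, KNOWN_APS):
        print("possible evil twin:", finding)
    for burst in find_deauth_bursts(FRAMES):
        print("deauth burst:", burst)
```

A household with several legitimate access points or a mesh system would need a set of expected BSSIDs per SSID rather than the single one assumed here.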
WPA2 with a strong PSK should be sufficient, but if you want to take it to the next level use EAP-TLS and set up your own PKI. Make sure to validate the CA certificate so you're not susceptible to MITM attacks.
Remember that you are unique, just like everybody else.
I use reserved MAC addresses and a non-trivial WPA2 password. The router won't connect any unknown MAC addresses.
The wifi router does not need to *connect* to anything. It is yelling your traffic loud and clear over the block, anyone can listen to it. To think that MAC restrictions are any kind of a deterrent, is delusional. MAC lists just serve to annoy legitimate users, it has absolutely no effect on a hacker. (Same goes for hidden SSID by the way).
The safest bet would be using 802.1x radius authentication.
But how will you ever get to his drug boat?
I used to be in your shoes. Then this happened down the road. Interestingly enough, with the NSA in town fiber connections are now pretty standard out in the 'country'.
And somebody like me would completely own you for it:
1. I have the technical know how to set my SSID to hidden: red flag #1
2. What else do I have running if my SSID is hidden?
Who knows? Odds are nothing at all. Hidden SSIDs are standard security measures available in every idiot's WiFi router. Somehow I don't think my sister nor my mother (both who have hidden SSIDs) have the technical know how or capability to use this "zero thingy" you talk about.
It takes quite a different mind to actually perform a hack, even a script kiddy hack, than a mind required to check a box and follow a two page guide with pictures from an owner's manual while setting up a network.
We don't use wireless here. We use power line network adapters.
They are faster than wireless, cheap, and avoid the problems you're describing.
Beyond that, find out who is doing this and confront them. If they don't stop....make them wish they had.
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
ALERT ALERT! Weak passwords decrease security! Whodathunk! News at 11!
If a train station is a place where a train stops, what's a workstation?
Yes, but only if done right. Use EAP-PEAP with silly passwords or even something really stupid like LEAP, and you're not any more secure. Use something like EAP-TLS with proper certificates, and then you're set.
If a train station is a place where a train stops, what's a workstation?
Frankly we need to throw the whole damned thing out and start over, design something that low power devices like smartphones and tablets can use easily while at the same time having very tough to crack security. maybe placing a hardware crypto chip on the device?
Yeah, that was a great idea last time, until someone found a flaw in WEP and the chips weren't possible to upgrade and we had to live with virtually no security for 5 years.
c++;
I recently ran into issues at home due to relying on this. I bought a firewall for my network, and assigned it as the DHCP server, I planned to have a DHCP allocation higher in the subnet, and to have most of my devices self-allocate an IP address lower down in the subnet (so I didn't need to have a static allocation via DHCP). To my surprise the self-allocated IPs weren't working, and couldn't get an outside connection, but anything allocated via DHCP could.
It seems that my firewall by default drops anything coming from an address not assigned via DHCP (which is nice actually, as it stops the behaviour listed in the quote). So I had to reserve DHCP addresses for my "known" devices, and have them assigned that way. Once I have everything assigned, I can restrict DHCP to the range of known devices, so anything else trying to connect will need to spoof a MAC to get an IP, and runs a very strong chance of colliding (hence alerting me, and disrupting the offending traffic).
-- Pete.
Monochrome - Probably the UK's largest internet BBS
At work we have a similar setup courtesy of our $^#^%#$$% Thompson Speedtouch modem. You can't get a decent signal from that thing when you are further than three paces away from it.
... enable dhcp (no default gateway)
connect the access point to a openvpn server NOT THE INTERNET
connect the openvpn server to the internet
[access point]---[openvpn server]---([router]---[modem])---[internet]
So it goes like this for you:
you connect to your wi-fi
you authenticate with a certificate to your openvpn server
you use internet
It goes like this for him: ... connect
oooh open wi-fi
oooh ip, thanks
ping google.com ERROR
hax somebank.com ERROR
*cry*
And what we have now is better where more than half of the consumer devices get flaky if you try to have any real security? You know it doesn't matter if its because hackers cracked the chip or because the device just won't hook up as in both cases you are SOL as far as security goes.
But considering how powerful ARM DSPs are now i don't see why you couldn't have one that could be updated through firmware, that way as new advances in encryption came out you could update the device.
as it is now you go right ahead and try to enable MAC filtering and WPA PSK and see how quickly the phones and tablets become paperweights, what good is having security if it results in devices you can no longer use in their intended purpose?
ACs don't waste your time replying, your posts are never seen by me.
Hear, hear!
I am fortunate that my house siding is cement. With the AP strategically placed in the basement, there is no signal at the sidewalk or the fence in the back yard. The next door neighbors may be able to receive the signal from their upstairs, but it's questionable.
A basement makes an awesome 'funnel' for your wireless signal. :)
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
1. Reconfigure your AP with broadcast turned off, different SSID, white list your MAC address, roll the password. Disable DHCP or configure DHCP to assign specific addresses to specific MAC's.
2. Setup another AP with your old SSID. Plug this into pfSense firewall and start collecting data and messing with the person. Transparently proxy all their traffic and setup some interesting rules. Rate limiting, jpg replacement, word replacement. If they're encrypting all their data, tamper with the stream, replay packets, etc.
Yes Francis, the world has gone crazy.
The people "leaching" your connection may well be terrorists using your internet to plan crimes against the American people. When it comes time to investigate, you will be the one explaining why your connection was used to make these suspicious searches. Avoid problems now - call in DHS and get them to find and nab the terrorists before they can do any harm.
Why bother with a directional antenna? Load up kismet with a GPS device connected (cheap bluetooth one will do), go wandering with your laptop, and it'll find the network centre of each AP quite easily. I used to use a bootable Linux distro for just this purpose (it shifts name a lot, but has gone by the names of BackTrack and Whoppix in the past so I'm sure you can google the latest version) for doing primitive wifi mapping in schools (where you have hundreds of surrounding houses all blasting their channels in your direction).
Within a walk of the street, you'll pinpoint the leech even if he used the same details as yourself. Then knock on door (with friend, depending on area), ask what the hell he's doing and ask him to stop.
But, to be honest, if that was the case, I'd just secure my network properly. And, hell, if it comes to it run a fake AP at that location that just messes with him. I've done upside-down-ternet before now, and a friend of mine thinks that renaming certain local wireless AP SSID's to something scary works quite well too. DO NOT TRY TO ATTACK BACK. Just cripple his access through your systems, don't do anything stupid to him.
And if you're REALLY worried, just run OpenVPN over wireless. I did this in one place I lived - just had a WPA network and actually had all clients connect to a OpenVPN server on the local net (and the wireless was blocked from talking to ANYTHING else). Then it doesn't matter what happens to WEP/WPA/WPS, etc. - you know that they have to break quite serious encryption to actually get anywhere. Impact on clients is extremely minimal - generate a certificate once, slight lag on first connection or resume from sleep (literally on the order of seconds), but after that it just like being native on the connection - I used to play CS 1.6 over that system with no problem at all.
It was hilarious when a guest came once and told me that they'd "get on any wireless network". They couldn't crack the password (probably could nowadays but not back then, the software wasn't around and the vulnerabilities were unknown) so they went and found the router and tried the defaults, MAC address, etc. They couldn't get on so I told them the password. MAC address filtering blocked them, so I added them to the list of allowed MAC's.
DHCP was disabled so obviously they got no address and my range/gateway was some random number in the 10. range. I felt sorry for them by this point, so turned on DHCP for them and they got an address. They tried to ping default gateway and it worked, so they claimed success.
Unfortunately they were on a private wifi network that hid clients from one another too, so all they *could* do was ping the gateway (and that, only for my ease troubleshooting!) and connect to the OpenVPN port on a random server (not the same IP as the gateway). Nmap scan found nothing (I presume because I was using OpenVPN over udp) and they could get no further without the OpenVPN software and a certificate issued by me.
This guy is forcibly entering your connection, presumably just to freeload but it could be for something much worse (how do you know WHAT he's downloading and that he's not just chosen your network - and the neighbours - to provide a level of indirection to his activities so that he can stop / run when the police pull up to arrest YOU for what's been downloaded).
Find him, stop him, if it continues, report him.
P.S. This is why I disable any "new" authentication technology within seconds of setting up a wireless router. UPnP - off. WPS - off. Other crap that looks like it's trying to make my life "easier" - off.
MAC addresses are easily read, and faked, from wireless networks.
If the attacker knows just one successful client on your network, it's not that hard to copy their MAC, even if it forces one-or-the-other off the network.
MAC filtering is like whitelisting yourself using the "from" field for spam. Eventually, someone will just send "you" a message from "you" and it'll go straight through.
If some attacker is so busy attacking your network (with usually loads of other networks around it with default settings) even when you disable the easiest method of attack, are you sure leeching (accessing the Internet via your connection) is the target of the attack? Isn't it possible the attacker thinks your network has something special?
The Virtual Bookcase: book reviews
http://www.openbsd.org/faq/pf/authpf.html
go find a zero-day
Because that is so easy to do...
Java.
We also look for illegal transmitters, like the cordless phone that a local Chinese restaurant had imported and used the same frequency as our 2m repeater.
www.wavefront-av.com
But, how would the "good guys" log all your traffic in case they need some dirt on you ten years later? That is the problem with all commercial security, they want it to be secure and insecure at the same time...
I'm originally from Los Angeles, and the contrast between the two police cultures seems pretty dramatic to me.
I am not from L.A., and was shocked and dismayed to discover there what the future holds.
The LAPD seem to have developed a new police culture, which is coming to be the new dystopian reality throughout the U.S.
Welcome to Abu Ghraib, Citizen!
They feared that it could be used to suppress protest or support unpopular rule.
Don't try to explain, dittbub develops DRM for the MPAA.
That is what I am saying. Anyone advocating MAC address filtering will be getting a talking-to.
I never suggest the use of such a useless measure.
Also, why go with a technical attack/protection?
Print up 100 fliers that say:
WARNING: a scary hacker is using ADVANCED wireless hacking techniques to view CHILD PORN over your internet connection. He is also trying to steal your CREDIT CARD numbers! They are also using FACEBOOK to seduce your kids in to bed. This is a neighborhood campaign to locate him!
Stick these to every door within wireless range of your house. If the hacker is an older person (adult) they are likely to stop to avoid an angry lynch mob of soccer moms hanging them. It's also likely to get law enforcement attention. Now you've associated wireless hacker with a kiddie diddler. It's also good plausible deniability for all the people he has hacked and downloaded shit thru.
Why protect only yourself when this is a community problem.
Print up 100 fliers that say:
WARNING: a scary hacker is using ADVANCED wireless hacking techniques to view CHILD PORN over your internet connection. He is also trying to steal your CREDIT CARD numbers! They are also using FACEBOOK to seduce your kids in to bed. This is a neighborhood CRIME FIGHTING campaign to locate him!
Stick these to every door within wireless range of your house. If the hacker is an older person (adult) they are likely to stop to avoid an angry lynch mob of soccer moms hanging them. It's also likely to get law enforcement attention. Now you've associated wireless hacker with a kiddie diddler. It's also good plausible deniability for all the people he has hacked and downloaded shit thru.
Plus, if you see some dude taking all the fliers down, it's probably him.
(Different AC)
I hope you realize that by being deliberately obtuse, you're only hurting any point you might have had.
What you see as "deliberately obtuse," I see as pointing out the issues that result from a culture that exhorts and promotes people getting into the business of others.
You apparently do not realize it, but this sort of behavior is precisely why we have so many goddamn stupid laws governing what we can or cannot do in the privacy of our own homes. I'm trying to fix that lack of understanding by bringing it to the forefront, so please try using your cognitive abilities instead of instantaneously writing off any opinion you don't necessarily agree with as 'obtuse.'
An enigma, wrapped in a riddle, shrouded in bacon and cheese
1st thing to do would be see if my router was compatible with something like DD-WRT or Tomato. These don't have the insecure WDS in them. I assume you have the most up to date firmware. Other things to do would be to turn off your wifi for a few days. Chances are the neighbor will get bored and move on to someone else. You could also enable QOS and restrict the heck out of his connection. You could also start messing with things like redirection, block DNS lookups (Let your local machine do the DNS for your connection) and lastly replace your router.
Anyone doing really illegal stuff wouldn't leech off a neighbour a hundred yards away as a proxy, he'd spend $5 a month and get an overseas VPN.
Criminal minds aren't really all that bright, that said, why not proxy off your neighbor's wifi to the overseas VPN you're paying for with your neighbor's credit card...
(and if he exists at all, and isn't just a totally made up story to generate slashdot hits, which is more than likely)
Agreed; but you know what, this particular story has generated more comments and technical discussion than most, which is nice to see. If it were a hypothetical scenario instead of a real one it would be better if they were honest about it, but overall I've enjoyed this thread. Although I'm appalled at the poor advice being given -- mac filtering and turning off ssid broadcast vs an attack allegedly this sophisticated is like making sure the backyard gate is closed to secure your home against a SWAT.
he's just some jerk in his basement who thinks it's fun, but not doing anything more illegal online than you (aside from cracking your router, that is)
I tend to mostly agree. And it wouldn't be such a big deal if he was just cracking your router to leech off your internet. The sort of person who does that is the sort of person who, once on your lan will amuse himself by breaking into your computer next. (and given that he's inside the network you might well have poor passwords, open shares, and so on.) Rummaging through your documents, pictures, email... slurp copies of anything remotely interesting, grab the notepad file/excel sheet/whatever with your passwords, the vpn credentials for the office, whatever... and then start rummaging around there too.
It might be a simple "I want to leech some free internetz" but odds are if someone is going to that much trouble to get into your network they're going to rummage around ON YOUR NETWORK too with the same level of sophistication.
Or just an unemployed kid with way too much time...
Who is committing a felony.
For what most people spend on mid to high level home routers you could be using pfsense on an alix board, or at least an ubiquiti or mikrotik device.
Any of these devices will blow the socks off the consumer junk out there.
Cheap storage VM.
Criminal minds aren't really all that bright, that said, why not proxy off your neighbor's wifi to the overseas VPN you're paying for with your neighbor's credit card...
A criminal who can crack wifi must also be aware of how easily he could be backtracked. The online criminal community has gotten very paranoid, and rightly so.
It might be a simple "I want to leech some free internetz" but odds are if someone is going to that much trouble to get into your network they're going to rummage around ON YOUR NETWORK too with the same level of sophistication.
Maybe. But again, it would be really stupid to do that to a neighbour. An online criminal can target anyone, anywhere, and fade away if he's detected. If he's connecting via wifi, you can turn up on his door with a baseball bat 3 minutes later. And while "YOUR NETWORK" matters to you, it probably doesn't to anyone else. Unless they like the same kind of porn you do. So of course you want to protect it, but it's more likely to be collateral damage than a targeted assault.
But the more I think about it, the more likely it is that this story is completely fictional. Though I once cracked a neighbour's wifi. If you count logging on to an unencrypted network as "cracking". I then noted the SSID and it was a router brand, so I guessed it was all on defaults and logged in to the admin screen. But that was it, logged off and just leeched for a while till my own broadband was online. Now all my neighbours wifi is encrypted. There have been a few scare stories in the news and with netbooks and smartphones all using wifi people are used to having to use passwords.
I let people connect to my AP but they are greeted with a captive portal screen in their browser. Usually this turns most people off right away (The logs say so anyway!)
Oh, and you don't need pfSense for captive portal, I think dd-wrt does a relatively decent job of providing it also.
i do no such thing!
---would like a way to ban AC's from his discussions. Bunch of dumb newbs, who can't spell security.
If you're running something like dd-wrt reduce the accepted round trip time (ACK timing). It looks like the default is over a mile. If you reduce it to about 50 meters give-or-take you might be able to cut him off entirely.
I would give serious thought to buying some CAT5 cable and turning the WIFI off.
End MGM. Get prospective parents of boys to Google: Men do complain
Just keep modem and router turned off when not in use. or just unplug router when away from the computer if you do not wish to lose your ip...this is even if you have verified through your ISP that unknown mac addresses are using your connection. You find that people that do not contact their ISP or local authorities...probably doing something wrong themselves and do not want to let the cat out of the bag. So bad guy vs bad guy.... well like I said better to let him get discouraged and find someone else to steal from. I use network magic that tells me when any device connects to the router. I am not very technically blessed so I always seek the simple solution.
But the more I think about it, the more likely it is that this story is completely fictional.
Perhaps. But it's an interesting thought experiment even so. And as a teen I knew people who got onto neighbors' wifi, cracked WEP, rummaged around on open shares on their computers, or broke into the computers, and even installed remote access software etc.
It does happen.
And while "YOUR NETWORK" matters to you, it probably doesn't to anyone else. Unless they like the same kind of porn you do. So of course you want to protect it, but it's more likely to be collateral damage than a targeted assault.
I agree it's not likely a targeted assault or a case of it "mattering" to someone else. Having someone rummage around your network has the same effect as someone breaking into your home... even if they didn't take anything of value. You still feel violated.
Someone looking through your documents, your pictures of your kids, or wife, it's just creepy. Maybe you have private photos of your wife. Maybe your medical records, or your financials...
Is the neighbor likely to steal your identity and drain your bank accounts? No, not unless he's really stupid, so I'd agree that's highly improbable.
But anyone who would go to that much effort to break into your wifi where it is not a high level criminal targeted attack is doing it just because he can, for the thrill of breaking in. That's why my teenaged friends did it. Such a person will break into your computer next. Not because they really want anything from it - although racy/nude pictures/video of the neighbor's wife might be a big prize -- but simply for the challenge of proving he can.
Whether you are really "harmed" in the process or not you still feel pretty violated.
The idea that you should "be nice and learn to live it" is simply ridiculous.
Though I once cracked a neighbour's wifi.
I knew a number of people who cracked their neighbours' WEP and so forth for the fun of it.
Maybe. But again, it would be really stupid to do that to a neighbour. An online criminal can target anyone, anywhere, and fade away if he's detected. If he's connecting via wifi, you can turn up on his door with a baseball bat 3 minutes later
Unless you assume your neighbor is technical noob, will never even notice you did it. And to be fair, this would be true of pretty much everyone. I'm not even sure *I'd* notice unless it was noticeably disrupting my network.
A 15 year old in an apartment block might well think he's invincible.
What a moron. Please go back to your mother and stay there.
P.S. I'd find the zero-day, you wouldn't, it's called "community".
1. Setting the subnet mask to /30 or whatever only works if you have just enough devices for the available IPs. What if your network has 7 devices?
2. Two devices can share a MAC and IP on a wireless network. On a wired network it confuses the switch, but a wireless network does not have a switch. Depending on how the devices are configured, this situation can even work quite well.
If I needed a wireless network, I would use WPA2 and EAP authentication with certificates. That is harder to break than a simple pre shared key.
1. I fill up all 10 devices with MACs -- most of them dummies. Since there's nothing transmitting these MACs, it's highly unlikely that an attacker could guess them. Therefore, I'm essentially limiting the network to the actually used IPs.
2. That was my point; two devices can share a MAC and IP on a wireless network, but service degradation IS an issue, and the combination of retransmits and handshaking (at least on my hardware) causes significant lag and eventually session drops, requiring renegotiation. I've never seen a situation where devices worked well sharing a single MAC and IP over a wireless router -- it works much like a passive hub, except with an extra layer of abstraction around the wireless connection negotiation. No switch to actively drop the potential collisions, just two devices that degrade each other's performance and trample each other's TCP packets due to buffer overloading.
That said, WPA2 with EAP is a much better choice where all devices support it.
The truth that nobody wants to really admit is that there's simply no way to keep a determined hacker out of a wireless network. It's, by its very nature, an open network. About the best you can do, short of going wired, is regularly rotate your wireless passwords (get a new one every day, for example), and also maybe set up a VPN on your local network, so that even if you're on the wifi you can't actually do anything with it without connecting to the VPN.
Are you thinking of WEP encryption? If you are using WPA2 encryption, asking someone to change their password once a day is completely unreasonable.
If you are using WPA2 and a semi-long password there is absolutely no need to change the password daily. The way that cracking WPA2 works is by capturing an authentication handshake of a user who knows the password, storing that locally and then cracking it on the local machine. Now you are playing the waiting game, even if the attacker was using (http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/) cracking at 350 billion password attempts a second, a password with 20 characters (upper, lower, digits, and punctuation) would take
(32 lower + 32 upper + 32 punctuation + 10 digits) 104 ^ 20 = 2.1911231430334195e+40 possible combinations.
2.1911231430334195e+40 / 350,000,000,000 attempts per second would require 62,603,518,372,383,410,015,659,322,218.865 seconds to try each combination. Which comes out to a potential 2,905,645,676,789,197,589,949.8015733293 years to crack. Change your password once a year and call it good.
Wireless networks are not open by nature, they are broadcast by nature. There is a very big difference.
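The offline-guessing argument in the post above, as an added example that is not the poster's code: it derives the WPA2 pairwise master key the way 802.11i specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) and estimates exhaustive-search time for a passphrase at a given guess rate. The function names and the character-class model (95 printable ASCII characters, space counted with the symbols) are assumptions of this example.

```python
import hashlib
import math
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes used for the estimate. Space is a legal passphrase
# character, so it is counted with the symbols (an assumption of this model).
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",
)


def wpa2_pmk(passphrase, ssid):
    """Derive the 256-bit pairwise master key for a WPA2-PSK network.

    The SSID is the salt, so the same passphrase yields a different key on a
    differently named network, and every guess costs 4096 HMAC-SHA1 rounds.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    if not all(32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("WPA2 passphrases are printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def alphabet_size(passphrase):
    """Size of the alphabet implied by the character classes actually used."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in passphrase))


def brute_force_estimate(passphrase, guesses_per_second):
    """Worst-case exhaustive search over the implied alphabet.

    This is an upper bound on attacker effort. A passphrase that appears in a
    wordlist falls long before the keyspace is exhausted, whatever its length.
    """
    size = alphabet_size(passphrase)
    keyspace = size ** len(passphrase)
    return {
        "alphabet": size,
        "keyspace": keyspace,
        "bits": len(passphrase) * math.log2(size),
        "years": keyspace / guesses_per_second / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    rate = 350e9  # guesses per second, the figure quoted in the post
    # Constructed sample passphrases, not taken from any real network.
    for candidate in ("password", "Tr0ub4dor&3", "aB3!" * 5):
        est = brute_force_estimate(candidate, rate)
        print(f"{candidate!r}: alphabet={est['alphabet']} "
              f"bits={est['bits']:.1f} years={est['years']:.3g}")
    # Same passphrase, two SSIDs: the derived keys differ because of the salt.
    print(wpa2_pmk("password", "IEEE").hex())
    print(wpa2_pmk("password", "IEEE2").hex())
```

Because the SSID salts the key, a unique network name matters as well as a long passphrase: keys precomputed for common default SSIDs are useless against a differently named network.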
Absolutely. If there is any activity on the network at all https://www.wireshark.org/download.html would pick it up in a split second.
Two devices can share a MAC, but yes, the service might degrade, since each station would send TCP RST packets for the connections it does not know about. On the other hand, if one (or both) stations have firewalls that are configured to be stealthy (to drop instead of reject packets) then such a setup can work quite well. It would most likely still be noticeable for devices that send/receive a lot (at least the bandwidth graph would change), but if the attacker cloned the MAC of your cellphone or some other device that does not send/receive a lot.
Some years ago I "legitimately" cloned MACs to connect to a network - I had permission to access the network (and the password), but the MAC table of the AP (since they were also using MAC filtering - so effective) was full and the address of my device could not be added - so I just scanned the network, made a MAC list and every time I wanted to connect I would just pick one (that wasn't seen in the last minute, or if all were active then one that was least active).
And if the attacker lives near you (as opposed to just driving around with a laptop), he can leave the capture on for a day or so and get the less used MACs.
Riiiight, because Sally Secretary and grandma and grandpa could REALLY set something like that up, geez. This is why Linux never goes anywhere, the FOSSie thinks "If I can do it anybody can" which is complete and total horseshit, that is like saying because your local mechanic can rebuild a car from a rusting hulk into a hot rod you could do so with nothing but the tools and the husk, no instruction needed.
Crap like pfsense is about as user friendly as open heart surgery and if you don't REALLY know what you are doing and have a low level understanding of networking you are just as likely to come up with something worse than what you had because it'll be misconfigured.
As I have said many times what we NEED is something that can be updated via firmware as new threats come out and which has a new more secure form of UPNP so that grandma and Sally can follow the very BASIC instructions and set up their devices to work on it without paying a guy like me a $150+ service call on top of an hourly rate to set the thing up.
So I'm sorry but your "solution" is anything but and would be like saying "To save gas just build your own hybrid" for all the usefulness of it. Unless of course you are just trying to throw names for geek cred, if so congrats, you are a basement nerd that uses products nobody cares about and which has less home users than Solaris.
ACs don't waste your time replying, your posts are never seen by me.
For years my neighbors have been trying to get access to my Wi-Fi. In 2003 they had cracked my WEP key; back then my wireless router only supported WEP. I ended up disabling the wireless mode and wired the computer that was wireless. When I did this my neighbors got mad, saying that I had no right to disconnect them. When I replaced the wireless router with one that supported WPA, my neighbors asked for the key several times. When I got a laptop computer I always got knocked off my Wi-Fi several times a day. I did have my WPA key cracked twice. One day the wireless card and the router's Wi-Fi part stopped working, and I had to set up a wireless access point that I had lying around. I ended up setting up a RADIUS server and set my Wi-Fi for WPA-Enterprise Protected EAP (PEAP). When someone tried to connect, the RADIUS server logged the MAC address of the computer or device that tried to connect. I still had the problem of my Wi-Fi dropping connection. In 2011 I had people that I had never seen before knock on my door asking for the security code to my access point. I ended up switching to 802.11a with WPA-Enterprise. I switched to the 5 GHz band and I am having fewer problems.
# cat /dev/mem | strings | grep -i llama
Damn, my RAM is full of llamas.
Do you not mean that the illama is full of ram.
Leslie Satenstein Montreal Quebec Canada
Perfect security.. Put some aluminum foil over it to finish your safety precautions. :)
Serious? Seriousness is well above my pay grade.
pFsense config is no harder than any of the off the shelf routers. If you buy an embedded device with everything pre-installed you just plug it in and go to the internal web interface. Upgrading is a one click affair. Sure you can put it on an old PC, or put together your own embedded kit, but those are options, not requirements, you never need to touch the CLI. I know the old version required the CLI for the initial setup, but that is no longer the case.
Mikrotik is a little more complicated, but it's rock solid at a low price and for most home DHCP WAN links there is nothing to configure.
Cheap storage VM.
He wanted to filter the MACs which get an IP via DHCP. That's no protection, because I just pick some unused IP by hand.
Do not confuse his misguided approach with MAC filtering on the access point (a layer below IP).
Dude are you trolling? Or have you just been an uber nerd so damned long you don't know any better? You know how easy the new routers are to set up? It's "Insert CD, clicky clicky next next next" and THAT IS IT. Hell many of them have basic Android and iPhone apps or websites that will hold your little hand and walk you through setting up the router without having to know more than how to push the button.
But this same attitude is why Linux goes nowhere, they go "Open just open up Bash and type" followed by a string of gibberish THEY understand which HAS TO BE TWEAKED for the situation but since THEY know how to tweak it because they've spent countless hours fiddling with the damned thing that means Sally and Grandpa can do it too...bullshit. Complete and utter bullshit and be no different than me handing you an electric bass which you had never touched in your life and saying "Play Freewill by Rush. What do you mean you can't? I can play it so should you" while ignoring I've played bass for 25+ years while you have never even tuned the instrument.
ACs don't waste your time replying, your posts are never seen by me.
No need to buy anything when a few simple router configurations may do the trick.
a. Unplug the router from the internet
b. Log in to your router setup and do the following: stop broadcasting your SSID, change your SSID, change any and all passwords on the router including the WEP key or whatever encryption protocol you are using, and finally set up MAC filters so that only approved devices can log in.
c. plug the internet back in and reboot the router.
d. configure your authorized devices to connect to the router.
Where are you? And what year is it there? I remember in the olden days when you could go to a farmer's market and save money. But in recent years (and decades) here in N.C. the farmer's markets tend to be a scam selling things for a lot more than I pay for them at the local grocery store. And a lot of what is sold was simply bought at the local wholesale produce yard and resold, including those locally grown pineapples and bananas. I just can't afford to get produce at farmer's markets around here.
I'm an American. I love this country and the freedoms that we used to have.
I always throw the cd away.
Plug the router in, wan to wan, lan to any computers, done! No further changes are necessary for DHCP internet.
Cheap storage VM.
Step 1: Isolate. Use a spare PC, add a NIC and use Untangle Lite (free) http://untangle.com/ which has very good. Turn off DHCP in your router, use it as an access point only. Let Untangle hand out addresses. Get the perp's MAC address and reserve his IP addresses. Use Untangle's report feature to build up a dossier of all his activities over a few weeks. See what he's doing.
Step 2: While compiling the reports, use HeatMapper (free) http://www.ekahau.com/products/heatmapper/overview.html on a notebook or netbook to locate him. It won't be any problem to find his AP in the signal map.
Step 3: After you have the data, mail him a copy of the reports and the heatmap to let him know you know what he's doing, and invite him over for a cup of coffee or other beverage of your choice. Be sure to tell him you don't want to turn him in or blackmail him, but you would like to talk geek to geek. Tell him you're going to disable WPS and change the WPA key, but you'd like him to try to hack in again, and tell you if you've left any open vulnerabilities. You can end the leeching and might just gain a buddy worth having.
Caveat: Of course you want to send a copy of the report to someone else to hand over to Law Enforcement in case he turns out to be a terrorist or freakazoid with implements of destruction to use against you.
So you've never even tried the actual device as it's marketed and sold, and think pfsense is a viable "solution" when you don't even know what the competition does or how?
It's obvious that your ass ain't never worked in retail because with an attitude like that you'd be having a going out of business sale before the year was up. You can NOT offer "solutions" if you don't even know how it compares to the competition and I can promise you pfsense is a bad joke compared to the ease of use of modern routers. I have seen customers who don't even know what a router is other than "I can hook up by wireless" that have managed to set the whole thing up with nothing but the CD. They know NOTHING about IP addressing, nothing about LAN or WAN, yet they have functioning networks and THAT is what you are competing against.
And do NOT give me that elitist "Well they better fucking learn, stupid noobs" bullshit because that is a classic "is ought" problem which again is a reason why Linux never goes anywhere, the devs think "They OUGHT to be able to do this because I can" while ignoring that reality IS the fact that people who don't even know what an OS is can do all the basic tasks they require because there is enough hand holding and dumbing down that those with zero education can use these things as easily as one uses a toaster.
ACs don't waste your time replying, your posts are never seen by me.
I've tested all these attacks myself, and with a good directional antenna with a high transmit power the attacker can be pretty damn far away from you.
Even if you lower your router's power output (a very good first step to mitigate this attack), his directional antenna will allow him to pick up fainter signals.
Disable 2.4GHz if you can, and just use 5GHz as there are far fewer high powered directional antennas available. The 5GHz signal also doesn't propagate as far.
If you find the location he's coming from, you can shield that with foil.
I have been out of retail for about a decade. I do occasional home network consulting but I explain things in terms that everyday users can understand. Many of them don't care to understand and may not retain it, but I don't talk down to people and assume they are not capable. No complaints and all my business is by word of mouth.
Cheap storage VM.
As an aside, it's no wonder you have morons following your posts, downmodding you, and accusing you of being a shill. At the least you appear to be bipolar.
You have posted some useful things in the past and I attempted to reciprocate. Anyone with even a moderate level of technical understanding is wasting their money on consumer level crap. Sure 90 year old Auntie Matilda might have some problems setting up something more advanced, but if I am helping her I am still going with the better quality stuff. It won't crap out unexpectedly and once it's set up it is rock solid. You can even manage it remotely. I would rather check on Aunt Matilda's router remotely every month, than have her call me every other week so I can tell her to powercycle her router.
Cheap storage VM.
That's nice that you have nothing better to do than give out free support, my time is $35 an hour and I just can't afford to be wasting it dealing with shit I'm not getting paid for. And what failures? A $50 router will run longer than the PC its hooked to, I have customers with routers that have been going for nearly a decade, in fact the only reason they have a router now is I talked them into getting rid of the hubs they had previously.
Again if you got nothing better to do, that you can afford to give away free support? Good for you, I really mean that. I have a dozen systems waiting for me when I go to work tomorrow, no less than 3 service calls and at least 5 messages on my phone wanting to set up a time for either dropping off a system or for setting up a service call, I don't have the damned time to waste setting up some PITA system that is gonna eat up time. If they want to pay for a support contract? Then I'll be happy to do it but between my work and my band on the weekends I just don't have enough hours in the day as it is and your "solution" is a giant PITA and not as good as COTS without a bunch of fiddling and hand holding. Not to mention that if they buy a tablet next week your "solution" is impossible for them to work on or get the device hooked up so there is another service call for you, shame you aren't getting a cent for all that work.
ACs don't waste your time replying, your posts are never seen by me.
Who says I give anything away? I bill more than you, probably because I am in a more urban area. I generally only give away advice, although some people (present company) don't appreciate the value. I don't waste time cleaning up PCs for the most part. I am more CIO planning, network, server, and forensics. I will happily back up a PC and perform a wipe and basic reinstall for $50. Most of my processes are automated using my egg-head linux server to manage the windows rebuild.
Cheap storage VM.
Subject says it all.
Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
I found a good solution to this. http://www.amazon.com/ZyXEL-Powerline-Wall-Plug-Adapter-PLA4215/dp/B006KSLIQG Turn off your wifi, and use this instead. I just ordered a pair myself.
Doesn't UTP defeat the purpose of having a laptop, tablet, or handheld video game system, or using home Internet to avoid cellular data caps on a smartphone? And how well does UTP work in rented dwellings?