Slashdot Mirror
Ask Slashdot: Dealing With an Advanced Wi-Fi Leech?
An anonymous reader writes "Recently, I had found out (through my log files) that my wireless router was subject to a Wi-Fi Protected Setup (WPS) brute force PIN attack. After looking on the Internet and discovering that there are indeed many vulnerabilities to WPS, I disabled it. After a few days, I noticed that I kept intermittently getting disconnected at around the same time every day (indicative of a WPA deauthentication handshake capture attempt). I also noticed that an evil twin has been set up in an effort to get me to connect to it. Through Wi-Fi monitoring software, I have noticed that certain MAC addresses are connected to multiple WEP and WPA2 access points in my neighborhood. I believe that I (and my neighbors) may be dealing with an advanced Wi-Fi leech. What can I do in this situation? Should I bother purchasing a directional antenna, figuring out exactly where the clients are situated, and knocking on their door? Is this something the local police can help me with?"
And punch him in the nose.
WPS works by giving out your WPA keys, so if they've gotten in once through WPS, they will continue to have access.
UTP
Yes, I'm left. You have a problem with that?
Setup squid and redirect all web traffic through it. Replace all images on machines that are not yours with goatse.
Why even do that? Simply set up a list of accepted MAC addresses and give them assigned IPs. Don't provide any service to a MAC address not matching known. Unfortunately, that only stops your router/AP from handing out IPs. They can still eavesdrop and work on listening in on traffic.
...I think that means he's consenting to letting you administrate his system. I suggest you do so.
Log in to the Evil Twin network. Start a bunch of illegal torrents and "accidentally" alert the appropriate parties by IP address. Some appropriate in-theater movies and the MPAA would be a good start.
//TODO: Think of witty sig statement
So then he sets his MAC address to one on the allowed list. Not exactly a tough thing to do.
The first thing would obviously be MAC whitelisting on the router, though if he is smart enough, he would just spoof his MAC to one of the ones on your network, so its unlikely it would stop him. Depending on where you need your wireless router, have you considered turning down the radio strength and putting the router in an area where it covers where you want to use it without the WiFi signal going too far outside the bounds of your house?
Doubt that would work. The leecher has already demonstrated a knowledge of layer-2 attacks against 802.11, I doubt limiting your DHCP scope is going to stop them. They'll just null handshake one of your devices off the WLAN.
-Reduce transmit power
-Move or buy a directional antenna
Have time on your hands?
http://www.ex-parrot.com/~pete/upside-down-ternet.html
If they're going to go through the trouble of setting up a honeypot, you might was well give up and just shut the radio off and run 100% wired.
Or, go rogue yourself and capture all his traffic. Bonus points if you rate-limit the wireless to effectively have no bandwidth.
The local cops? If your local police department is anything like mine, they don't even send out officers to investigate real property crimes like theft anymore. They'll just laugh at your little WiFi problem.
Do i really have to say it? WPA2, 63 characters pwd.
To FBI surveillance van.
If you find him, give him props and buy him a beer and ask him to share how he's doing what he's doing with you. Sounds like some pretty cool shit.
-1 Uncomfortable Truth
start knocking on doors and asking your neighbors if they would mind terribly if you spoke with their 15 year old son for a few minutes, because you've determined he's been hacking your wifi. Eventually, you'll hit the right house. For the wrong houses, act confused and say you must have miscalculated by a house or two, and that you're sorry. Bring cookies to show you're not an ass, though.
If someone had an extension cord plugged into my outside outlet and it ran to their house to steal power, I would walk over, knock on the door, and ask them to stop it. And yes, I would also unplug it.
If you have the means to determine where they are it's worth asking them to stop. That alone might change their attitude toward poking at networks.
Why even do that? Simply set up a list of accepted MAC addresses and give them assigned IPs. Don't provide any service to a MAC address not matching known. Unfortunately, that only stops your router/AP from handing out IPs. They can still eavesdrop and work on listening in on traffic.
I use reserved MAC addresses and a non-trivial WPA2 password. The router won't connect any unknown MAC addresses.
That seems to work for me.
If they crack that, they aren't leeches. They are crooks. Call the FBI.
"For every complex problem there is an answer that is clear, simple, and wrong."
-H. L. Mencken
Brute force attacks take time, lots of time. Just start changing your key every week and he will probably go away. Having your computer run 96 hours to get a password that then changes 72 hours later just isn't worth it, even for a criminal. If he keeps at it then someone just enjoys the challenge, and you should hunt them down just for the mystery.
Some neighbor comes in good faith and opens his digital life to you, so you can MITM him and this is how you react? That is rude man. I think that guy deserves an apology sent from one of his social networks accounts.
They probably are the FBI...
NO NO NO
Create a GUI in Visual Basic and track his IP.
So yes, I've dealt with it. The easy solution is go wired for a while, setup a honeypot and track them down. Once you know where they are let them know you are less than pleased and if they don't stop there will be a call to the FCC and local authorities as well as a civil suit for harassment. If you can't go wired Lower your ACK timing and transmit power so they can't get a good signal without standing on your doorstep. switch to a certificate based system instead of a password based system with a new ssid. On the new system setup a proxy that requires additional authentication to reach the internet. Assign static macs to your own devices and block all other local IPs via iptables to prevent them from self-assigning one. As for deauthentication attacks, the best bet is to find them and ans send over a nastygram.
Get a web developer
Let's see...
As per OP set up MAC address filtering, if this guy is trying to set up evil twins & trying to do handshake captures on your network, MAC addresses are spoofable.
I also like to hide the SSID just to make things harder, but if he's passive listening, that may not help either... though at this point, a hidden SSID with WPA2 encryption does not make for an attractive target, esp. when the MAC needs to be spoofed (I wouldn't know this till i broke through the 1st 2).
However, the single most effective thing you can do is limit your antenna's radius... if your router's stock firmware can't do it, dd-wrt and friends can. Stand outside your house till you can't connect to your wifi at your fence anymore, adjusting the radius in increments.
Last, but not least, go buy a steel fish line and drywall saw at home depot and wire up your house w ethernet ports and disable your wifi. Tough luck on the phones though, unless you can find an adapter for them.
There are two ways of dealing with this: getting this person off [i]your[/i] network, and getting this person off [i]everyone's[/i] network.
Personally, I think if you can get everyone to squeeze him off their networks then that will probably be the nicest kind of vengeance.
Consider writing up a simple letter (starting with: Just a note from a neighbor), detail that someone in the area has been breaking into wireless networks and may be pirating stuff/doing illegal things which could lead to difficulties for the actual owner of the OP. Then, provide a basic summary of what to do to avoid it (e.g. disable WPS, etc etc) and maybe even provide URLs for the major router manufacturers.
With [i]some[/i] luck, [i]some[/i] people will pay attention and lock down their network.
If you know who it is doing it (using handy phone apps to detect signal strength, or a directional antenna) then you could do a 'special' letterbox drop for that one person with a 'how to buy an internet connection'.
Mind you, if this person is using an 'evil twin' they may be doing more than just stealing Wifi. If their MAC address is stable (i.e. they are not modifying it) you may want to capture some sample traffic with that included. If things do go awry you can use that to provide evidence it was that person's computer, possibly.
Make a little shield with a bit of foil and a coathanger. While tracking the incoming attempts, shield your WAP from various directions until it stops. Gives you a direction, and you can bend the coathanger into a little stand to hold the shield in place next to your WAP. It's likely to be in the direction of a near wall, isn't it?
Amazing stuff, tinfoil.
Do not mock my vision of impractical footwear
Knock up a cron job to change your WPA2 key every 24 hours. Use a QR code generator to print out the code on paper for your new key every morning, so you can just snap it with your phone and you're on. He'll get bored of trying to break something that changes faster than he can break it, and he'll move onto someone else.
Agree also with disabling wireless at the times he uses it, and when you're not, if this is feasible for your lifestyle.
And 5GHz also sounds sensible.
If you do find out who he is, change your SSID to *his* name and address. That should freak him a bit.
This is why I am flabbergasted that with all the problems people have with security with WEP and WPA that it never occurred to anyone to do a DHE key exchange before swapping anything that requires the preshared key and adding an artificial minimum to the time between authentication attempts of any kind, such as 15 seconds. That would instantly fix the current weakness with WPA2 and slow down all unknown attacks in the future.
Calling local ham radio enthusiasts would probably lead to some very entertaining results.
The most memorable story I've ever heard along those lines was that a couple of hams had access to a fairly large dish antenna and were setting up some sort of satellite communications (for work, not play). A guy nearby was running a horribly unshielded CB amplifier that was crapping all over their signal. They told him to knock it off. He refused. They pointed out that he was blowing way past FCC limits on transmission power. He ignored them. They pointed the dish straight at his shack and transmitted maximum power at it. Within a few minutes smoke was pouring out of it... bet you could fry a router pretty easily.
The evil twin makes finding the culprit a cakewalk. Download inSSIDer and walk around. When the evil twin's signal is strongest, you're outside his door.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
Why would he even send a DHCP request?
(Several posts here are talking as if DHCP is a vital stage in setting up a network connection.)
# cat
Damn, my RAM is full of llamas.
Freeloading? If that was his only intention, he wouldn't have troubled to set up the evil twin. This guy is serious trouble, and you don't want him on your LAN.
And somebody like me would completely own you for it:
1. I have the technical know how to set my SSID to hidden: red flag #1
2. What else do I have running if my SSID is hidden?
In my case, I log all my traffic, and honestly it might take me a second to notice, all it would take is a few hiccups of my bandwidth for me to take a quick look at the settings and at that point, I'd log your traffic for a while, see what I can gather, and go find a zero-day, break through, escalate privilege, send your pr0n to your mom via the facebook login I logged, and delete your registry before I'm done.
So in short, you never quite know what you're logging into when you go rogue on wifi :)
No. In this case it is irrelevant. The attacker has already demonstrated relatively sophisticated attacks. We are well past SSID broadcast as being remotely relevant.
He is using tools that will find your network regardless of whether SSID is on or off. There is no point in inconveniencing yourself.
Its the equivalent of trying to hide by putting on dark clothes and a hat when you already know your pursuer is using infrared, passive sonar, and motion sensors to find you.
Make sure you don't allow admin over wifi. Most routers have a setting so you can only administer it from a wired connection. This isn't an absolute or a fix for the base situation, it's just an extra hurdle for them if they get in and want to screw with you for fighting back.
It is widely known by security professionals that hiding your SSID actually decreases security. For starters, it is easy enough to sniff a SSID out of the air. What is more concerning is that wireless clients configured to connect to a hidden network will constantly try to connect to any wireless network, essentially asking "Are you my network?" A malicious access point could say, "Yup, sure am!" At that point your wireless client will be more than happy to divulge your preshared key. There are even affordable retail products that accomplish this out of the box. Check out the Wi-Fi Pineapple.
Clearly you do not have someone trying to leech your network, or you are not able to detect such a user. MAC addresses are broadcast in the clear. This is because otherwise every device on the network would have to decrypt every single packet in order to determine whether or not the device is the intended recipient of the packet. All the attacker has to do inspect a packet, find the MAC address, then spoof that MAC address.
WiFi Protected Setup (WPS) is broken, and on many routers it cannot be fixed without disabling WiFi completely. Even a 64-character, high entropy password on WPA2 AES will not work. This is the problem faced by the poster of the article.
In my mind, the best solution is high entropy, long password, WPA2-AES with a router that does not have WPS or is known to be able to safely disable WPS (such as latest versions of DD-WRT).
I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.
This story contains a hilarious amount of bullshit.
-1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
"My guess is that this individual is conducting illegal activities through yours and your neighbor's connections"
This is highly likely. The guy has invested much time and effort in this so they clearly have motives other than saving a few bucks. OP should make attempts to locate this guy and to shut him down. Use laptops or cell phones with wireless monitoring applications to locate the guy's AP. Nothing too fancy, just do a bit of sneaker-netting while watching the signal strength. You don't need to triangulate the location to within a foot, you just need to get a general idea of where this thing is. Once you get close you should be able to tell which building/car it is in. If this yields inconclusive results then contact the local HAM club. They may be able to assist you in locating a rogue AP or wifi leech in exchange for beer and pizza.
Also, OP needs to file a police report. Will the police do anything? No, of course not. However, it will help to shield OP from liability when the FBI comes knocking in regard to whatever illegal activities are being conducted through his internet connection. He'll be able to point to the police reports as evidence that someone else was on the network long before the authorities showed up.
-1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
Anyway, in case it is genuine: Somebody has been freeloading, so what?
Ask yourself, why would someone go to such great lengths to use someone else's bandwidth?
Give me Classic Slashdot or give me death!
Leaving aside the fact questionable legality of your little nerd-vigilante justice fantasies and granting for a moment that the fact that what the guy is doing is technically a felony...
Ignoring the possibility that the poor sap that opens the door might have nothing to do with the attempt - could be his 15 year old kid... worse yet, it could be a zombie machine trying to connect...
Leaving all that aside and assuming that everything is as it appears on it's face. You go over and knock, assault the guy and get the right person...
This all falls under a category I like to call "things I don't want to have to explain to a judge".
TL;DR: You're being criminally stupid.
Touch everywhere, even when inappropriate.
First of all, just to be clear: this isn't leaching, this is someone doing something nefarious. If they just wanted free bandwidth, they would never set up an evil twin network. Most of the replies on this thread are bad advice assuming it's a leech. The person responsible might be nearby, but probably not; if you track down the computer that's responsible, you're likely to find that its owner doesn't know what's going on and it's been taken over by an anonymous attacker over the Internet. Or you'll find a PwnPlug.
The first thing you need to do is notify the police that you're being targeted by hacking. This is important; if your computer/network is taken over and used for something illegal, which is likely to happen, this will protect you. Second: you need to notify your employer, as well as anyone whose confidential data you're in possession of. And third: you need to harden your computer security, and figure out why you might have been targeted.
On a modern network, it is.... at least at the consumer level where nobody knows how to configure a subnet manually, but if you're managing any kind of large scale network it becomes very difficult to work with static configurations on every workstation even when you know how.
My point is that it is *incredibly* trivial to connect to a wireless router that has DHCP enabled and just use an IP address of your choosing. It's a perfectly normal thing to do if you want to be able to predictably SSH a machine or something, and even MS Windows has a GUI way of doing it. Somebody who is sniffing network traffic and cracking encryption keys can easily determine which addresses are already in use, and in practice, if you take an address at the high end of the range (e.g. 192.168.1.250), you won't run in to any trouble with other clients.
# cat
Damn, my RAM is full of llamas.
Do a quick search online to get hold of some identity theft / credit card harvesting malware and modify it so it sends the capture to you.
Then, setup a transparent linux proxy server that replaces any executable file downloaded with your malware, and put it between your internet connection and an open wireless network.
Let the little turd use your free wifi internet to his heart's content, and wait for him to install the malware when he's trying to install something legitimate. Then, wait for your malware to send you the details of who he is, what his credit card numbers are etc.
Finally, go to the local coffee shop that gives out free wifi with every coffee purchased, and drop all those details you collected on pastebin.
Problem solved.