Security issue ad-hoc network

[NovoNL]

Hi all,

Currently I'm working as an IT security intern in a big hospital. In one of the wings users reported a new unsecure ad-hoc network.

Knowing that we only have two small test wlan’s (802.1x), we could only come to the conclusion that one of the users has (accidentally?) setup an ad-hoc network.

Because this could possibly lead a security risk we want this ad-hoc network down.
To get I down voluntarily, we tried sending out an email regarding this problem to all our users who are working in this wing. Sadly his had no effect.

So to get the ad-hoc network offline we had to do something else. With the help of some colleagues, I came up with of the following plan: connecting to the ad-hoc network, get the IP address of the host, resolve the hostname of the Pc/notebook, check which user is logged on to this Pc/notebook and mail or call this user directly.

So far the plan… When I connect to the access point I get an APIPA IP address, so far no surprise. Next step would be getting the IP from the ‘host’ and resolving it’s IP address. But I don’t get any IP address of the ‘host’.
To get the IP, I tried pinging the whole the APIPA range (169.254.0.0 <> 169.254.255.255) but I only get the connected hosts (including my own netbook).

So the host of this ad-hoc network probably has 0.0.0.0 as an IP address.

The action I’ve taken so far is calling the users who are connected to this ad-hoc network. All of these users (or at least they told me…) where unaware that they where connected to this ad-hoc network. I told them to disconnect to this ad-hoc network, and helped the people who didn’t know how to disconnect.

So what I’m basically asking here is, what should be my next step? All help is welcome, and thanks in advanced!

[lakiw]

Ad hoc networks act kind of as a virus in Windows. Once you connect to one, if you computer is not currently connected to a network it will then becon out the old ad-hoc network. A good talk about this was given by Simple Nomad back in 2006. You can see the slides here...

www.nmrc.org/pub/present/shmoocon-2006-sn.ppt

I don't think that connecting to the network will give you any information unless you get lucky when checking network shares, "Hey, it's Bob's computer!" Aka, they probably don't have their computer set up to bridge their wired connection so ip info/traceroute won't help. Also, I'm always a little hesitant about taking this approach since the network/computer might not belong to the hospital, or at the very least your department so there's all sorts of legal issues. I would highly recommend against doing any other scanning, (such as nmap), since that can occasionally crash stuff, "Hey Bob's defibilator just went dead..."

You could always just turn on netstumbler, (or better yet kismet since you are reading the backtrack forums), and play a game of Marco-Pollo trying to track down the rogue laptop by its signal strength. It's a pain, but it works.

Better yet, use this for justification to turn off ad-hoc networks, (there is a setting in Windows for this), as part of your hardening procedure to prevent this in the future. Of course, actually implimenting those hardening procedures is always another problem...

[lakiw]

Oh, and the computer's IP is probably one of the 169.254.0.x ones you saw. If not, (aka they have a static IP address), you should be able to detect it by doing passive sniffing, (hey someone is sending something from a 10.0.0.x address!) since computers are chatty.

[theprez98]

Ad hoc networks act kind of as a virus in Windows. Once you connect to one, if you computer is not currently connected to a network it will then becon out the old ad-hoc network.

<---- what he said.

[NovoNL]

Ad hoc networks act kind of as a virus in Windows. Once you connect to one, if you computer is not currently connected to a network it will then becon out the old ad-hoc network. A good talk about this was given by Simple Nomad back in 2006. You can see the slides here...

First of all thank you for replaying.

About the ad-hoc beacons, are you saying the the user who is responsible for sending this these signals might not be aware of what he/she is doing? And that he/she is connecting at home (or whatever place...) to this ad-hoc network?
But wouldn't I see this as a probed network in Kismet?

I don't think that connecting to the network will give you any information unless you get lucky when checking network shares, "Hey, it's Bob's computer!" Aka, they probably don't have their computer set up to bridge their wired connection so ip info/traceroute won't help. Also, I'm always a little hesitant about taking this approach since the network/computer might not belong to the hospital, or at the very least your department so there's all sorts of legal issues. I would highly recommend against doing any other scanning, (such as nmap), since that can occasionally crash stuff, "Hey Bob's defibilator just went dead..."

You could always just turn on netstumbler, (or better yet kismet since you are reading the backtrack forums), and play a game of Marco-Pollo trying to track down the rogue laptop by its signal strength. It's a pain, but it works.

Better yet, use this for justification to turn off ad-hoc networks, (there is a setting in Windows for this), as part of your hardening procedure to prevent this in the future. Of course, actually implimenting those hardening procedures is always another problem...

About the scanning, I understand the legal problems surrounding the situation I described earlier. But if we believe that securing medical information is a bigger security issue then accidentally gaining access to a network we don't own. (I'm not justifying hacking a network you don't own!)

On the other hand we ruled out the possibility that it is a Pc/notebook/phone from a patient, the network always appears between 8 am and 9 am and always disappears between 4 pm and 6 pm, and only on working day's (mon<>fri).
Then it could be a PC/notebook/phone bought privately by an employee. Although it is explicitly told to every (new) employee it is forbidden to connect a privately bought piece device to the hospital network or to setup a new/separated network.
So even it is a privately bought device they are breaking hospital policy (again, I do not state that this justifies hacking a network you do not own), which could lead to possible endangerment of medical information.

Then about the ad-hoc beacons, are you saying the the user who is responsible for sending this these signals might not be aware of what he/she is doing? And that he/she is connecting at home (or whatever place...) to this ad-hoc network?
But wouldn't I see this as a probed network in Kismet?

Oh, and the computer's IP is probably one of the 169.254.0.x ones you saw. If not, (aka they have a static IP address), you should be able to detect it by doing passive sniffing, (hey someone is sending something from a 10.0.0.x address!) since computers are chatty.

I did check this again (log file), but the MAC addresses of the ad-hoc network doesn't match with any of the clients that where associated with this network. So it is either the 0.0.0.0 or any other static IP address...

So the only thing left would indeed be walking around and checking the signal strength... Which is something I can't do because it is to labour intensive .

[streaker69]

About the scanning, I understand the legal problems surrounding the situation I described earlier. But if we believe that securing medical information is a bigger security issue then accidentally gaining access to a network we don't own. (I'm not justifying hacking a network you don't own!)

Whatever you believe may run contrary to current laws. Just because they're there sending out beacons, if they're not directly connected to your network, you have no business connecting to them. You'd be doing exactly what you don't want others to do to you.

On the other hand we ruled out the possibility that it is a Pc/notebook/phone from a patient, the network always appears between 8 am and 9 am and always disappears between 4 pm and 6 pm, and only on working day's (mon<>fri).
Then it could be a PC/notebook/phone bought privately by an employee. Although it is explicitly told to every (new) employee it is forbidden to connect a privately bought piece device to the hospital network or to setup a new/separated network.

I think it's pretty obvious you have an employee that's bringing something in and probably doesn't realize that there's a problem. First you need to CYA, which you or your boss should send an email to the affected department reminding all employees that they are not to bring in any unauthorized computer equipment to be used on the grounds. Attached a Read Receipt to it and then double check that all employees have read it. You could state in there that an anomaly has been detected and if this anomaly continues to be detected than further actions will be taken to find the device and punish the person responsible.

Normally it only it only means instilling fear into the employees that you know something is going on to stop the whatever is going on. If you make it pretty clear that the IT department knows all/sees all/kills all then you'll get your people whipped into shape in no time.

Or if you want to just have some fun. Make something that looks like a Yagi antenna, connect it to your laptop and just start wandering the halls in the department where you're seeing it. Spend time near the nurses stations just wandering back and forth. If anyone asks what you're doing tell them you've detected a rogue device and you're trying to track it down. Tell them that when you find the rogue it will be confiscated and sent to a forensic lab for analysis. Watch their reactions, chance are, you'll find the guilty party.

[Archangel-Amael]

I would definitely go with the advice from streaker on this one.
Especially the first part. Not sure about the second part but it would probably be fun.

[Barry]

I would definitely go with the advice from streaker on this one.
Especially the first part. Not sure about the second part but it would probably be fun.

I've done the second part for real. It's fun to see their faces when you walk into the room and pull an illegal access point out of the wall. I see "free public wifi" all the time here. I just go into the conference room and tell them to turn off their wifi.

[newkoba]

I see this all the time where I work. What I do here is run WiFiFoFum on my iPaq and when it picks up a p2p connection I go wandering watching the signal levels until I find it and then remove it from the available networks on that person's computer / pda. Not really hard plus it'll get you out of your normal area for a bit.

[Barry]

I see this all the time where I work. What I do here is run WiFiFoFum on my iPaq and when it picks up a p2p connection I go wandering watching the signal levels until I find it and then remove it from the available networks on that person's computer / pda. Not really hard plus it'll get you out of your normal area for a bit.

My normal area used to be a 100 mile radius and 24 different buildings. Now I have one building to worry about.