
Thread: Security issue ad-hoc network

  1. #1
    Just burned his ISO
    Join Date
    Mar 2010
    Posts
    7

    Default Security issue ad-hoc network

    Hi all,

    Currently I'm working as an IT security intern in a big hospital. In one of the wings, users reported a new, unsecured ad-hoc network.

    Knowing that we only have two small test WLANs (802.1X), we could only conclude that one of the users has (accidentally?) set up an ad-hoc network.

    Because this could pose a security risk, we want this ad-hoc network taken down.
    To get it taken down voluntarily, we tried sending an email about the problem to all users working in this wing. Sadly this had no effect.

    So to get the ad-hoc network offline we had to do something else. With the help of some colleagues I came up with the following plan: connect to the ad-hoc network, get the IP address of the host, resolve the hostname of the PC/notebook, check which user is logged on to it, and mail or call that user directly.

    So far the plan... When I connect to the access point I get an APIPA address, which is no surprise. The next step would be getting the IP address of the 'host' and resolving it. But I don't get any IP address for the 'host'.
    To get the IP, I tried pinging the whole APIPA range (169.254.0.0 to 169.254.255.255), but I only get the connected hosts (including my own netbook).

    So the host of this ad-hoc network probably has 0.0.0.0 as an IP address.

    The action I've taken so far is calling the users who are connected to this ad-hoc network. All of these users (or at least so they told me...) were unaware that they were connected to it. I told them to disconnect from the ad-hoc network and helped the people who didn't know how.

    So what I'm basically asking is: what should my next step be? All help is welcome, and thanks in advance!

  2. #2
    Junior Member
    Join Date
    Mar 2006
    Posts
    28

    Default

    Ad-hoc networks act kind of like a virus in Windows. Once you connect to one, if your computer is not currently connected to a network it will then beacon out the old ad-hoc network. A good talk about this was given by Simple Nomad back in 2006. You can see the slides here...

    www.nmrc.org/pub/present/shmoocon-2006-sn.ppt

    I don't think that connecting to the network will give you any information unless you get lucky when checking network shares, "Hey, it's Bob's computer!" Aka, they probably don't have their computer set up to bridge their wired connection, so IP info/traceroute won't help. Also, I'm always a little hesitant about taking this approach since the network/computer might not belong to the hospital, or at the very least your department, so there are all sorts of legal issues. I would highly recommend against doing any other scanning (such as nmap), since that can occasionally crash stuff: "Hey, Bob's defibrillator just went dead..."

    You could always just turn on NetStumbler (or better yet Kismet, since you are reading the BackTrack forums) and play a game of Marco Polo, trying to track down the rogue laptop by its signal strength. It's a pain, but it works.

    Better yet, use this as justification to turn off ad-hoc networks (there is a setting in Windows for this) as part of your hardening procedure, to prevent this in the future. Of course, actually implementing those hardening procedures is always another problem...
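The Marco Polo approach above works from a plain Windows laptop too, without Kismet or NetStumbler. The script below is an added example, not code from the thread or from any poster: it polls the scan cache that netsh exposes and prints the signal percentage for one ad-hoc SSID so the trend is visible while you walk. It assumes Windows Vista/7 or later with the WLAN AutoConfig service running; the SSID "ROGUE-ADHOC" is a placeholder, not a value from the thread. One caveat a practitioner will hit: netsh has no scan command, it only reports the cached result of the last scan Windows did on its own (roughly once a minute unless the WLAN UI is refreshed), so readings lag your position and you should pause at each spot rather than read them while moving.

```powershell
# Added example (not from the original thread). Poll the Windows scan cache and
# print the signal strength of one ad-hoc SSID so you can see whether you are
# getting closer. Assumes Windows Vista/7+ with WLAN AutoConfig; the default
# SSID "ROGUE-ADHOC" is a placeholder. netsh returns the cached scan, which
# Windows refreshes on its own about once a minute, so readings lag your position.

param(
    [string]$TargetSsid = "ROGUE-ADHOC",
    [int]$IntervalSeconds = 5
)

# Parse 'netsh wlan show networks mode=bssid' output into one object per BSSID.
# Lines look like:  SSID 3 : name / Network type : Adhoc / BSSID 1 : aa:bb:.. / Signal : 72%
function ConvertFrom-NetshNetworks {
    param([string[]]$Lines)
    $ssid = $null; $type = $null; $bssid = $null
    foreach ($line in $Lines) {
        if ($line -match '^SSID \d+\s*:\s*(.*)$')               { $ssid  = $Matches[1].Trim(); continue }
        if ($line -match '^\s*Network type\s*:\s*(\S+)')        { $type  = $Matches[1]; continue }
        if ($line -match '^\s*BSSID \d+\s*:\s*([0-9a-fA-F:]{17})') { $bssid = $Matches[1]; continue }
        if ($line -match '^\s*Signal\s*:\s*(\d+)%') {
            [pscustomobject]@{ SSID = $ssid; Type = $type; BSSID = $bssid; Signal = [int]$Matches[1] }
        }
    }
}

while ($true) {
    $scan  = netsh wlan show networks mode=bssid
    $hits  = ConvertFrom-NetshNetworks -Lines $scan |
             Where-Object { $_.SSID -eq $TargetSsid -and $_.Type -eq 'Adhoc' }
    $stamp = Get-Date -Format 'HH:mm:ss'
    if (-not $hits) {
        Write-Host "$stamp  $TargetSsid not in scan cache"
    } else {
        foreach ($h in $hits) {
            # Crude bar, one '#' per 5%, so the trend is readable at a glance.
            $bar = '#' * [math]::Floor($h.Signal / 5)
            Write-Host ("{0}  {1}  {2,3}%  {3}" -f $stamp, $h.BSSID, $h.Signal, $bar)
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Run it as `.\Find-AdhocSignal.ps1 -TargetSsid "the SSID you see"` and stop with Ctrl+C. Filtering on `Type -eq 'Adhoc'` matters because an employee's home SSID can also exist as an infrastructure network elsewhere in range; only the ad-hoc BSSID is the one you are chasing.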

  3. #3
    Junior Member
    Join Date
    Mar 2006
    Posts
    28

    Default

    Oh, and the computer's IP is probably one of the 169.254.0.x ones you saw. If not, (aka they have a static IP address), you should be able to detect it by doing passive sniffing, (hey someone is sending something from a 10.0.0.x address!) since computers are chatty.
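The "setting in Windows for this" from lakiw's first post, written out as commands. This is an added example, not code from the thread or from any poster. It assumes Windows Vista/7 or later (the `netsh wlan` context does not exist on XP) and an elevated PowerShell session, and it parses the English-locale netsh output (the "All User Profile" and "Network type" labels are localized on other language builds). It does two things: it deletes any saved ad-hoc profiles, which are what a Windows client carries around and can later advertise on its own when no infrastructure network is available, and it adds a denyall filter so the machine will neither join nor start an ad-hoc network regardless of SSID.

```powershell
# Added example (not from the original thread). Remove stale ad-hoc profiles and
# block ad-hoc networking with a netsh wlan filter. Assumes Windows Vista/7+,
# an elevated PowerShell session, and English-locale netsh output.

# 1. List every saved WLAN profile on this machine.
$profileLines = netsh wlan show profiles |
    Select-String -Pattern 'All User Profile\s*:\s*(.+)$'
$profileNames = $profileLines | ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }

# 2. Keep only the profiles whose connectivity section says "Network type : Adhoc".
#    These are the profiles the client can re-advertise by itself.
$adhocProfiles = foreach ($name in $profileNames) {
    $detail = netsh wlan show profile name="$name"
    if ($detail -match 'Network type\s*:\s*Adhoc') { $name }
}

Write-Host "Ad-hoc profiles found: $(@($adhocProfiles).Count)"
$adhocProfiles | ForEach-Object { Write-Host "  $_" }

# 3. Delete each ad-hoc profile.
foreach ($name in $adhocProfiles) {
    netsh wlan delete profile name="$name"
}

# 4. Deny every ad-hoc network regardless of SSID. This is the per-machine
#    equivalent of the Group Policy setting "Prevent connections to ad-hoc
#    networks" under Wireless Network (IEEE 802.11) Policies.
netsh wlan add filter permission=denyall networktype=adhoc

# 5. Verify: the output should list the denyall ad-hoc entry under the filters.
netsh wlan show filters
```

For a fleet, the Group Policy setting named in step 4 is the right place to enforce this; the netsh filter is what you use to fix a single machine today or to verify that the policy actually landed on a given laptop. Note that a filter blocks the Windows client from joining ad-hoc networks; it does nothing about a non-Windows device or a phone tethering hotspot, so the policy reminder in the later replies is still needed.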

  4. #4
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533

    Default

    Quote Originally Posted by lakiw View Post
    Ad hoc networks act kind of as a virus in Windows. Once you connect to one, if you computer is not currently connected to a network it will then becon out the old ad-hoc network.
    <---- what he said.
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  5. #5
    Just burned his ISO
    Join Date
    Mar 2010
    Posts
    7

    Default

    Quote Originally Posted by lakiw View Post
    Ad hoc networks act kind of as a virus in Windows. Once you connect to one, if you computer is not currently connected to a network it will then becon out the old ad-hoc network. A good talk about this was given by Simple Nomad back in 2006. You can see the slides here...
    First of all, thank you for replying.

    About the ad-hoc beacons, are you saying that the user who is responsible for sending these signals might not be aware of what he/she is doing? And that he/she is connecting at home (or wherever...) to this ad-hoc network?
    But wouldn't I see this as a probed network in Kismet?

    Quote Originally Posted by lakiw View Post
    I don't think that connecting to the network will give you any information unless you get lucky when checking network shares, "Hey, it's Bob's computer!" Aka, they probably don't have their computer set up to bridge their wired connection, so IP info/traceroute won't help. Also, I'm always a little hesitant about taking this approach since the network/computer might not belong to the hospital, or at the very least your department, so there are all sorts of legal issues. I would highly recommend against doing any other scanning (such as nmap), since that can occasionally crash stuff: "Hey, Bob's defibrillator just went dead..."

    You could always just turn on NetStumbler (or better yet Kismet, since you are reading the BackTrack forums) and play a game of Marco Polo, trying to track down the rogue laptop by its signal strength. It's a pain, but it works.

    Better yet, use this as justification to turn off ad-hoc networks (there is a setting in Windows for this) as part of your hardening procedure, to prevent this in the future. Of course, actually implementing those hardening procedures is always another problem...
    About the scanning, I understand the legal problems surrounding the situation I described earlier. But if we believe that securing medical information is a bigger security issue than accidentally gaining access to a network we don't own... (I'm not justifying hacking a network you don't own!)

    On the other hand, we ruled out the possibility that it is a PC/notebook/phone from a patient: the network always appears between 8 am and 9 am and always disappears between 4 pm and 6 pm, and only on working days (Mon-Fri).
    Then it could be a PC/notebook/phone bought privately by an employee, although every (new) employee is explicitly told that it is forbidden to connect a privately bought device to the hospital network or to set up a new/separate network.
    So even if it is a privately bought device, they are breaking hospital policy (again, I do not claim that this justifies hacking a network you do not own), which could endanger medical information.

    Quote Originally Posted by lakiw View Post
    Oh, and the computer's IP is probably one of the 169.254.0.x ones you saw. If not, (aka they have a static IP address), you should be able to detect it by doing passive sniffing, (hey someone is sending something from a 10.0.0.x address!) since computers are chatty.
    I did check this again (log file), but the MAC address of the ad-hoc network doesn't match any of the clients that were associated with this network. So it is either 0.0.0.0 or some other static IP address...

    So the only thing left would indeed be walking around and checking the signal strength... which is something I can't do because it is too labour-intensive.

  6. #6
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    About the scanning, I understand the legal problems surrounding the situation I described earlier. But if we believe that securing medical information is a bigger security issue than accidentally gaining access to a network we don't own... (I'm not justifying hacking a network you don't own!)
    Whatever you believe may run contrary to current laws. Just because they're there sending out beacons, if they're not directly connected to your network, you have no business connecting to them. You'd be doing exactly what you don't want others to do to you.

    On the other hand, we ruled out the possibility that it is a PC/notebook/phone from a patient: the network always appears between 8 am and 9 am and always disappears between 4 pm and 6 pm, and only on working days (Mon-Fri).
    Then it could be a PC/notebook/phone bought privately by an employee, although every (new) employee is explicitly told that it is forbidden to connect a privately bought device to the hospital network or to set up a new/separate network.
    I think it's pretty obvious you have an employee that's bringing something in and probably doesn't realize that there's a problem. First you need to CYA: you or your boss should send an email to the affected department reminding all employees that they are not to bring in any unauthorized computer equipment to be used on the grounds. Attach a read receipt to it and then double-check that all employees have read it. You could state in there that an anomaly has been detected and that if this anomaly continues to be detected, further action will be taken to find the device and punish the person responsible.

    Normally it only takes instilling in the employees the fear that you know something is going on to stop whatever is going on. If you make it pretty clear that the IT department knows all/sees all/kills all, then you'll get your people whipped into shape in no time.

    Or, if you want to just have some fun: make something that looks like a Yagi antenna, connect it to your laptop and just start wandering the halls in the department where you're seeing it. Spend time near the nurses' stations just wandering back and forth. If anyone asks what you're doing, tell them you've detected a rogue device and you're trying to track it down. Tell them that when you find the rogue it will be confiscated and sent to a forensic lab for analysis. Watch their reactions; chances are you'll find the guilty party.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  7. #7
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default

    I would definitely go with the advice from streaker on this one.
    Especially the first part. Not sure about the second part but it would probably be fun.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  8. #8
    My life is this forum Barry's Avatar
    Join Date
    Jan 2010
    Posts
    3,817

    Default

    Quote Originally Posted by archangel.amael View Post
    I would definitely go with the advice from streaker on this one.
    Especially the first part. Not sure about the second part but it would probably be fun.
    I've done the second part for real. It's fun to see their faces when you walk into the room and pull an illegal access point out of the wall. I see "free public wifi" all the time here. I just go into the conference room and tell them to turn off their wifi.
    Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69
