Page 1 of 5
Results 1 to 10 of 42

Thread: how to identify a wireless intruder

  1. #1
    Just burned his ISO
    Join Date
    Jan 2009
    Posts
    7

    Default how to identify a wireless intruder

    I've noticed some "out of the ordinary" activity on my AP's connected clients' list.
    I'd like to know if there's something I could do to identify the intruder.

    I do have information about the hostname of the attacker's computer and the MAC of his wireless card, but I do also know that both these parameters can be changed at will.
    Does the AP collect any more data about his DHCP clients?

    Note: I know that the easiest way to cope with this situation is to change password, etc, but please notice that my question regards the identification of the intruder, not the solution to the intrusion itself.

    Thanks.

  2. #2
    Developer balding_parrot's Avatar
    Join Date
    May 2007
    Posts
    3,399

    Default

    Quote Originally Posted by piramiday View Post
    I've noticed some "out of the ordinary" activity on my AP's connected clients' list.
    I'd like to know if there's something I could do to identify the intruder.

    I do have information about the hostname of the attacker's computer and the MAC of his wireless card, but I do also know that both these parameters can be changed at will.
    Does the AP collect any more data about his DHCP clients?

    Note: I know that the easiest way to cope with this situation is to change password, etc, but please notice that my question regards the identification of the intruder, not the solution to the intrusion itself.

    Thanks.
    Not really (as you pointed out yourself this info can be changed).
    That would depend on your AP (check the logs and the manual for what can be set to be logged) but I really doubt you are going to get any info that would help you much.

    There is proprietary software that can "profile" the unique characteristics of a wireless card, but that is probably going to be cost prohibitive.

    Having said that, you are either best off logging as much as you can and handing that info to the appropriate authorities, or just changing to better encryption. Be careful that you don't go outside the limits of local and national laws yourself.

  3. #3
    Just burned his ISO
    Join Date
    Jan 2009
    Posts
    7

    Default

    Quote Originally Posted by balding_parrot View Post
    Not really (as you pointed out yourself this info can be changed).
    That's what I feared.

    Quote Originally Posted by balding_parrot View Post
    That would depend on your AP (check the logs and the manual for what can be set to be logged) but I really doubt you are going to get any info that would help you much.
    Unfortunately my AP manages to log only so much.
    Considering now the general theory of consumer wireless authentication, which information could be accessed? I honestly couldn't come up with any kind of loggable information other than MAC address and hostname. Obviously I'm not talking about packet inspection or further traffic analysis (that is, monitor web searches or find out email provider).

    Quote Originally Posted by balding_parrot View Post
    There is proprietary software that can "profile" the unique characteristics of a wireless card, but that is probably going to be cost prohibitive.
    Oh, whoa, is there? And what would the procedure be? I'm quite curious: the only "unique" identification string I know of is the MAC address, but I read that it can be changed, even permanently...

    Thank you for your quick reply! :P

  4. #4
    Member
    Join Date
    Nov 2007
    Posts
    220

    Default

    I am just pondering here, so this is not advice, just a thought; do not do this (yes, I'm looking at you piramiday lol)

    What _could_ be the legal side on this train of thought:
    If you own the network then you should be able to do what you want to the network without treading on the toes of the 'computer misuse act' (UK, but guessing many countries have something similar in concept?).

    So could you do a mitm on this person, and look for usernames and identifying information? I am not saying crack passwords or read emails, but from searches etc?

    You are not abusing the network as you own it, and by sniffing traffic without trying to reverse an encrypted/hashed password you are doing anything naughty?

    I am not a lawyer and know nothing on this side, just a thought.
    wtf?

  5. #5
    Just burned his ISO
    Join Date
    Jan 2009
    Posts
    7

    Default

    Thank you, Andy90, for your contribution.

    As I already wrote in my previous post (that has not appeared yet), I'd rather avoid such an approach, not only because of its dubious legal aspect, but mostly because of my ignorance in such type of monitoring.

    Meanwhile, I have considered another option, that is: listen to my neighbours' wireless area network with particular attention to the connected clients, and then try to discover each client's hostname, comparing it with the intruder's one.
    Assuming that the intruder browses his home WAN using the same hostname as the one used for the intrusion, I could determine if he is one of my neighbours. The same applies for the MAC address.

    So, is there a way to discover the hostname of every wireless client in a specified wireless network?

    Thank you again.

  6. #6
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by Andy90 View Post
    I am just pondering here, so this is not advice, just a thought; do not do this (yes, I'm looking at you piramiday lol)

    What _could_ be the legal side on this train of thought:
    If you own the network then you should be able to do what you want to the network without treading on the toes of the 'computer misuse act' (UK, but guessing many countries have something similar in concept?).

    So could you do a mitm on this person, and look for usernames and identifying information? I am not saying crack passwords or read emails, but from searches etc?

    You are not abusing the network as you own it, and by sniffing traffic without trying to reverse an encrypted/hashed password you are doing anything naughty?

    I am not a lawyer and know nothing on this side, just a thought.
    The OP does not state if this is an Open or Closed network. While it may be a 'private' network, it might not have any encryption. If this is true he could run afoul of computer misuse laws, since he effectively did nothing to stop someone from connecting to the network.

    Especially if his SSID == "FreePublicWifi".
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  7. #7
    Member imported_Deathray's Avatar
    Join Date
    Oct 2007
    Posts
    381

    Default

    Quote Originally Posted by Andy90 View Post
    I am just pondering here, so this is not advice, just a thought; do not do this (yes, I'm looking at you piramiday lol)

    What _could_ be the legal side on this train of thought:
    If you own the network then you should be able to do what you want to the network without treading on the toes of the 'computer misuse act' (UK, but guessing many countries have something similar in concept?).

    So could you do a mitm on this person, and look for usernames and identifying information? I am not saying crack passwords or read emails, but from searches etc?

    You are not abusing the network as you own it, and by sniffing traffic without trying to reverse an encrypted/hashed password you are doing anything naughty?

    I am not a lawyer and know nothing on this side, just a thought.
    If you actually are going to go down that road, I would suggest something not that offensive and passively sniff by, for example, setting up a hub between the wireless router and the internet and then listening with X tool on the hub. Actively poisoning the ARP table of the intruder may be illegal, but simply passively sniffing on your own network shouldn't be - unless of course the SSID sounds similar to "Public WiFi", as streaker says.
    - Poul Wittig

  8. #8
    Senior Member
    Join Date
    Apr 2008
    Posts
    2,008

    Default

    Quote Originally Posted by streaker69 View Post
    The OP does not state if this is an Open or Closed network. While it may be a 'private' network, it might not have any encryption. If this is true he could run afoul of computer misuse laws, since he effectively did nothing to stop someone from connecting to the network.

    Especially if his SSID == "FreePublicWifi".
    Seeing as the OP says the best approach probably would be to simply change password I assume that he is talking about a WEP/WPA key.
    -Monkeys are like nature's humans.

  9. #9
    Senior Member secure_it's Avatar
    Join Date
    Feb 2010
    Location
    在這兩者之間 BackTrack是4 FwdTrack4
    Posts
    854

    Lightbulb

    Quote Originally Posted by =Tron= View Post
    Seeing as the OP says the best approach probably would be to simply change password I assume that he is talking about a WEP/WPA key.
    Nope Tron, he is not asking for a solution, as he has clearly stated:
    Note: I know that the easiest way to cope with this situation is to change password, etc, but please notice that my question regards the identification of the intruder, not the solution to the intrusion itself.
    He wants to identify the intruder. In this condition the best bet is:

    1. check the connected clients in AP homepage
    2. use IDS systems like WIDS
    3. lower the transmit power of AP (if clients are not far away)
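
Added example (not written by any poster in this thread): the thread keeps returning to the fact that a consumer AP logs little more than MAC address and hostname, and that both can be changed. The sketch below keeps that evidence in order on your own network, assuming the AP or a DHCP server you run writes dnsmasq-style `DHCPACK` lines; the log lines, the allowlist and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines in dnsmasq's DHCPACK format (not from the thread).
SAMPLE_LOG = """\
Jan 12 20:58:02 dnsmasq-dhcp[812]: DHCPACK(br-lan) 192.168.1.20 00:11:22:33:44:55 family-pc
Jan 12 21:04:11 dnsmasq-dhcp[812]: DHCPACK(br-lan) 192.168.1.137 00:aa:bb:cc:dd:01 guest-laptop
Jan 13 19:40:45 dnsmasq-dhcp[812]: DHCPACK(br-lan) 192.168.1.138 02:de:ad:be:ef:02 guest-laptop
Jan 13 19:55:10 dnsmasq-dhcp[812]: DHCPACK(br-lan) 192.168.1.21 00:11:22:33:44:66
"""

KNOWN_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}  # your own devices (constructed)

LEASE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*DHCPACK\(\S+\)\s(?P<ip>[\d.]+)\s"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s(?P<host>\S+))?\s*$", re.I)

def locally_administered(mac):
    """True if bit 0x02 of the first octet is set (address assigned in software).
    A cleared bit proves nothing: a changed MAC can imitate a vendor address."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def unknown_clients(log_text, known=KNOWN_MACS):
    """Return lease events for MACs that are not on the allowlist, in log order."""
    events = []
    for line in log_text.splitlines():
        m = LEASE_RE.match(line)
        if not m or m["mac"].lower() in known:
            continue
        mac = m["mac"].lower()
        events.append({"ts": m["ts"], "ip": m["ip"], "mac": mac,
                       "host": m["host"] or "", "local_bit": locally_administered(mac)})
    return events

def hostnames_with_multiple_macs(events):
    """A hostname seen behind several MACs suggests the MAC changed between visits."""
    seen = defaultdict(set)
    for e in events:
        if e["host"]:
            seen[e["host"]].add(e["mac"])
    return {h: sorted(macs) for h, macs in seen.items() if len(macs) > 1}

if __name__ == "__main__":
    evts = unknown_clients(SAMPLE_LOG)
    for e in evts:
        print(e)
    print(hostnames_with_multiple_macs(evts))
```

The output is a timeline of leases handed to devices you do not recognise, which is the kind of record post #2 suggests keeping; it does not prove who operated the device.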

  10. #10
    Senior Member
    Join Date
    Apr 2008
    Posts
    2,008

    Default

    Quote Originally Posted by secure_it View Post
    Nope Tron, he is not asking for a solution, as he has clearly stated:

    He wants to identify the intruder. In this condition the best bet is:

    1. check the connected clients in AP homepage
    2. use IDS systems like WIDS
    3. lower the transmit power of AP (if clients are not far away)
    If you re-read my post you will note that I was responding to streaker69's warning about the legality aspect if he is running an open access point. I was simply pointing out that it looks like the OP is using encryption of some sort.
    -Monkeys are like nature's humans.
