Thread: My router is being attacked - some ideas?

  1. #1
    Just burned his ISO
    Join Date
    Oct 2007
    Posts
    5

    My router is being attacked - some ideas?

    Dear all,

    Apologies if this is posted in the wrong area. I have searched this topic in the forums but was looking for some opinion and feedback.

    Basically I've been teaching myself how to use some elements of Backtrack2 to help secure up my router and wireless network. Finally got my new router from my ISP the other day and got the badboy up and running. I was plugged in to the router with my ethernet cable so that I could play with my wireless cards using aircrack and others (Broadcom 4306 and atheros ath0).

    I left airodump running for an hour and then came back to my computer and noticed that there was a MAC address communicating with my brand new router!?! I logged into my router and checked that my WEP was on and it was. It wasn't either of my wireless cards so I'm baffled. In my building there's lots of wireless APs and clients and traffic - could someone really have penetrated my router so efficiently and quickly? I know that's what you guys are talking about in these forums and with PTW etc. it's meant to be quick. But they would've had to have done a clientless attack and known what they're doing. Surely it would have to be a massive coincidence that someone within range has the ability and tools and desire to crack my WEP and start piggybacking?

    Anyway I turned the wireless on my router off and thought about my options. Obviously changing to WPA is sensible and I will do but I'm interested in how I should approach this MAC address who is getting at my router? I personally would like to find out some information about the machine etc. who's attacking. I've read other threads about tracking down a client logging on to a router un-authorised but I'm not interested in tracking them down - I'd like to get some information about how they're doing it? Or maybe I should just increase the security on my router - WPA and closed MAC address list etc.... still worries me that they could crack other stuff and the last thing I want is someone getting on my network accessing files.....

    Anyhoo I know I'll get grilled for posting this but please remember I'm simply asking people's opinions - what would you guys do - just increase your own security measures or attempt some sort of reconnaissance on this invader? How legal is that? I'm not asking for any sort of step by step tutorial or for any busy moderators and coders to post if they don't want to - just some thoughts?

    Thanks in advance.
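
An added example, not part of the original thread: one way to make the check described in the post above repeatable is to parse an airodump-ng CSV capture and list every station associated with your own access point that is not one of your cards. It assumes the airodump-ng CSV layout (access-point table, blank line, station table); the sample capture, all MAC addresses and the function name `unknown_stations` are constructed for illustration.

```python
import csv
import io

# Constructed sample in the airodump-ng CSV layout (not a real capture):
# access-point table, blank line, then the station table.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2007-10-20 18:00:01, 2007-10-20 19:00:03, 6, 54, WEP, WEP, , 60, 3500, 120, 0.0.0.0, 7, homenet,
66:77:88:99:AA:BB, 2007-10-20 18:00:05, 2007-10-20 19:00:02, 11, 54, WPA, TKIP, PSK, 30, 2100, 0, 0.0.0.0, 9, neighbour,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:AA:BB:CC:DD:01, 2007-10-20 18:02:10, 2007-10-20 18:59:40, 55, 840, 00:11:22:33:44:55, homenet
00:AA:BB:CC:DD:99, 2007-10-20 18:31:12, 2007-10-20 18:58:07, 41, 212, 00:11:22:33:44:55,
00:AA:BB:CC:DD:77, 2007-10-20 18:05:00, 2007-10-20 18:06:00, 20, 3, (not associated), linksys
00:AA:BB:CC:DD:55, 2007-10-20 18:10:00, 2007-10-20 18:50:00, 25, 90, 66:77:88:99:AA:BB, neighbour
"""


def unknown_stations(csv_text, my_bssid, allowed_macs):
    """Return stations associated with my_bssid that are not in allowed_macs."""
    allowed = {m.strip().upper() for m in allowed_macs}
    target = my_bssid.strip().upper()
    findings = []
    in_stations = False
    for row in csv.reader(io.StringIO(csv_text), skipinitialspace=True):
        row = [field.strip() for field in row]
        if not row or not row[0]:
            continue  # blank separator line between the two tables
        if row[0] == "Station MAC":
            in_stations = True  # everything after this header is a client
            continue
        if not in_stations or len(row) < 6:
            continue  # still in the access-point table, or a short row
        mac, first_seen, last_seen, _power, packets, bssid = row[:6]
        if bssid.upper() == target and mac.upper() not in allowed:
            findings.append({"mac": mac.upper(), "first_seen": first_seen,
                             "last_seen": last_seen, "packets": int(packets)})
    return findings


if __name__ == "__main__":
    my_cards = ["00:aa:bb:cc:dd:01"]  # constructed allowlist of own cards
    for hit in unknown_stations(SAMPLE_CSV, "00:11:22:33:44:55", my_cards):
        print(hit)
```

A client that has cloned one of the allowed MAC addresses will not show up in this list, so an empty result is weak evidence only.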

  2. #2
    Senior Member shamanvirtuel's Avatar
    Join Date
    Mar 2010
    Location
    Somewhere in the "Ex" human right country
    Posts
    2,988

    WEP cracking with PTW is a game ....

    http://www.offensive-security.com/mo...crack_ptw.html

    any kid can do it
    ...
    activate MAC filtering on your router, allow communication ONLY from your cards...........

    DISABLE remote administration of the router via wireless......so you need to be physically plugged into the router with a cable to modify settings....

    ASAP, I mean when you will master WEP attacks, SWITCH TO WPA/AES
    with a key of length 63 with all possible chars...

    just some little hints

    this is not ultimate security, but only the first layers of security for your router, it will avoid so-called wepkiddies, which may get their infos and tools from here or in another forum, to start piggyback .....
    Watch your back, your packetz will belong to me soon... xD

    BackTrack :
    Giving Machine Guns to Monkeys since 2006

  3. #3
    Just burned his ISO
    Join Date
    Oct 2007
    Posts
    5

    Thanks SV. Also thanks for Wep-Spoonfeeder - downloaded but haven't had a chance to play with it yet - more pressing concerns! Also I've got ath0 card mainly and I saw on that Wep-Spoonfeeder thread that ath0 cards are having issues - anyway different thread, different topic.

    I will implement the security measures you suggested - I just thought it was bizarre that someone else is playing with Backtrack 2 tools within range of my router and using it for illegal purposes. I mean I never see anyone in my block of flats using Linux distro let alone pen-testing ones. But I guess it's possible.

    I'm also curious about the legality of gathering information on the MAC address that's attacking?

  4. #4
    Senior Member shamanvirtuel's Avatar
    Join Date
    Mar 2010
    Location
    Somewhere in the "Ex" human right country
    Posts
    2,988

    well I will try to fix atheros in ws but I'm coding in blind because I only use USB cards and Atheros USB chipsets are not supported by the Atheros Linux driver.... so no Atheros at home for testing..........

    legality is really a thin thing in most countries.....

    it really depends on where you are, you must check your local rules....

    but in many countries, "in the text" you can see that just scanning passively is a little illegal......
    Watch your back, your packetz will belong to me soon... xD

    BackTrack :
    Giving Machine Guns to Monkeys since 2006

  5. #5
    Just burned his ISO
    Join Date
    Oct 2007
    Posts
    4

    Originally Posted by shamanvirtuel:
    well I will try to fix atheros in ws but I'm coding in blind because I only use USB cards and Atheros USB chipsets are not supported by the Atheros Linux driver.... so no Atheros at home for testing..........

    legality is really a thin thing in most countries.....

    it really depends on where you are, you must check your local rules....

    but in many countries, "in the text" you can see that just scanning passively is a little illegal......

    What interests me is that these people are using a public frequency. If you are passively scanning, what's the difference between that and scanning your local police frequency? As long as you don't transmit on the police band then you are in the clear; likewise, if you don't perform any offensive attacks on someone else's machine I would think you're fine too? Too much grey area...

  6. #6
    Senior Member PrairieFire's Avatar
    Join Date
    Apr 2007
    Posts
    705

    Originally Posted by vonyk:
    What interests me is that these people are using a public frequency. If you are passively scanning, what's the difference between that and scanning your local police frequency? As long as you don't transmit on the police band then you are in the clear; likewise, if you don't perform any offensive attacks on someone else's machine I would think you're fine too? Too much grey area...

    Almost all US Govt frequencies are either encrypted or trunked, making it hard to "listen" without regulated equipment. Some city Police/Fire/EMS have been utilizing computer networks to receive and transmit call details so even if you can listen you do not hear much.
    Passive scanning of open Wi-Fi could be considered as theft if you collected data that was being transmitted.
    Μολὼν λαβέ - Great spirits encounter heavy opposition from mediocre minds.

  7. #7
    Member
    Join Date
    Aug 2007
    Posts
    231

    Just know that MAC filtering does NOT work in preventing access to your router (most here can spoof your MAC to obtain the necessary access). Setting your router to allow administrative access only through an ethernet connection (RE: disabling remote administration) is a necessity.

    You could possibly locate the attacker by triangulating his position using a directional antenna (you can build a pretty good sector antenna that gives decent directionality), but why waste your time.

    I doubt that anyone here (who knows what a joke WEP really is) is still using WEP as their first layer of security. As a minimum, use WPA with a NON-DICTIONARY key. As a minimum, four lowercase letters + four uppercase letters + four numbers + four "non-letters" - i.e., !@#$%^&*()_+, should comprise your key.
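
An added example, not part of the original thread: a generator and checker for the kind of key recommended in posts #2 and #7 (63 characters drawn from all character classes, with at least four of each class). The 8 to 63 printable-ASCII limit is the WPA-PSK passphrase rule; the function names and the choice to leave out the space character are assumptions made for this sketch.

```python
import secrets
import string

# WPA/WPA2-PSK passphrases are 8 to 63 printable ASCII characters.
WPA_MIN_LEN, WPA_MAX_LEN = 8, 63
# Candidate alphabet: letters, digits and ASCII punctuation. Space is valid
# in a passphrase but left out here because it is easy to mistype.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def check_key(key, per_class=4):
    """Return a list of problems; an empty list means the key passes."""
    problems = []
    if not WPA_MIN_LEN <= len(key) <= WPA_MAX_LEN:
        problems.append(f"length {len(key)} outside 8-63")
    if any(not 32 <= ord(c) <= 126 for c in key):
        problems.append("contains non-printable or non-ASCII characters")
    for name, chars in CLASSES.items():
        count = sum(c in chars for c in key)
        if count < per_class:
            problems.append(f"only {count} {name} characters, need {per_class}")
    return problems


def generate_passphrase(length=WPA_MAX_LEN):
    """Draw random keys from the OS CSPRNG until one passes check_key()."""
    if not 16 <= length <= WPA_MAX_LEN:
        raise ValueError("length must be 16-63 to fit four of each class")
    while True:
        key = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_key(key):
            return key


if __name__ == "__main__":
    print(generate_passphrase())
    print(check_key("password"))
```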

  8. #8
    Junior Member
    Join Date
    Dec 2006
    Posts
    39

    Just a quick question, I have a Linksys WRT54G flashed with DD-WRT firmware and have employed the following security on my router.

    WPA with 63 character alpha numeric with symbols

    MAC filtering

    Username & password to access the router web base setup.

    Disabled Remote Access

    But I don't know how to stop people accessing the web based setup pages when they're connected to the router via wireless.

    I don't even know if my router has this feature, if anyone knows how to do this please reply.

    Thanks Adam

  9. #9
    Senior Member PrairieFire's Avatar
    Join Date
    Apr 2007
    Posts
    705

    Originally Posted by wallsballs:
    Just a quick question, I have a Linksys WRT54G flashed with DD-WRT firmware and have employed the following security on my router.

    WPA with 63 character alpha numeric with symbols

    MAC filtering

    Username & password to access the router web base setup.

    Disabled Remote Access

    But I don't know how to stop people accessing the web based setup pages when they're connected to the router via wireless.

    I don't even know if my router has this feature, if anyone knows how to do this please reply.

    Thanks Adam

    Administration - Management - Enable Info Site. Disable that option.
    Μολὼν λαβέ - Great spirits encounter heavy opposition from mediocre minds.

  10. #10
    Junior Member
    Join Date
    Feb 2006
    Posts
    91

    Originally Posted by SLK001:
    Just know that MAC filtering does NOT work in preventing access to your router (most here can spoof your MAC to obtain the necessary access). Setting your router to allow administrative access only through an ethernet connection (RE: disabling remote administration) is a necessity.

    You could possibly locate the attacker by triangulating his position using a directional antenna (you can build a pretty good sector antenna that gives decent directionality), but why waste your time.

    I doubt that anyone here (who knows what a joke WEP really is) is still using WEP as their first layer of security. As a minimum, use WPA with a NON-DICTIONARY key. As a minimum, four lowercase letters + four uppercase letters + four numbers + four "non-letters" - i.e., !@#$%^&*()_+, should comprise your key.

    Is there a software program that can track down the attacker?
