  1. #1



    Wireless Hacking

    So we have some clever clogs who are attempting to hack our wireless network, which while unlikely to succeed, is causing our RADIUS server some unnecessary work. We want to track them down.

    We have a Meru system and can see the AP they are using, so we know approximate location, we also have a MAC address - assuming it is not being spoofed. What tools can we use to go the last few yards and collar the perpetrators?

  2. #2
    hallb15's Avatar
    Use a site like MAC_Find (Vendor/Ethernet/Bluetooth MAC Address Lookup and Search) to find the manufacturer of the device. That will help narrow it down, especially if it's a smartphone.
    As you know the approx. location, you could use CCTV to look for anyone acting suspiciously with said brand of device above.

  3. Thanks to hallb15 from:

    pcstru (13th May 2014)

  4. #3

    abillybob's Avatar
    Get a cocker spaniel, I hear they're great for sniffing out trouble.

  5. #4
    zag
    I'd use MAC address filtering on the network and just deny that specific MAC address.

    In terms of finding them, just look on the wireless controller for when they are active and go round and look at the computers. You will catch them eventually.

    We had exactly the same problem a while back and found a room upstairs with some laptops that a student had going for 2 weeks! It can really pull a network down. We found this just by walking round.

  6. Thanks to zag from:

    pcstru (13th May 2014)

  7. #5


    The MAC relates to Android. @zag, I'm tempted to block the MAC at the core switch but a MAC can be spoofed too easily for that to be a robust solution. An ideal solution might be something that will look at all wireless traffic, filter on a MAC address and present a signal strength. We are quite a large school so there are hundreds of students hanging around, all looking at their phones!

  8. #6


    Depending on how long your RADIUS logs are kept before they're rotated, chances are one of the kids involved will have tried his school username to log in.

    Search the event logs for the offending MAC address + username.

  9. 2 Thanks to pete:

    pcstru (13th May 2014), zag (13th May 2014)
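
The log search suggested in post #6, as an added example that is not part of the original thread. It assumes FreeRADIUS-style `radius.log` lines (the thread does not name the RADIUS server); the sample lines, MAC addresses and usernames are constructed.

```python
import re
from collections import Counter

# Constructed sample in FreeRADIUS radius.log style (assumed format).
SAMPLE_LOG = """\
Tue May 13 09:14:02 2014 : Auth: Login incorrect: [admin/<via Auth-Type = EAP>] (from client meru-ctrl port 0 cli 02-00-5E-10-00-AA)
Tue May 13 09:14:40 2014 : Auth: Login OK: [host/LAB-PC-07/<via Auth-Type = EAP>] (from client meru-ctrl port 0 cli 02-00-5E-10-00-01)
Tue May 13 09:15:11 2014 : Auth: Login incorrect: [jbloggs/<via Auth-Type = EAP>] (from client meru-ctrl port 0 cli 02005e1000aa)
Tue May 13 09:15:30 2014 : Auth: Login incorrect: [jbloggs/<via Auth-Type = EAP>] (from client meru-ctrl port 0 cli 02:00:5e:10:00:aa)
Tue May 13 09:16:02 2014 : Info: Ready to process requests.
"""

LINE_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: (?P<result>Login OK|Login incorrect)[^\[]*"
    r"\[(?P<user>[^\]]*)\] \(from client (?P<nas>\S+) port \d+ cli (?P<cli>[^)\s]+)\)"
)

def norm_mac(text):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    return digits if len(digits) == 12 else None

def identities_for_mac(log_text, mac):
    """Count (username, result) pairs offered by one client MAC address."""
    target = norm_mac(mac)
    if target is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    seen = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and norm_mac(m["cli"]) == target:
            # Drop the "/<via Auth-Type = ...>" suffix, keep names like host/PC.
            user = m["user"].split("/<", 1)[0]
            seen[(user, m["result"])] += 1
    return seen

if __name__ == "__main__":
    for (user, result), n in identities_for_mac(SAMPLE_LOG, "02:00:5e:10:00:aa").items():
        print(f"{n:3d}  {result:16s} {user}")
```

Normalising the MAC first matters because the same client can be logged with dashes, colons or no separators depending on the NAS.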

  10. #7
    hallb15's Avatar
    Use arp to get the IP address from the MAC address.
    Or try LanSpy (LANSpy Network Security & Port Scanner); it's useful to have anyway.

    Have a play with Wireshark to look at packets from that IP addr and see if you can find out what they are doing...

  11. Thanks to hallb15 from:

    pcstru (13th May 2014)

  12. #8
    cpjitservices's Avatar
    I'm guessing they are trying to hack the wifi because they don't have the credentials to be able to log in and use it?

    Do they not have the credentials because they are not supposed to use the Wi-Fi? Or do they just not know the security passphrase?

    If they do have access and are trying to get the Pass-phrase then chances are they will be using a tool such as Cain & Abel to try and show the password - then I'd block the MAC address at the Core Switches, shame you aren't using captive portal then - any blocked MAC addresses will be redirected to a website - then you could display something like 'this MAC address has been banned.'

  13. Thanks to cpjitservices from:

    pcstru (13th May 2014)

  14. #9

    Dos_Box's Avatar
    Moving to Wireless Networks forum.

  15. #10


    Quote Originally Posted by cpjitservices
    I'm guessing they are trying to hack the wifi because they don't have the credentials to be able to log in and use it?

    Do they not have the credentials because they are not supposed to use the Wi-Fi? Or do they just not know the security passphrase?

    Both! It seems to be the type of attack you might use on a secured domestic access point. The RADIUS authentication for that SID is looking for machine credentials prior to an exchange of keys (that's as I understand it).

    Quote Originally Posted by cpjitservices
    If they do have access and are trying to get the Pass-phrase then chances are they will be using a tool such as Cain & Abel to try and show the password - then I'd block the MAC address at the Core Switches, shame you aren't using captive portal then - any blocked MAC addresses will be redirected to a website - then you could display something like 'this MAC address has been banned.'

    I'm not very keen on relying on MAC address in this situation because of the ease of spoofing it. I suppose blocking it makes it no worse for us but I don't want to give them any heads up. I really want to be able to collar them!

  16. #11
    cpjitservices's Avatar
    Quote Originally Posted by pcstru
    Both! It seems to be the type of attack you might use on a secured domestic access point. The RADIUS authentication for that SID is looking for machine credentials prior to an exchange of keys (that's as I understand it).

    I'm not very keen on relying on MAC address in this situation because of the ease of spoofing it. I suppose blocking it makes it no worse for us but I don't want to give them any heads up. I really want to be able to collar them!

    Collar them? When you block the MAC address... and that person can no longer get access to anything at all... They may not know about MAC spoofing because hacking access points really is child's play, they may have done it at home with standard Thomson/Technicolor routers but now it's more sophisticated.

    They may just come knockin' and say.... 'I can't get on the wifi' ....

  17. #12


    Quote Originally Posted by hallb15
    Use arp to get the IP address from the MAC address.
    Or try LanSpy (LANSpy Network Security & Port Scanner); it's useful to have anyway.
    Have a play with Wireshark to look at packets from that IP addr and see if you can find out what they are doing...

    They are not on the network so don't have an IP address. I think Kismet would be able to do raw monitoring (rfmode), which would let us see traffic and the MAC address. I really need to then be able to distinguish the signal strength to do warm/cold and close in on their physical location. Either that or we somehow let them have a key so we can reel them in - honeypot?

  18. #13
    cpjitservices's Avatar
    Quote Originally Posted by pcstru
    They are not on the network so don't have an IP address. I think Kismet would be able to do raw monitoring (rfmode), which would let us see traffic and the MAC address. I really need to then be able to distinguish the signal strength to do warm/cold and close in on their physical location. Either that or we somehow let them have a key so we can reel them in - honeypot?

    Reel them in sounds like a plan. If you let them on they will have an IP, then locate the IP to the closest Access Point if you can and then you'll be close. How are you going to give them the wifi passphrase though?

  19. #14


    Quote Originally Posted by cpjitservices
    Collar them? When you block the MAC address... and that person can no longer get access to anything at all... They may not know about MAC spoofing because hacking access points really is child's play, they may have done it at home with standard Thomson/Technicolor routers but now it's more sophisticated.

    Collar them - yes! I want them to know if they try it, they will get caught and there will be consequences. They may not know how to spoof a MAC but it is so trivial that if they don't give up, it is almost certainly their next port of call.

    Kismet will let me see the packets, I just can't see how to get a handle on the signal strength in relation to a MAC address.
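
One way to tie signal strength to a MAC address, as asked in posts #5 and #14; this is an added example, not part of the original thread. It assumes the captured frames carry a radiotap header (the usual monitor-mode capture format), and the frames and MAC addresses below are constructed.

```python
import struct
from collections import deque

# Radiotap fields that can precede "dBm antenna signal" (bit 5): (bit, size, align).
PRE_FIELDS = [(0, 8, 8), (1, 1, 1), (2, 1, 1), (3, 4, 2), (4, 2, 2)]

def parse_frame(pkt):
    """Return (transmitter_mac, dbm) for a radiotap + 802.11 frame, else None."""
    if len(pkt) < 8:
        return None
    _ver, _pad, rt_len, present = struct.unpack_from("<BBHI", pkt, 0)
    off, word = 8, present
    while word & (1 << 31):                    # skip chained present bitmaps
        if off + 4 > len(pkt):
            return None
        (word,) = struct.unpack_from("<I", pkt, off)
        off += 4
    if not present & (1 << 5):                 # capture carries no signal field
        return None
    for bit, size, align in PRE_FIELDS:        # walk earlier fields, honouring alignment
        if present & (1 << bit):
            off = (off + align - 1) // align * align + size
    dot11 = pkt[rt_len:]
    if off >= rt_len or rt_len > len(pkt) or len(dot11) < 16:
        return None                            # truncated, or ACK/CTS with no addr2
    (dbm,) = struct.unpack_from("<b", pkt, off)
    return dot11[10:16].hex(":"), dbm          # addr2 is the transmitter

def track(frames, target_mac, window=2):
    """Rolling mean dBm for frames sent by target_mac; rising means closer."""
    wanted = target_mac.lower().replace("-", ":")
    recent, trend = deque(maxlen=window), []
    for pkt in frames:
        parsed = parse_frame(pkt)
        if parsed and parsed[0] == wanted:
            recent.append(parsed[1])
            trend.append(sum(recent) / len(recent))
    return trend

def make_frame(src_mac, dbm):
    """Constructed input: radiotap (flags, rate, channel, signal) + auth frame."""
    radiotap = struct.pack("<BBHIBBHHbx", 0, 0, 16, 0x2E, 0, 2, 2437, 0x00A0, dbm)
    sta, ap = bytes.fromhex(src_mac.replace(":", "")), bytes.fromhex("020000000001")
    return radiotap + b"\xb0\x00\x00\x00" + ap + sta + ap + b"\x00\x00"

# Constructed walk: readings from the watched MAC with another device interleaved.
TARGET, OTHER = "02:00:5e:10:00:aa", "02:00:5e:10:00:bb"
SAMPLE = [make_frame(TARGET, -80), make_frame(OTHER, -40), make_frame(TARGET, -74),
          make_frame(TARGET, -69), make_frame(OTHER, -42), make_frame(TARGET, -61)]
```

Calling `track(SAMPLE, TARGET)` gives the warm/cold trend for the watched address only; the averaging window smooths the frame-to-frame jitter that makes single readings misleading.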

  20. #15


    Slightly amusing aside, when I was out looking for them, I spotted some lads acting suspiciously round one of the bike cages. They were trying to hack a combination padlock - so at least I can chalk up one hacker today!
