 Robafo
join:2004-03-08 Crete, IL
| Kicking off unauthorized user
I have a 2Wire HomePortal (I think it is a 1000HW, have to check when I get home). We currently have 3 computers hooked up wirelessly. I was looking at the config page about 2 weeks ago, and noticed another wireless device connected and active. It was named something weird like dj-89P7G blah blah. Anyway, I changed the SSID and turned off broadcast (those were left on as defaults). I also changed the password to something besides the default serial number. The mystery device disappeared until last night. Is there any way to kick this device off, or see if it even has any activity? I can't figure out who would be connected, because we live in a semi-rural area, and neighbors aren't exactly right next door. I looked up something called Airsnare, but I'm not exactly sure how it works, so I don't want to start playing with it yet.
Sorry if this needs to go in security or something, this seemed like the best place for it.
Thanks! |
|
  janderso1 Jim Premium,MVM join:2000-04-15 Saint Petersburg, FL | If the homeportal doesn't support WPA PSK, buy a wireless router or access point and wireless cards that do support WPA PSK. -- Jim Anderson |
|
  funchords Hello Premium,MVM join:2001-03-11 Washington, DC
·Verizon Online DSL
·Skype
| reply to Robafo You can try 'arp -a' and see if it has sent any broadcasts.
If the device shows a DHCP address issued, you can try and ping it.
Airsnare ...
You could also check out myWIFIzone listed here: »www.nonags.com/nonags/miscnet.html (I have not tried it). -- Robb Topolski http://www.funchords.com/ Hillsboro, Oregon USA Dear Anonymous, Thank you!!! Thank you!!! |
|
 Robafo
join:2004-03-08 Crete, IL
| reply to Robafo So is the built in WEP pretty much worthless? I can check at home, but I am pretty sure the 2Wire doesn't support WPA.
I'm not familiar with the output for arp -a, what would I be looking for? Is Airsnare a useful tool for this sort of problem?
I'm mostly just worried because there is now an unknown behind the firewall, and I'm worried about new issues suddenly popping up. Thanks again for the input. |
|
  janderso1 Jim Premium,MVM join:2000-04-15 Saint Petersburg, FL
| If someone wants to get in, WEP won't stop them (as you have already discovered). Circuit City has the Netgear WGR614 router and the Netgear wireless G cards for $30 each after rebates in their ad for this week. I know the router and the notebook card support WPA. -- Jim Anderson |
|
  funchords Hello Premium,MVM join:2001-03-11 Washington, DC
·Verizon Online DSL
·Skype
| reply to Robafo said by Robafo: "I'm not familiar with the output for arp -a, what would I be looking for?" Give it a try now.
And if you see that same MAC address in the arp -a output, that would mean that the MAC address has been seen by that machine inside your LAN. -- Robb Topolski http://www.funchords.com/ Hillsboro, Oregon USA Dear Anonymous, Thank you!!! Thank you!!! |
|
 Robafo
join:2004-03-08 Crete, IL | I do arp -a, and all that shows up is the MAC address of the 2Wire, is there a different argument I should be using?
I wish there was a way to just boot off certain devices  |
|
  funchords Hello Premium,MVM join:2001-03-11 Washington, DC
·Verizon Online DSL
·Skype
| No.
So far, the 2-wire is the only thing recently heard by that machine.
You can see other ID's if they talk. One way to make them talk is to ping them first, then run the arp -a command.
By the way, this is a weak suggestion. If someone is trying to clandestinely use your network, they probably are using a firewall and have turned off anything that would broadcast. It's only possible that they might not have taken those precautions.
If your router doesn't have a feature to knock them off (most don't), I don't know of any other way. (That freeware software I pointed you to does seem like it might do what you want.) -- Robb Topolski http://www.funchords.com/ Hillsboro, Oregon USA Dear Anonymous, Thank you!!! Thank you!!! |
|
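Added example, not part of any post in this thread: the `arp -a` check suggested above, turned into a comparison against a list of devices you own. The sample output, the addresses and the `KNOWN_MACS` inventory are all constructed for illustration.

```python
import re

# Constructed sample of Windows-style `arp -a` output; all addresses are made up.
SAMPLE_ARP = """\
Interface: 192.168.1.64 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.254         02-00-00-00-00-01     dynamic
  192.168.1.65          02-00-00-00-00-02     dynamic
  192.168.1.70          02-00-00-00-00-99     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Hypothetical inventory: MACs of the router and the PCs you own.
KNOWN_MACS = {"02:00:00:00:00:01", "02:00:00:00:00:02"}

# An IPv4 address, then a MAC written with '-' (Windows) or ':' (Linux).
ENTRY = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\D+?((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})"
)

def parse_arp(text):
    """Return (ip, mac) pairs for unicast entries in `arp -a` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # header, blank line or incomplete entry
        ip, mac = m.group(1), m.group(2).lower().replace("-", ":")
        if int(mac[:2], 16) & 1:
            continue  # broadcast/multicast address, not a device
        entries.append((ip, mac))
    return entries

def unknown_devices(text, known=KNOWN_MACS):
    """Entries whose MAC is not in the inventory."""
    known = {k.lower() for k in known}
    return [(ip, mac) for ip, mac in parse_arp(text) if mac not in known]

if __name__ == "__main__":
    for ip, mac in unknown_devices(SAMPLE_ARP):
        print(f"unknown device: {ip} {mac}")
```

An empty result is not proof the network is clean: the ARP table only lists hosts this machine has recently exchanged traffic with, and a client that has cloned the MAC of an allowed device will match the inventory.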
 Robafo
join:2004-03-08 Crete, IL
| reply to Robafo I just took another look at that software, I will try it tonight. It says on the FAQ that you can block by IP or MAC, so theoretically wouldn't it be easy to release/renew for a new IP and spoof the MAC? How much trouble is it worth to use someone else's wireless  |
|
  Nerdtalker Working Hard, Or Hardly Working? Premium,MVM join:2003-02-18 Tucson, AZ clubs:
| reply to Robafo Well, changing the SSID and turning SSID broadcasts off isn't going to do much of anything against anyone determined.
Even if your device only supports WEP, for the time-being, I'd go ahead and enable it, even if you're going to be getting WPA-PSK compatible equipment soon.
The best place to look for them would be in the DHCP clients table. If they've connected, they've also probably pulled a DHCP lease. If not, you could always see if they show up with a ping sweep scan of your subnet in nmap, although anybody good enough to circumvent WEP is probably running a firewall.
You also mentioned mac address filtering. This too won't offer any real security, the unwanted client can still clone the mac address of an allowed client. -- "Some people never see the light till it shines thru bullet holes." -Bruce Cockburn
I'm testing Gmail's spam filters: Broadbandreports1@gmail.com Spam: 8800+ messages currently using 268 MB (11%) of my 2442 MB |
|
  Dude111 An Awesome Dude Premium join:2003-08-04 USA
·Time Warner VOIP
| reply to Robafo If you have an option to ENABLE AN ACCESS LIST, no one should be able to get on (a list of MAC addresses allowed to use the network).
You could also UNPLUG YOUR CABLE MODEM UNTIL THE DEVICE DROPS, THEN RE-CONNECT IT WITH THE "ACCESS LIST" ENABLED.......
Good Luck  |
|
  DUH
@bcvloh.ameritech
from: Bill 
| Man did you read the post before yours? MAC filtering is WORTHLESS. There are two ways to make sure this person stops using his wireless: Get a new access point and enable WPA-PSK with a good key, or he can set up a separate network with the wireless that is isolated from his primary network and VPN through it.
The new access point with WPA is a much better and easier way to go of course |
|
  Dude111 An Awesome Dude Premium join:2003-08-04 USA | reply to Robafo I wonder why MAC filtering is useless!!!! It certainly makes it harder to get on!!
|
|
  funchords Hello Premium,MVM join:2001-03-11 Washington, DC
·Verizon Online DSL
·Skype
| said by Dude111: "I wonder why MAC filtering is useless!!!! It certainly makes it harder to get on!!" Because MAC addresses are both easy to monitor and easy to spoof with no special skill required. -- Robb Topolski http://www.funchords.com/ Hillsboro, Oregon USA Dear Anonymous, Thank you!!! Thank you!!! |
|
 nrf
join:2003-02-20 Morrow, OH
·Future Nine Corpor..
·Embarq
·AT&T CallVantage
·RoadRunner Cable
| reply to Robafo for all intents and purposes, WEP is essentially broken/insecure now. I recommend folks bite the bullet and start looking for bargains to replace their equipment with WPA-capable gear. no sense having your neighbor or a drive-by sending out spam on your behalf.
"get over it" !
nrf  |
|
  Nerdtalker Working Hard, Or Hardly Working? Premium,MVM join:2003-02-18 Tucson, AZ clubs:
| reply to Dude111 said by Dude111: "I wonder why MAC filtering is useless!!!! It certainly makes it harder to get on!!" Most NICs let you clone different mac addresses into them.
You can sniff traffic for an "allowed" mac address, then clone it into your NIC. Boom, you've got connectivity. -- "Some people never see the light till it shines thru bullet holes." -Bruce Cockburn
I'm testing Gmail's spam filters: Broadbandreports1@gmail.com Spam: 8800+ messages currently using 268 MB (11%) of my 2442 MB |
|
  MystBlade Premium join:2002-10-21 Lacey, WA clubs:
| reply to Robafo I just ban mac addresses in my router. Or I set up a little DMZ and let them sit in it. Sure it says they are connected but they can't do anything, no access to any resources or internet.
Someone can just spoof another mac addy and attempt to get in.
Or you can limit the range of IP's on your subnet and just do static addressing. So let's say you have 7 devices that require an IP so you just allow 7 IP addys like 192.168.1.1 thru 192.168.1.7
Then with all your IP's taken up no one can get an IP. No matter how good a hacker they are (*note unless they get into your router somehow and change your settings) you're all good without any security enabled. However this is far far far more administrative overhead and most people like DHCP.
-- P4 3.73Extreme Edition 1066FSB |Dell Gen4 XPS |4GB (4X512) Corsair XMS XLPRO (Dual Channel mode)|ATI Radeon X850 XT PE|SB Aguity 2Z|2X74GB Raptor SATA Raid 0|24" Dell LCD Monitor 12ms|12X Pioneer DVD Burner|Windows XP 64-Bit |
|
  funchords Hello Premium,MVM join:2001-03-11 Washington, DC
·Verizon Online DSL
·Skype
| said by MystBlade: "Or you can limit the range of IP's on your subnet and just do static addressing. So lets say you have 7 devices that require an IP so you just allow 7 IP addys like 192.168.1.1 thru 192.168.1.7" This is incorrect.
All I would have to do is set my own adapter to a static address of 192.168.1.142 (or any number between .8 and .254) and I would be happily cruising your network.
Static DHCP is a convenience feature, it is not a security feature. -- Robb Topolski http://www.funchords.com/ Hillsboro, Oregon USA Dear Anonymous, Thank you!!! Thank you!!! |
|
  Bill Light Up The Halo Premium,VIP join:2001-12-09 clubs:
| If you were to change the subnet on your network to 255.255.255.248 (/29), that should give you 7 usable hosts (192.168.1.1 through 192.168.1.6) and a broadcast address of 192.168.1.7.
But there isn't anything stopping them from setting their own static IP within that range and causing "Duplicate IP conflicts" on the network and still getting onto the network.
As you said, I wouldn't really consider it a large security feature. -- Network Status Weather Stats Xfire |
|
  funchords Hello Premium,MVM join:2001-03-11 Washington, DC
·Verizon Online DSL
·Skype
| said by Bill: "As you said, I wouldn't really consider it a large security feature." Actually, also not a security feature -- IMHO.
Just my opinion: Reasonable people can look at this same set of facts and disagree.
My test of a security feature is this: Security features are engineered to provide some form of protection of privacy, against disruption, or against intrusion. Static DHCP and tight netmasks are not engineered with security in mind.
Another way to look at it is this: If you can exploit it such that you can gain access, disrupt, or eavesdrop, would it be considered a bug (error, fault, or failure) of that particular feature? If the answer is no, then it's not designed for security.
The fact that we can roll-our-own IP addresses, or duplicate existing ones (and fight for dominance:D), is not a bug in TCP/IP.
Non-technical folks come here looking for answers. I think we do well if we make clear distinctions between what is and isn't security. We geeks love to configure things, and we find some of these clever things useful. But it's just not security. -- Robb Topolski http://www.funchords.com/ Hillsboro, Oregon USA Dear Anonymous, Thank you!!! Thank you!!! |
|