Detecting intruders wirelessly...

Is there a program out in the great wide world that can detect when people try to connect to my wireless network?

For example, if I had a neighbor (FOR EXAMPLE only) that was trying to crack my WEP or just trying to simply connect to my wireless internet, would a program be out there that would alert me?

thanks in advance, sorry if it is a dumb question...

Jazz Mann

Reply to
jbraly

Linux, Macintosh, Unix, or Windoze?

It won't detect a WEP cracker. That's done by sniffing your wireless traffic and recovering the WEP key from the captured traffic. Since that does NOT require a connection to your system, you can't detect it. However, if they succeed in cracking your WEP key, and connect to your system, any of the wireless intrusion detection systems should work.

If Windoze, see:

formatting link

There are no dumb questions. However, it would be nice to know what hardware and software you have available to do this.

Reply to
Jeff Liebermann


I found this but I haven't tried it yet. It's free for private use. It looks like what you want.

formatting link

Reply to
bjs555

Oops... Jeff's post showed up late on my news server. Same program. Looks interesting.

Bruce

Reply to
bjs555

Not too dumb. If they're just listening, you're totally out of luck. If they try to connect, one possibility would be to regularly check the arp tables on your LAN for any newcomers, although if they spoof existing corresponding MAC and IP addresses, this would be missed.

Otherwise......??

Reply to
Mike Scott

If I'm reading the docs on that AirSnare program correctly, you can send a message to the intruder. You might get creative with the message and point out dire consequences of continued break-ins. Of course, if everyone does this, the bluff is called.

Reply to
bjs555

Because it's fun to send everyone in your workgroup or domain a message. Try it: Start -> Run -> cmd, then:

net send * "This is a test."

Reply to
Jeff Liebermann

Reading more, it looks like AirSnare just uses windows messenger service to alert the intruder. Don't most people turn that off now due to spyware? Perhaps there's a more nefarious way to send a message.

Reply to
bjs555

Well, think about that one for a second. If you have duplicated both the MAC and IP address on two machines, the wireless bridge or ethernet switch in between will be totally confused. My guess is traffic to the two stations will come to a grinding halt or at least become very erratic. I've seen the results of duplicated IP addresses and basically, things don't work. In order for an attacker to take advantage of both a borrowed IP and MAC address, they would need to somehow remove the original owner of the MAC and IP address from the system. That can be done by simply waiting until they turn off their machine. Or there are active ways that might work. However, as long as there are two identical computers on the system, they simply won't work well. Why bother?

Such spoofing is a real danger in securing a wireless network. That's why 802.1x authentication was implemented. With authentication, it's insufficient to simply own the MAC addresses. One needs to also have anything from a RADIUS login/password to an X.509 certificate to use the system.

I do have an idea of how to detect a duplicate MAC and IP situation. The valid wireless client probably uses DHCP to obtain their IP address. The fake client probably uses a static IP address to assign the same IP address. If the DHCP lease time is sufficiently short, the lack of a DHCP lease renewal request will indicate that the fake client is using a static IP address and is probably a hacker. This may take a while to detect, but be sufficient to set off a warning.

Reply to
Jeff Liebermann

Jeff Liebermann wrote: ....

If they spoof both a MAC and corresponding IP address while the "real owner" is disconnected, it'll be hard to detect an intrusion. Do you know anything that will detect this particular situation?

Reply to
Mike Scott

Check the arp tables every minute or two. Easy on u*x, but probably possible on w*ws too. I have a job, running about every minute, that pings all legitimate hosts on my small home LAN, and reads the arp table to check whether any changes have been made. Not entirely bomb-proof, but any casual spoofing of existing IPs will be found, and anyone snooping on the monitoring machine will leave arp traces.

Reply to
Mike Scott
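The two checks discussed above, as an added example that is not code from this thread or from any of the posters: it combines Mike Scott's periodic ARP-table comparison against a baseline (ping the known hosts first so their entries are fresh, then look for newcomers and for IPs whose MAC changed) with Jeff Liebermann's suggestion that a squatter using a static IP inside the DHCP pool never shows up with a live lease. The ARP text is in `ip -4 neigh show` format and the lease text in dnsmasq's lease-file format; both samples, the baseline, the DHCP pool range (hosts .10 to .50) and the lease-file path are constructed assumptions for the example.

```python
"""Passive LAN newcomer check: diff the ARP/neighbour table against a
baseline and cross-check it against active DHCP leases.
Added example, not from the thread.  Sample data below is constructed."""
import re
import subprocess
import time

# Constructed sample in `ip -4 neigh show` format.
SAMPLE_NEIGH = """\
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.11 dev eth0 lladdr 00:11:22:33:44:66 STALE
192.168.1.12 dev eth0 lladdr 00:11:22:33:44:77 REACHABLE
192.168.1.23 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.99 dev eth0  FAILED
"""

# Baseline (ip -> mac) recorded on a day you trusted the LAN.  Assumed values.
BASELINE = {
    "192.168.1.10": "00:11:22:33:44:55",
    "192.168.1.11": "00:11:22:33:44:66",
    "192.168.1.12": "00:11:22:33:44:88",   # deliberately differs from SAMPLE_NEIGH
}

# Constructed dnsmasq-style lease file: expiry-epoch mac ip hostname client-id
SAMPLE_LEASES = """\
1700000000 00:11:22:33:44:55 192.168.1.10 laptop 01:00:11:22:33:44:55
1700000000 00:11:22:33:44:66 192.168.1.11 phone *
"""
NOW = 1699990000  # fixed "current time" so the sample run is deterministic

NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})\s+(\w+)", re.I)

def parse_neigh(text):
    """Return {ip: mac} for entries that resolved to a MAC (FAILED/INCOMPLETE skipped)."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def parse_leases(text, now):
    """Return {ip: mac} for leases that have not expired at `now`."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and int(parts[0]) > now:
            leases[parts[2]] = parts[1].lower()
    return leases

def diff_arp(baseline, current):
    """Newcomers and MAC changes relative to the baseline (Mike Scott's check)."""
    new = {ip: mac for ip, mac in current.items() if ip not in baseline}
    changed = {ip: (baseline[ip], mac) for ip, mac in current.items()
               if ip in baseline and baseline[ip] != mac}
    return new, changed

def static_without_lease(current, leases, dhcp_range):
    """IPs inside the DHCP pool that appear in ARP but hold no active lease,
    or hold it under another MAC: a static-IP squatter candidate (Jeff's idea)."""
    lo, hi = dhcp_range
    suspects = {}
    for ip, mac in current.items():
        last_octet = int(ip.rsplit(".", 1)[1])
        if lo <= last_octet <= hi and leases.get(ip) != mac:
            suspects[ip] = mac
    return suspects

def check(neigh_text=SAMPLE_NEIGH, lease_text=SAMPLE_LEASES, now=NOW, dhcp_range=(10, 50)):
    """Run both checks over the supplied text and return the findings."""
    current = parse_neigh(neigh_text)
    new, changed = diff_arp(BASELINE, current)
    squatters = static_without_lease(current, parse_leases(lease_text, now), dhcp_range)
    return {"new": new, "changed": changed, "no_lease": squatters}

def live_check(hosts=BASELINE, dhcp_range=(10, 50), lease_file="/var/lib/misc/dnsmasq.leases"):
    """Real run (Linux, assumed paths): ping the known hosts so their ARP
    entries are fresh, then read the neighbour table and the lease file."""
    for ip in hosts:
        subprocess.run(["ping", "-c", "1", "-W", "1", ip],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    neigh = subprocess.run(["ip", "-4", "neigh", "show"],
                           capture_output=True, text=True).stdout
    with open(lease_file) as f:
        leases = f.read()
    return check(neigh, leases, int(time.time()), dhcp_range)

if __name__ == "__main__":
    print(check())   # run live_check() from cron every minute or two for the real thing
```

On the sample data this reports .23 as a newcomer, .12 as a MAC change, and both of them as pool addresses with no matching lease. The lease cross-check only helps when the pool is small and leases are short, as Jeff notes, and it says nothing about a host that sits outside the DHCP range.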

Just out of curiosity, if there was something, what would you do next?

Reply to
David Taylor

Sorry. I didn't catch that. (The price of yacking on the phone while typing replies).

I run into that every few months. Usually on system with lots of static IP's or after a router shuffle. The last one was two routers on a 5 static IP DSL line with duplicated IP's. No way to use arpwatch or other tools to discover the duplication. Took me 3 hours to find and isolate the culprit.

Well, I've been assuming that you want a passive detection system. If you went active and probed each machine for a "security signature" with NMAP or something similar, you could differentiate your valid machines from a fake. Just leave a few random IP ports open that lead nowhere on your firewall. Maybe install some kind of auth responder service. If a port scan of those IP's shows open ports or activity, it's a real user. If not, it's fake. Not exactly the most sophisticated authentication scheme, but certainly workable.

Reply to
Jeff Liebermann

  1. Panic.

  2. Pull the wireless plug, turn off all potentially significantly insecure (ie w*ws) machines, turn on a network monitor on my freebsd gateway, and reenable the wireless; sit back and watch.

  3. Change ssid and passphrase; try to move from wep to wpa (which, since belkin don't seem to support it, might be problematic)

Reply to
Mike Scott

Pretty sure that "windows messenger service" has to be enabled on the intruder's machine in order for AirSnare to send a nasty message. Wise people disable "windows messenger service", including bad guys.

formatting link

Reply to
DanR

Could well be. Things might change, but at present, I don't have a suitable card for airsnare-like programs, hence the somewhat passive approach. I have wondered what the current state of ping-of-death packets is -- maybe something like this could be sent to an intruder ("abandon hope all ye who enter this network" perhaps?) or maybe ip stacks are getting too robust???

I'm presently eyeing up ebay for a cheap suitable card. Anyone know what chipset tp-link use?

Reply to
Mike Scott

Jeff Liebermann wrote: ...

...

Which is why I said . The "bother" may simply be a possible DOS attack. IP doesn't exactly work terribly well with duplicated IP addresses, and the symptoms can be, to say the least, confusing. I spent a happy day or so a few years back tracking a rogue machine down on a complex network of around 500 machines. That was *after* we twigged what had happened. Non-trivial.

With my own small network in mind, I use static assignment, so that won't work. I'd guess the substitution of such a rogue machine is of itself undetectable on the wire; have to wait for secondary effects (login fails or whatever) to take place.

Reply to
Mike Scott

Obviously, the better solution is to use a strong encryption algorithm.

What O/S? How 'devious' do you want to be? Know your systems, and an intruder will stick out like Mount Everest.

[compton ~]$ whatis nmap p0f
nmap (1) - Network exploration tool and security scanner
p0f (1) - identify remote systems passively
[compton ~]$

If I attempt to connect to port 137-9, or 445 on my systems, the connection is refused (maybe you can guess why). Should a connection be accepted, I know there is a problem. Perhaps, I also have something listening on port 15150 (or anything else) that replies to any connection attempt with an ICMP Type 12 Code 1 and closes the connection. Further, I could have it such that the port is changed for every attempt, and is never used again in a predictable sequence today (or tomorrow, or next week). Or, if you really want to be different - stroke the port using any of the OTHER 137 protocols _besides_ TCP or UDP that are acceptable in an IP packet.

Is network programming not your favorite task?

[compton ~]$ whatis hping2 nc ngrep
hping2 (8) - send (almost) arbitrary TCP/IP packets to network hosts
nc (1) - TCP/IP swiss army knife
ngrep (8) - network grep
[compton ~]$

And if those aren't on your *nix box now, I'd bet it takes less than 3 minutes to locate the tarballs.

Old guy

Reply to
Moe Trin
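The active "security signature" probe that Jeff Liebermann and Moe Trin describe above, as an added example that is not code from this thread or from either poster: each legitimate host is expected to refuse a handful of ports (137-139, 445 in Moe's setup) and to answer on one agreed, otherwise unused port; a machine that borrowed a known IP and MAC but does not show that exact pattern is flagged as an impostor. The port numbers in the profile are the thread's, the profile itself and the helper names are assumptions, and the demo targets a listener on 127.0.0.1 created in-process so it runs offline. The ICMP Type 12 reply Moe mentions needs raw sockets and is not reproduced here; the marker port simply completes the TCP handshake.

```python
"""Active signature check: does a host refuse the ports it should and
answer on the one marker port it should?  Added example, not from the
thread.  Port profile and helper names are assumptions."""
import socket

# Example profile in the spirit of Moe Trin's setup (assumed values).
LEGIT_PROFILE = {137: "refused", 138: "refused", 139: "refused",
                 445: "refused", 15150: "open"}

def probe(host, port, timeout=1.0):
    """Classify one TCP port on `host` as 'open', 'refused' or 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:              # timeout, unreachable, etc.
        return "filtered"
    finally:
        s.close()

def matches_signature(host, expected, prober=probe):
    """expected: {port: state}.  Every port must show exactly the expected
    state; an open 445 or a silent marker port both fail the host."""
    results = {port: prober(host, port) for port in expected}
    return all(results[p] == expected[p] for p in expected), results

def free_port():
    """Allocate and immediately release a loopback port: nothing listens there,
    so a probe against it must come back 'refused'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def start_marker_listener():
    """Stand-in for the responder on a legitimate host.  With listen() the
    kernel completes handshakes into the backlog, so the probe sees 'open'
    without an accept() loop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv

def demo():
    """Legit host answers on the marker port and refuses the decoy port.
    Once the real owner 'goes offline' (listener closed), the same address
    no longer matches the signature and would be treated as an impostor."""
    srv = start_marker_listener()
    marker_port = srv.getsockname()[1]
    closed_port = free_port()
    expected = {marker_port: "open", closed_port: "refused"}
    legit, _ = matches_signature("127.0.0.1", expected)
    srv.close()
    impostor, _ = matches_signature("127.0.0.1", expected)
    return legit, impostor

if __name__ == "__main__":
    print(demo())   # expected (True, False)
```

For a real LAN you would call `matches_signature(ip, LEGIT_PROFILE)` for each address in your host list from the same cron job that refreshes the ARP table. As Jeff says, this is weak authentication: anyone who has watched the probes can learn the pattern, so it is a tripwire for casual squatters, not a substitute for 802.1x.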

BEEEEEEEEPPPPP BEEEEEEEEPPPPP BEEEEEEEEPPPPP "Missile launch in 30 seconds"

Less spyware than Internet spam - At work, we port shift outgoing DNS queries (about the only UDP allowed through the firewall now) so that there is nothing going out using ports 1025 to (say) 1075. Our upstream can therefore just drop all inbound UDP in those ranges, so that even if we _had_ any windoze boxes, they wouldn't see that crap. As messenger is not an Internet standard, our non-windoze boxes ignore it anyway.

10, 9, 8, 7 ;-)

Old guy

Reply to
Moe Trin

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.