How to see ALL wireless devices in range?

I have various tools such as Xirrus, Network Stumbler and inSSIDer that allow me to see Wireless Access Points, but what I'd like to be able to do is see all wireless devices, eg laptops, smartphones, etc.

Surely the same technology that detects WAPs should be able to see anything else? Is there such a product, preferably that runs on Windows?

Reply to
AnthonyL

Kismet. Hit "c" to show client radios:

Kismet will run on Windoze under Cygwin. I'm not sure if it will show clients as the Windoze device drivers have some limitations as to what they will allow you to sniff.

Otherwise, download and run Kismet from a Linux DVD or flash drive.

Reply to
Jeff Liebermann

Download wireless network watcher from nirsoft.net

Reply to
Wawa Don

Not really what the OP is looking for - it's just your normal IP ping inventory-gathering utility.

Reply to
ps56k

Thank you. Just to clarify - will Kismet let me see any client regardless of whether or not it is connected to my network?

I don't want to sniff data, I just want to know what client devices are in the vicinity.

Reply to
AnthonyL

A nice handy set of utilities which I have downloaded anyway but as Jeff says they won't let me see client radios under Windows.

Reply to
AnthonyL

Correct, and I can get that information just by looking at Attached Devices in the router admin. Nice to get an HTML report though, which I've pasted into Word and added relevant configuration information to.

Reply to
AnthonyL

Yes. Kismet is a passive sniffer (i.e. doesn't transmit) and will detect all wireless devices and capture all wireless traffic.

Reply to
Jeff Liebermann
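Added example (not from this thread and not Kismet's own code) of the classification a passive sniffer has to do to list "client radios" alongside access points. It reads monitor-mode frames (a radiotap header followed by the 802.11 MAC header), and from the frame type and the To-DS/From-DS bits works out which address is the access point and which is a client. Clients that only send probe requests and never associate with any BSSID are reported separately, which is the "regardless of whether or not it is connected to my network" case asked about above. Nothing is transmitted. The sample frames are constructed by hand; the header layout follows the 802.11 standard and the radiotap header is the form Linux monitor-mode interfaces and linktype-127 pcaps deliver.

```python
"""Passive 802.11 station inventory: who is transmitting in range, and whether
each radio behaves like an access point or a client.  Added example; not Kismet.
Input: monitor-mode frames as bytes, each prefixed by a radiotap header.
"""
import struct
from collections import defaultdict

BROADCAST = b"\xff" * 6

def mac_str(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)

def is_group(addr: bytes) -> bool:
    # Group bit (LSB of the first octet): multicast/broadcast, never a station.
    return bool(addr[0] & 0x01)

def parse_frame(raw: bytes):
    """Return (ftype, subtype, to_ds, from_ds, addr1, addr2, addr3), or None when
    there is no transmitter address to attribute (ACK/CTS, junk)."""
    if len(raw) < 4:
        return None
    version, _pad, rt_len = struct.unpack_from("<BBH", raw, 0)   # radiotap: u8 ver, u8 pad, u16le len
    if version != 0 or rt_len > len(raw):
        return None
    body = raw[rt_len:]
    if len(body) < 24:               # a three-address MAC header is 24 bytes; ACK/CTS are shorter
        return None
    fc0, fc1 = body[0], body[1]      # frame control, little-endian
    if fc0 & 0x03:                   # protocol version must be 0
        return None
    ftype, subtype = (fc0 >> 2) & 0x03, (fc0 >> 4) & 0x0F
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    return ftype, subtype, to_ds, from_ds, body[4:10], body[10:16], body[16:22]

def build_inventory(frames):
    """Map MAC -> {role, bssids, frames}.  'frames' counts what the station itself
    transmitted; a station can also be inferred merely from being addressed."""
    inv = defaultdict(lambda: {"role": set(), "bssids": set(), "frames": 0})

    def seen(addr, role, bssid=None, transmitted=False):
        if is_group(addr):
            return
        rec = inv[mac_str(addr)]
        rec["role"].add(role)
        if role == "client" and bssid is not None and not is_group(bssid):
            rec["bssids"].add(mac_str(bssid))
        if transmitted:
            rec["frames"] += 1

    for raw in frames:
        parsed = parse_frame(raw)
        if parsed is None:
            continue
        ftype, _subtype, to_ds, from_ds, a1, a2, a3 = parsed
        if ftype == 0:                              # management
            if a2 == a3:                            # TA is the BSSID: beacon, probe/assoc response ...
                seen(a2, "ap", transmitted=True)
            else:                                   # probe/assoc/auth request from a station
                seen(a2, "client", bssid=a3, transmitted=True)
                seen(a3, "ap")                      # a3 is broadcast in probe requests -> ignored
        elif ftype == 2:                            # data; the DS bits say which address is the AP
            if to_ds and not from_ds:               # station -> AP   (a1 = BSSID, a2 = SA)
                seen(a2, "client", bssid=a1, transmitted=True)
                seen(a1, "ap")
            elif from_ds and not to_ds:             # AP -> station   (a1 = DA, a2 = BSSID)
                seen(a2, "ap", transmitted=True)
                seen(a1, "client", bssid=a2)
            elif not to_ds and not from_ds:         # IBSS / ad hoc   (a3 = BSSID)
                seen(a2, "ibss", transmitted=True)
            else:                                   # 4-address WDS frame between bridges/repeaters
                seen(a2, "wds", transmitted=True)
                seen(a1, "wds")
        # control (1) and extension (3) frames carry no usable transmitter/role information
    return dict(inv)

def unassociated_clients(inv):
    """Clients that transmitted but were never tied to a BSSID: devices just probing as they pass."""
    return sorted(m for m, r in inv.items() if "client" in r["role"] and not r["bssids"])

# --- constructed sample capture (not a real recording) -----------------------
def mk_frame(ftype, subtype, a1, a2, a3, to_ds=False, from_ds=False):
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)        # 8-byte radiotap header, no fields present
    fc = bytes([(subtype << 4) | (ftype << 2), (0x01 if to_ds else 0) | (0x02 if from_ds else 0)])
    return radiotap + fc + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + b"\x00" * 8

AP1, AP2 = bytes.fromhex("001122334455"), bytes.fromhex("0066778899aa")
STA_A, STA_B, STA_C = (bytes.fromhex(h) for h in ("02aaaaaaaaaa", "02bbbbbbbbbb", "02cccccccccc"))
SAMPLE_FRAMES = [
    mk_frame(0, 8, BROADCAST, AP1, AP1),              # beacon from AP1
    mk_frame(0, 4, BROADCAST, STA_A, BROADCAST),      # probe request from STA_A (just passing by)
    mk_frame(0, 4, BROADCAST, STA_A, BROADCAST),      # ... and another
    mk_frame(2, 0, AP1, STA_B, AP1, to_ds=True),      # data STA_B -> AP1
    mk_frame(2, 0, STA_B, AP1, AP1, from_ds=True),    # data AP1 -> STA_B
    mk_frame(0, 0, AP2, STA_C, AP2),                  # association request STA_C -> AP2
    struct.pack("<BBHI", 0, 0, 8, 0) + b"\xd4\x00\x00\x00" + STA_B,   # ACK: receiver address only
]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FRAMES)
    for mac, rec in sorted(inv.items()):
        print(f"{mac}  {'/'.join(sorted(rec['role'])):<6}  tx={rec['frames']}  bssids={sorted(rec['bssids'])}")
    print("probing only, never associated:", unassociated_clients(inv))
```

To run it against a real capture, read the frames from a monitor-mode pcap (linktype 127) with whatever pcap library you have to hand and pass the raw packet bytes to build_inventory; reading pcap files is deliberately left out here. Note the caveat that matches the thread: a device with its wireless off, or one that happens not to transmit while you listen, is invisible to a passive sniffer, and hidden-SSID networks still show up because their BSSID is in every beacon.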

Thanks again. I'll create a Linux disk for my Windoze machine and see how I get on.

Reply to
AnthonyL

Funny you should mention Kismet. I hadn't run it in months and for some reason I felt like setting it up yesterday using the latest "git". I see a few Vizio TVs and a wireless tivo. Otherwise the same old same old.

Apple is still doing well based on my "study". Nearly everyone is using encryption. Why anyone would not use encryption is beyond me.

I hate Cygwin. I suppose if somebody set it up for you and plug and play, it may not suck.

Needless to say, your wifi needs "monitor" mode for kismet to work. My chipset of choice is the rtl8187l.

Backtrack is a good idea. You should try to hack yourself once in a while. I'm not all that concerned about the wired lans and such, but wifi is another story. I set up DD-WRT. I forget the buzzword, but I believe I isolated the wifi from the wired.

Reply to
miso

In the kismet.conf file, there is a section about "Is the transmission of the keys allowed." I turn this off since I'm not going to WEP crack. I don't use WEP and sure as hell am not going to crack some network I don't own. I believe this is the only condition where kismet will transmit.

I also don't enable pcapdump in the log. It eats up space on the drive, and I don't want any packets stored. [Don't confuse me with Google.] I just want to know who is out there and what channels they are using.

It is interesting to use kismet in the boonies or at repeater sites. Quite a bit of (I presume) telemetry goes over wifi for repeaters. In the boonies, there is the occasional wifi for infrastructure. Trains, for instance. Also power lines.

Reply to
miso

The RF smog is substantially wider than what you can ping. In fact, I tweak my router to make long distance use less effective.

So you really want a passive sniffer, just to see who is out there and where they are talking.

Reply to
miso

Not sure if that is a statement or a question.

I recently had a report from my ISP that spam was coming from my static IP eg:

Received: from [my.ip.nnn.nn] (helo=uydhnswb)

In a belt and braces exercise I:

1) Scanned the two Windows machines (one XP one Win 7) with various virus and malware scanners but they were clean.

2) Blocked Port 25 on the router and set all email to go port 587 using STARTTLS

3) Set router logs on.

4) Checked that the router (Netgear D834G V5) could not be accessed from the outside. It has a strong password (well, 11 characters, mixed case and numbers, not spelling any word).

5) Altered the WPA2-PSK passphrase, which is only 8 alphanumeric characters but hopefully enough (it is surprising how many wireless devices one now has: an old XP, an Android tablet, two mobile phones, a Wii).

I used to have entries such as:

[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is dropped! Wednesday, Apr 17,2013 20:35:29

[DOS Attack] : 1 [ACK Scan] packets detected in last 20 seconds, source ip [64.120.227.243] Friday, Apr 19,2013 16:59:00

and I think I had an unexpected activity on an internal IP (10.x.x.n) but I seem to have lost it.

My ISP is expecting a deluge of Port 25 attempts at some stage, though the router logs have been clear since I shut it down overnight a few days ago.

My router logs are not helped by the fact that every time the internet disconnects, which is frequent as I live in a small remote village, the router loses its date/time and reverts to 01 Jan, 2003.

Anyhow, there are one or two people in this small community who I don't trust, nor their friends, and I want to see what devices are passing by or are regularly in the vicinity. The house is 15m set back from the road and I'm hoping that is too far, but then the router is on the window sill.

So that is why I'm having to do home IT support and waiting for a "b_o_m_b" to go off :(

Any sensible suggestions welcomed.

Reply to
AnthonyL

That's the beginning of an SMTP session. Most likely, you have some flavor of virus on one of your machines that is sending out spam.

Bad assumption. Most spambots only operate when your machine is NOT busy.

Yep. Your router is sending spam from some machine.

Run your router off a UPS or gel cell battery if 12V. Or, enable NTP in the router config.

Ahem... are you sharing your static IP with friends and neighbors? Since the only thing the ISP is seeing is the outgoing traffic, it all looks like it's coming from your static IP. I suggest you inspire your friends and neighbors to clean up their mess.

Sniff the traffic on the WAN (internet) side of your router using Wireshark. If you see outgoing SMTP traffic, then try to determine which of your local LAN IP's is generating the traffic. You may have to do some wireless sniffing, but it's much easier to just force a wireless disconnect while it's happening and see if the traffic stops.

Reply to
Jeff Liebermann

(...)

Compliments of Aaron Leonard:

802.11 Sniffer Capture Analysis

Wireless Sniffing in Windows 7 with Netmon 3.4

and much more on 802.11:

Reply to
Jeff Liebermann

As I've mentioned, I've run a variety of checks. My XP machine has AVAST which I've run, and my wife has Win 7 with MSE which I've run; then I've downloaded and run Eset and Trend Micro on both machines, plus Malwarebytes. Both machines are kept fully patched. I run Netvada software firewall which requests permission for any new program. I'm stuck as to how to uncover the culprit if there is one.

I haven't yet tested the Toshiba Android Tablet, and I don't know how to test the Windows HP514 or the Nokia E72 smartphones but their wirelesses are rarely on. I assume the Wii is safe.

The one thing that seems to generate traffic when the machine is not busy is Skype, which is installed on both machines. I have NetWorx running so I can easily see any activity, and I often shut Skype down as I believe they (m$oft?) use peer-to-peer when they can to load-share their traffic.

Well there had been about a dozen when the ISP alerted me. They were expecting a deluge and I'm waiting for them to appear in the router logs as it now reports any attempts to Port 25 but they have yet to materialise.

The router is on a UPS and NTP is enabled. The connection is almost certainly dropped somewhere on the line to the exchange. A few months ago we (the ISP and me) tried to isolate where it could be. The router is plugged straight into the master socket now. There is a consistent event at around 3.20am but neither I nor my neighbours have anything running at that time. Otherwise I get about 4 or 5 drops a day. I have a quality filter. Until we get decent copper in and a route away from overhead power lines I think it is just something we have to live with - but it messes up my logs.

Absolutely not. And I wouldn't know how. Router connected direct to telephone line. I have an NSA that I played with enabling for external access but it hasn't been switched on since last October and I disabled all the associated settings on the router (except I note I have UPnP still enabled).

I could email you my IP if you want to see if you can break in.

One fear is that my old neighbours were without phone and internet prior to moving and I set them up to access my wireless. There is a remote possibility they gave the key to my new neighbour whose friends I wouldn't trust and that is why I've changed the key - but it is not very likely that they did that unless they wrote it down and left the piece of paper lying around.

Well as I've set a rule to disable Port 25 I get a log entry, eg when I tried to Telnet port 25 it fails and get the entry:

Firewall: packet drop. 10.0.0.151(4788) --> [mailhost address](25), Protocol TCP. Wednesday, Jan 01,2003 08:29:16

That should I hope be sufficient.

There have been no unusual log entries for several days, but then there could be something just lurking.

Reply to
AnthonyL

since you are in a small area, you could also setup a "honeypot" WiFi router....

setup another "open" WiFi router, without connecting to the Internet, but with an open SSID and DHCP and see what you catch :)

Reply to
ps56k

Replace "so" with "thus." I've been hanging around the geeks for too long. However, if it was a question, I would have used "So do you.." and ended with a question mark. I am not of the grammar-challenged, broken-shift-key texting generation, though I probably am a bit grammar challenged.

I had a recent hacker attack and had the opportunity to run all the free anti-virus (AV) programs. When the dust settled, nothing was found. MS Security Essentials was good enough. What some of the other brands did was go into my email box and find mail I had already put in the trash or had moved to a folder via "rules" in Thunderbird that did contain viruses, but were never installed. [Seriously, who opens attachments these days?] Some were false positives based on looking up the viruses on the internet. I was surprised when the dust settled that no AV was really superior in this showdown. If you want the AV with the most false positives, that would be Kaspersky. Of course, it doesn't hurt to run down all those false positives.

My understanding is there is a virus clearing house of sorts, so all these AV programs eventually catch up to each other. It may be that one is better with heuristics than another, potentially catching a virus before it is known.

The vector for the hack attack was some OSS that the hosting company uses to provide web email. I hate web email. It encourages bad practices like letting the browser store passwords.

Reply to
miso

Don't try to find the culprit until after you've sniffed the WAN side traffic to make sure there's actually something worth uncovering. This won't be the first time an ISP has made a mistake. I dealt with an accounting package that would send an email (using its own SMTP client) every time the program would start up. The problem was that it was being run under VirtualBox, which somehow convinced the program that it should spew announcements every 5-10 minutes. The ISP was looking for identical messages, and found that mess. It took me a month to identify the culprit as I wasn't sniffing when the bookkeeper was using the machine. Anyway, try to see what's moving. The culprit is usually obvious once the traffic is identified.

I have no idea, nor do I think it's a good assumption to assume anything is safe.

That's normal. Skype uses a distributed directory server scheme, where everyone can act as directory server. Skype tends to generate lots of traffic. Shut it down while testing to avoid clutter.

Skype always uses peer-to-peer for calls and for directory lookups.

Sniff the WAN traffic. The easiest way is with a 10baseT (not 100baseT) ethernet hub (not a switch). Traffic in one port goes to all the ports in a hub. Plug it between your modem and router. Add a monitor PC running sniffer software, such as WireShark.

If your router is on a UPS and NTP is working, then it should NOT lose the clock settings. Something is wrong. Most likely the UPS isn't fast enough to stop glitches, which are resetting the router. If your unspecified model router is running from 12VDC, add a BFC (big fat capacitor) across the power connector going into the router, and you should be ok. I have about 20,000 uF 12V on some of mine, which is good for about 0.5 to 1 second of power loss for a typical 0.5A current draw router.

Drops for how long? I was getting that with my home DSL for a while. I had to climb the pole and rework some of the rotted connections and splices. End of problem. The clue was a slight crackle on the POTS line.

If you have a TDR (time domain reflectometer), you can locate the pole or box where there's a problem. It's not easy, takes experience, but can be done.

I think you mean NAS box. My Buffalo something NAS box created a bit of a problem when I had the built-in BitTorrent server enabled. I fixed that, but forgot the FTP server, which repeated the problem. Some day, I might even read the instructions.

Nope. Too busy. I have jury duty next week, and am trying to catch up on everything that resembles a potential crisis.

Bingo. Change the WPA2 key. Also look at the MAC addresses in the router client table to see if there's anything that you can't identify.

Fine, but it's still being generated by something on your network. Methinks it would be a good idea to find it instead of hiding it by blocking outgoing port 25.

Reply to
Jeff Liebermann

Yes I can do this but I like ps56k's idea of setting up a "honeypot". I've got spare WAP and router and providing I can log it is almost a zero effort exercise.

Router is Netgear D834G V5.

The drops are just for a few seconds. Nothing else eg digital clocks, phones etc are affected. No lights flickering. We are on the limit from the exchange, at least 6km. Many folk get nowhere near the

My stats show:

ADSL Link          Downstream   Upstream
Connection Speed   3328 kbps    448 kbps
Line Attenuation   61.5 dB      31.5 dB
Noise Margin       7.0 dB       16 dB

No. When my next door neighbour had a serious problem, BT (I'm UK based) ended up moving his telephone onto a different pair rather than track the problem. He never got over 1.2mbps.

Yes, NAS.

I have changed the key, there wasn't anyway but I now have a record of all MAC addresses.

Well blocking port 25 creates a log entry which is not hiding it, eg:

Firewall: packet drop. 10.0.0.151(3760) --> 212.23.3.98(25), Protocol TCP. Friday, Apr 19,2013 11:37:14 (this was me testing a telnet to port 25)

I'm not now getting entries so either it was a transient or there's something sleeping until May Day. The ISP has closed the incident.

Reply to
AnthonyL
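Added example (not from this thread and not a Netgear tool) of doing something useful with the D834G log lines quoted above rather than eyeballing them. It parses the three entry types that appear in the thread (Firewall packet drop, DOS Attack, Self2WAN), groups blocked outbound port 25 connections by LAN source, and separates a mail client talking to its one configured server from a host fanning out to many different MTAs, which is the pattern a spambot leaves behind a port 25 block. It also flags any entry stamped in 2003, since the thread establishes that the router's clock reverts to 01 Jan 2003 after a line drop until NTP catches up, so those entries cannot be ordered or correlated with anything. The first four sample lines are the ones quoted in the thread; the 10.0.0.17 and 10.0.0.23 lines are constructed, with RFC 5737 test addresses as destinations.

```python
"""Triage of Netgear D834G-style router log lines: which LAN host keeps trying
to reach port 25, how many distinct mail servers it tries, and which entries
carry the bogus 2003 timestamp written after a line drop.  Added example only.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

TS_RE = re.compile(r"(?P<ts>(?:Mon|Tues|Wednes|Thurs|Fri|Satur|Sun)day, "
                   r"[A-Z][a-z]{2} \d{2},\d{4} \d{2}:\d{2}:\d{2})\s*$")
TS_FMT = "%A, %b %d,%Y %H:%M:%S"       # e.g. "Friday, Apr 19,2013 11:37:14"
CLOCK_RESET_YEAR = 2003                 # the router's default date until NTP has resynced

PATTERNS = (
    ("fw_drop", re.compile(r"^Firewall: packet drop\. (?P<src>\S+)\((?P<sport>\d+)\) --> "
                           r"(?P<dst>.+?)\((?P<dport>\d+)\), Protocol (?P<proto>\w+)\.")),
    ("dos", re.compile(r"^\[DOS Attack\] : (?P<count>\d+) \[(?P<scan>[^\]]+)\] packets detected "
                       r"in last (?P<secs>\d+) seconds, source ip \[(?P<src>[^\]]+)\]")),
    ("self2wan", re.compile(r"^\[Self2WAN ICMP type (?P<icmp_type>\w+) Detected!\]")),
)

def parse_entry(line):
    line = line.strip()
    if not line:
        return None
    entry = {"kind": "other", "raw": line, "ts": None, "clock_reset": False}
    m = TS_RE.search(line)
    if m:
        entry["ts"] = datetime.strptime(m.group("ts"), TS_FMT)
        # An entry stamped in 2003 was written before NTP resynced: its time is meaningless.
        entry["clock_reset"] = entry["ts"].year == CLOCK_RESET_YEAR
    for kind, rx in PATTERNS:
        m = rx.match(line)
        if m:
            entry["kind"] = kind
            entry.update(m.groupdict())
            break
    if entry["kind"] == "fw_drop":
        entry["sport"], entry["dport"] = int(entry["sport"]), int(entry["dport"])
    return entry

def parse_log(text):
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]

def smtp_attempts(entries, port=25):
    """Per LAN source: blocked TCP attempts to `port`, distinct destinations tried,
    and how many of those attempts carried an untrustworthy (2003) timestamp."""
    out = defaultdict(lambda: {"attempts": 0, "dests": set(), "clock_reset": 0, "lan_source": False})
    for e in entries:
        if e["kind"] != "fw_drop" or e["dport"] != port or e["proto"].upper() != "TCP":
            continue
        rec = out[e["src"]]
        rec["attempts"] += 1
        rec["dests"].add(e["dst"])
        rec["clock_reset"] += int(e["clock_reset"])
        try:   # a non-RFC1918 source in an outbound drop would mean the rule is not where you think
            rec["lan_source"] = ipaddress.ip_address(e["src"]).is_private
        except ValueError:
            rec["lan_source"] = False
    return dict(out)

def suspect_hosts(summary, min_dests=3):
    """A mail client talks to its one or two configured servers; a spambot fans out
    to many different MTAs.  Distinct destinations, not volume, is the tell."""
    return sorted(src for src, r in summary.items() if len(r["dests"]) >= min_dests)

# First four lines quoted from the thread; the 10.0.0.17 / 10.0.0.23 lines are constructed.
SAMPLE_LOG = """\
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is dropped! Wednesday, Apr 17,2013 20:35:29
[DOS Attack] : 1 [ACK Scan] packets detected in last 20 seconds, source ip [64.120.227.243] Friday, Apr 19,2013 16:59:00
Firewall: packet drop. 10.0.0.151(4788) --> [mailhost address](25), Protocol TCP. Wednesday, Jan 01,2003 08:29:16
Firewall: packet drop. 10.0.0.151(3760) --> 212.23.3.98(25), Protocol TCP. Friday, Apr 19,2013 11:37:14
Firewall: packet drop. 10.0.0.17(49152) --> 203.0.113.10(25), Protocol TCP. Friday, Apr 19,2013 11:40:02
Firewall: packet drop. 10.0.0.17(49153) --> 203.0.113.11(25), Protocol TCP. Friday, Apr 19,2013 11:40:02
Firewall: packet drop. 10.0.0.17(49154) --> 198.51.100.5(25), Protocol TCP. Friday, Apr 19,2013 11:40:03
Firewall: packet drop. 10.0.0.17(49155) --> 198.51.100.6(25), Protocol TCP. Friday, Apr 19,2013 11:40:03
Firewall: packet drop. 10.0.0.23(50001) --> 203.0.113.80(80), Protocol TCP. Friday, Apr 19,2013 11:41:00
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    summary = smtp_attempts(entries)
    for src, r in sorted(summary.items()):
        print(f"{src:<12} attempts={r['attempts']} distinct_dests={len(r['dests'])} "
              f"untrusted_ts={r['clock_reset']} lan={r['lan_source']}")
    print("fan-out suspects:", suspect_hosts(summary))
```

On the sample, 10.0.0.151 (the poster's own telnet tests to one mail host) stays below the fan-out threshold, while the constructed 10.0.0.17 trying four different servers in two seconds is reported. The same grouping by LAN source is what Jeff's WAN-side Wireshark capture gives you with more certainty, since the router log only records what the port 25 rule happened to catch.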

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.