How to tell if your wi-fi connection has been compromised?

Hi,

I've been running a wireless network under WPA-Personal encryption for about a year now.

I've just helped a (non pc-literate) friend install a secured wireless network. She asked me "how do I know if this network gets hacked?"

And, do you know, I couldn't answer her! I assumed any decent encryption would deter any casual war-drivers and the like so it's not a question that I've ever considered.

So... how would you know? Presumably there's software out there that'll flag up intrusion attempts?

Reply to
noel.wester

If the hacker was using a DHCP IP from the wireless router, then you would see an IP issued to a MAC, which is a unique ID assigned to each NIC, wired or wireless, that has connected to the router. You can compare the IPs and associated MACs in the router's DHCP table screen to the MACs on the private LAN by going to each machine on the private LAN, doing ipconfig /all, and comparing the MAC(s).

But a hacker can use a static IP on the router so that it doesn't show in the router's DHCP table. If the router has a syslog feature, then you can use something like Wallwatcher or other such software and you can see all IPs, DHCP or static, and see what connections are being made.

formatting link
These are just two ways. I am sure there are more on the wireless side of the situation.

Duane :)

Reply to
Duane Arnold
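As an added example (not code from the thread or from Duane), here is a small checker that performs the two comparisons described above: it reads a router's DHCP client table, flags leases whose MAC does not belong to any machine you collected with ipconfig /all, and then scans syslog-style connection records for LAN addresses that hold no lease at all, which is the static-IP case. The table layout, the log format and all addresses are constructed assumptions, not the output of any particular router.

```python
# Added example, not code from the thread: implements Duane's two checks.
# Table/log formats, addresses and MACs below are constructed assumptions.
import re
from ipaddress import ip_address, ip_network

# Constructed DHCP client table as a router might display it.
DHCP_TABLE = """\
Client Name   IP Address      MAC Address         Expires
desktop-pc    192.168.1.100   00:1A:2B:3C:4D:5E   23:14:02
laptop        192.168.1.101   00:1A:2B:3C:4D:5F   22:51:30
(unknown)     192.168.1.107   00:AA:BB:CC:DD:EE   23:58:11
"""

# MACs gathered by running ipconfig /all on each of your own machines
# (constructed; Windows prints them with dashes, routers usually with colons).
KNOWN_MACS = {"00-1A-2B-3C-4D-5E", "00-1A-2B-3C-4D-5F", "00-1A-2B-3C-4D-60"}

# Constructed syslog-style outbound connection records (format assumed).
SYSLOG = """\
Jan 10 21:03:11 router: OUT 192.168.1.100:51234 -> 203.0.113.5:443 TCP
Jan 10 21:03:12 router: OUT 192.168.1.107:60001 -> 198.51.100.9:80 TCP
Jan 10 21:03:15 router: OUT 192.168.1.250:44444 -> 192.0.2.77:6881 TCP
Jan 10 21:03:16 router: OUT 192.168.1.1:123 -> 192.0.2.10:123 UDP
"""

LAN = ip_network("192.168.1.0/24")
KNOWN_STATIC_IPS = {"192.168.1.1"}   # the router itself plus any static hosts you set up

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")
CONN_RE = re.compile(
    r"OUT (\d{1,3}(?:\.\d{1,3}){3}):\d+ -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\w+)")


def norm_mac(mac):
    """Put 00-1a-2b-3c-4d-5e and 00:1A:2B:3C:4D:5E into one comparable form."""
    return mac.upper().replace("-", ":")


def parse_dhcp_table(text):
    """Return {ip: mac} for every lease row in the router's DHCP table."""
    leases = {}
    for line in text.splitlines():
        ip_m, mac_m = IP_RE.search(line), MAC_RE.search(line)
        if ip_m and mac_m:
            leases[ip_m.group(1)] = norm_mac(mac_m.group(0))
    return leases


def unknown_dhcp_clients(leases, known_macs):
    """Leases whose MAC does not belong to any machine you own."""
    known = {norm_mac(m) for m in known_macs}
    return {ip: mac for ip, mac in leases.items() if mac not in known}


def leaseless_lan_sources(syslog_text, leases, known_static_ips=KNOWN_STATIC_IPS):
    """LAN addresses that generate traffic but hold no DHCP lease and are not
    a static host you configured yourself: the static-IP case."""
    hits = {}
    for line in syslog_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        src, dst, port, proto = m.groups()
        if ip_address(src) in LAN and src not in leases and src not in known_static_ips:
            hits.setdefault(src, []).append(f"{dst}:{port}/{proto}")
    return hits


if __name__ == "__main__":
    leases = parse_dhcp_table(DHCP_TABLE)
    for ip, mac in unknown_dhcp_clients(leases, KNOWN_MACS).items():
        print(f"unknown DHCP client {ip} ({mac})")
    for ip, conns in leaseless_lan_sources(SYSLOG, leases).items():
        print(f"traffic from {ip} with no lease: {', '.join(conns)}")
```

Keep the list of your own MACs and static addresses current, otherwise a newly added printer or phone reads like an intruder; a lease with an unknown MAC and a LAN address that never appears in the DHCP table are both only leads that still need checking against the machines you actually have.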

Wireless is pretty insecure in that way: there are no obvious ways to tell, especially with high-street routers.

Like mentioned before there are a few traces that can be found but unless you know what you are looking for they are pretty useless.

I suppose protecting your wireless network securely and correctly in the first place is the only answer to this.

Richard Grant _________________

formatting link

Duane Arnold wrote:

Reply to
richgrant

snipped-for-privacy@webtribe.net hath wroth:

(...)

Good question. It's exactly like someone breaking into your house while you're away. You can tell because something is missing, something is messed up, or something is added. If you had a burglar alarm, the alarm might go off if someone broke in and did nothing (tourist). The alarm can also go off because of door rattlers, critters, earthquakes, etc.

The computer version is identical. There are programs that you can run that will detect, block, notify, and log intrusion attempts. For example:

- formatting link (use Log Viewer)
- formatting link (works on a limited set of routers and gives considerably more info than just intrusion attempts)

Also a wide variety of SNMP based systems.

These are the burglar alarms that will indicate that something unusual or unexpected is happening or has happened. The problem is that they generate considerable output and require some vigilance on the part of the user. Knowing what an attack looks like and what things look like normally are also helpful.

Something missing is often easy to miss. More likely, the files that are missing were copied and not removed. For example, some attacker copying the registry files and cracking the passwords at their leisure is difficult to detect. Same with copying personal documents. If you leave important documents on your machine, at least encrypt them so they don't get stolen.

More commonly, something gets added or replaced on your machine. That's the virus, worm, trojan horse, key logger, spam reflector, or similar evil software. For example, an installed key logger will build a file of all your keystrokes, and send it off to the evil hacker. If there are any passwords or credit card numbers in there, they can be extracted. In most cases, such malware can be detected by a virus scanner and a spyware scanner. The problem with these is that they often detect the added or replaced file AFTER it has been installed. By then, it may be too late. Some of these can be detected by the network traffic they generate, but that requires more monitoring.

When I clean a machine from malware, the most common question is "where did it come from". Quite often, the question revolves around wireless security, which is rarely the culprit. I have yet to see much in the way of direct wireless attacks by hackers installing malware. Unfortunately, I've seen the exception. Customer goes to a hotel and decides to save dollars by using an open access point instead of the pricey hotel system. The open system had a script running that detected connections, looked for open shares, and filled his machine with executables that were full of malware. This is not exactly your situation, but should be considered. If you're worried about someone breaking into your wireless system, one also should worry about them breaking into the computers on the LAN.

In most cases, the break-in doesn't even touch the computers on the LAN. The attacker doesn't want to destroy your system. They want to use your broadband internet connection to surf the net for free. The politics and legalities get thick at this point. Policy can be anything from wide open permissive to draconian security measures. You decide for yourself. There are systems designed to make it easy:

formatting link
My attitude is that I don't mind people using my internet connection as long as I know who they are and how to contact them. Of course, abuse, spamming, excessive traffic, file sharing, p*rn, etc are discouraged.

The various software packages are useful for detecting such wireless tourists. You can also see them appear in the router logs and sometimes in the DHCP table. However, these again require log reading and vigilance. Most commonly, an unwanted user is detected by the traffic they generate. I get calls asking if it's normal for the wireless light on the router to be flashing all the time and for the connection to be slower than a snail. This is usually an obvious clue that someone is using the wireless. Just watching the lights is a helpful clue, but not a guaranteed burglar alarm. It's also subject to false alarms, such as when various software packages decide to do their updates.

In general, WPA with a sufficiently long and complex encryption key is sufficient security. The real weakness with such a shared key is that users can "leak" the encryption key. I went to a party once and noticed that the WPA key was scribbled on a piece of paper near the router. During the party, I declared that I could crack the encryption in a few minutes. I did some hand waving, some magical incantations, and I was instantly on their wireless network. I was hailed as a great hacker. Then I told them that I already knew the encryption key in advance and how I found it. If you leave the key in plain sight, expect to be hacked by your friends.

Reply to
Jeff Liebermann
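As an added example (not Jeff's code, and not part of the thread), here is the file-level version of the "missing, messed up, or added" burglar alarm he describes: take a baseline of SHA-256 hashes while the machine is known good, keep that baseline somewhere the machine cannot alter, and compare a fresh snapshot against it later. The directory contents and file names are constructed for the demonstration.

```python
# Added example, not code from the thread: a minimal file-integrity baseline
# following the missing / replaced / added framing. Paths are constructed.
import hashlib
import os
import tempfile


def file_sha256(path):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file below root (path relative to root) to its hash."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = file_sha256(full)
    return result


def compare(baseline, current):
    """Classify differences between two snapshots the way a burglary is noticed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "replaced": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    """Helper for the demo: create rel (a constructed path) under root."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed directory, baseline it, then make one change of each kind."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/service.exe", b"original program")
        _write(root, "docs/letter.txt", b"private letter")
        _write(root, "docs/budget.xls", b"numbers")
        baseline = snapshot(root)
        _write(root, "bin/helper.dll", b"something new")        # added
        _write(root, "bin/service.exe", b"modified program")    # replaced
        os.remove(os.path.join(root, "docs", "letter.txt"))     # missing
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

This catches the added and replaced files Jeff says are the common case; it does nothing for his harder case, a file that was merely copied, because reading a file leaves its hash unchanged. It also shares the burglar-alarm problem he raises: every software update shows up as a batch of "replaced" files, so the baseline has to be refreshed after each legitimate change or the alarm becomes noise.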

Yes indeed. It's called a firewall.

Reply to
Axel Hammerschmidt

- Run
  formatting link
- Make a rule in the firewall to deny UDP port 53 outbound from ANY machine except the computer running DNS Redirector
- Change the DHCP scope of the LAN to hand out the IP of the computer running DNS Redirector as the default DNS server
- Set Logging=Full in the dnsredir.ini file, look for any IPs that aren't yours and see where they are surfing to.

snipped-for-privacy@webtribe.net wrote:

Reply to
JPElectron
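As an added example (not JPElectron's code, and not DNS Redirector's own logging format), the following models the firewall rule from the steps above and then reads a query log the way the last step suggests: every query from a client address that is not one of yours is grouped by the name it looked up. The log line layout, the resolver address and the host names are constructed assumptions.

```python
# Added example, not code from the thread or from DNS Redirector: models the
# "UDP 53 only from the resolver" rule and mines a constructed query log for
# addresses that are not yours. Log format, IPs and names are assumptions.
import re
from collections import Counter, defaultdict

RESOLVER_IP = "192.168.1.2"          # machine running the logging DNS forwarder (constructed)
KNOWN_HOSTS = {"192.168.1.2", "192.168.1.100", "192.168.1.101"}   # your own machines

# Constructed query-log lines: "date time client qtype name".
DNS_LOG = """\
2007-03-02 20:11:04 192.168.1.100 A www.example.com
2007-03-02 20:11:09 192.168.1.101 A mail.example.net
2007-03-02 20:12:31 192.168.1.137 A files.example.org
2007-03-02 20:12:40 192.168.1.137 A tracker.example.org
2007-03-02 20:12:41 192.168.1.137 A files.example.org
"""
LINE_RE = re.compile(r"^(\S+ \S+) (\d{1,3}(?:\.\d{1,3}){3}) (\w+) (\S+)$")


def dns_egress_permitted(src_ip, proto, dst_port, resolver_ip=RESOLVER_IP):
    """The posted rule: outbound UDP/53 is denied from every machine except
    the resolver; traffic that is not UDP/53 is not touched by this rule."""
    if proto.upper() == "UDP" and dst_port == 53:
        return src_ip == resolver_ip
    return True


def parse_dns_log(text):
    """Return (timestamp, client_ip, qtype, qname) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groups())
    return records


def queries_from_unknown_hosts(records, known_hosts=KNOWN_HOSTS):
    """Group lookups by client addresses that are not yours: {ip: {name: count}}."""
    report = defaultdict(Counter)
    for _ts, client, _qtype, qname in records:
        if client not in known_hosts:
            report[client][qname] += 1
    return {ip: dict(c) for ip, c in report.items()}


if __name__ == "__main__":
    for ip, names in queries_from_unknown_hosts(parse_dns_log(DNS_LOG)).items():
        print(f"{ip} looked up: {names}")
```

Two things worth noting when applying this: the rule as posted covers UDP only, so a client that resolves names over TCP port 53 is not forced through the logging resolver, and a matching deny for TCP 53 closes that gap; and an unfamiliar client address in the log is a lead rather than a verdict, so the next step is to match it against the router's DHCP table and your own machines, as Duane described earlier in the thread.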

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.