Intrusion Detection Tool?


Does there exist a software application for Windows XP that  
provides intrusion detection for wireless client? I am looking only  
for something that is more or less a *complete* package, not  
something where I have to fish around and install separate packages  
from different sources. I want something fairly easy to install and  
use.


Re: Intrusion Detection Tool?
On Sat,  9 Nov 2013 10:45:58 +0000 (UTC), Anonymous


Not exactly for a wireless "client" but might be what you need.
<http://home.comcast.net/~jay.deboer/airsnare/>
--  
Jeff Liebermann     jeffl@cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558

Re: Intrusion Detection Tool?
wrote:



Well, I must confess that I haven't tried Airsnare for many years.
I'll give it a try, when I have time.  Kinda busy right now.


Groan.  I hate it when that happens.  Here's a report from 2011 that
it works on Win 7 with WinPcap 4.12.  See reviews.
<http://download.cnet.com/AirSnare/3000-2092_4-10255195.html>


Serious Wi-Fi is an oxymoron.

If you must roll your own, search for a "MAC address scanner".
Hopefully, a program can be found that will produce an ordered list of
MAC addresses that it finds on the network.  Then, compare the list
with a previously saved list or with a "white list" of known MAC
addresses.  If it finds a new and unknown MAC address, fire off an
alarm.  Probably can be written in almost any programming language.
(Note:  I'm a lousy programmer).

Something like AngryIP:
<http://angryip.org/w/Screenshots>
should work, but only if the rogue MAC address has successfully
obtained an IP address.  It seems to be a common characteristic of
such programs.  That's a little like catching a burglar after they have
already entered the house.  Sniffing the network, like AirSnare, is
better, but scanning might be good enough.  Dunno.

Here's another that looks like it's worth a try:
<http://www.colasoft.com/mac_scanner/>

Nmap can also scan a range of IP addresses and produce the
corresponding MAC addresses:
   nmap -sP 192.168.1.0/24
I would provide a sample output, but it seems that my last adventure
in network shims has broken WinPcap and/or Nmap.  Sigh.  See #9 below:
<http://www.cyberciti.biz/networking/nmap-command-examples-tutorials/>

For Linux, try arp-scan:
<http://linux.die.net/man/1/arp-scan>
<http://www.nta-monitor.com/tools-resources/security-tools/arp-scan>
<http://www.youtube.com/watch?v=oou6qKXMMG0>


In all cases, the mechanism is the same.  Save the output and compare
it with a "white list" of MAC addresses.



Re: Intrusion Detection Tool?
wrote:


Nmap was radically out of date.  No clue how it got down-reved so
badly.  Probably some program I installed that included WinPcap, which
left WinPcap behind when I later uninstalled the program.  Argh.

Sample output on my office network:

C:\Nmap>nmap -sP 192.168.111.0/24
Starting Nmap 4.01 ( http://www.insecure.org/nmap ) at 2013-11-22
20:40 Pacific Standard Time
Host 192.168.111.1 appears to be up.
MAC Address: 00:22:75:D5:FE:40 (Unknown)
Host 192.168.111.9 appears to be up.
Host 192.168.111.85 appears to be up.
MAC Address: 00:01:E6:3F:54:A6 (Hewlett-Packard Company)
Host 192.168.111.101 appears to be up.
MAC Address: 00:0D:56:80:4F:51 (Dell Pcba Test)
Host 192.168.111.119 appears to be up.
MAC Address: 00:18:DE:A2:05:27 (Unknown)
Host 192.168.111.120 appears to be up.
MAC Address: 00:0E:08:DC:F8:42 (Sipura Technology)
Host 192.168.111.234 appears to be up.
MAC Address: 00:18:F5:02:3A:59 (Unknown)
Nmap finished: 256 IP addresses (7 hosts up) scanned in 4.922 seconds

192.168.11.9 does not show a MAC address because Windoze doesn't
support SYN scans on localhost.  Grumble...



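The "save the list, compare with a white list, alarm on anything new" mechanism Jeff describes, applied to the `nmap -sP` output he posted. This is an added example, not code from the thread; the scan text is a constructed excerpt of his sample output, the white list is hypothetical, and hosts that report no MAC address (his own machine in the scan) are reported separately rather than silently passed. As the later reply points out, a MAC white list cannot catch a client that spoofs an approved MAC, so treat this as a first-pass check, not a complete detector.

```python
"""Parse `nmap -sP` output and flag MAC addresses not on a known-good list.

Added example (not from the thread). Nmap 4.01 prints one "Host ... appears
to be up." line per host, followed by a "MAC Address:" line when it has one.
"""
import re

# Constructed excerpt of the scan output quoted in the thread.
SAMPLE_SCAN = """\
Host 192.168.111.1 appears to be up.
MAC Address: 00:22:75:D5:FE:40 (Unknown)
Host 192.168.111.9 appears to be up.
Host 192.168.111.85 appears to be up.
MAC Address: 00:01:E6:3F:54:A6 (Hewlett-Packard Company)
Host 192.168.111.101 appears to be up.
MAC Address: 00:0D:56:80:4F:51 (Dell Pcba Test)
"""

# Hypothetical white list: MACs the network owner has approved (lower-case).
KNOWN_MACS = {"00:22:75:d5:fe:40", "00:01:e6:3f:54:a6"}

HOST_RE = re.compile(r"^Host (\S+) appears to be up\.")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17}) \((.*)\)")


def parse_scan(text):
    """Return {ip: (mac, vendor)}; a host with no MAC line (e.g. the scanning
    machine itself, as noted in the thread) is stored as (None, None)."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = (None, None)
            continue
        m = MAC_RE.match(line)
        if m and current:
            hosts[current] = (m.group(1).lower(), m.group(2))
    return hosts


def audit(hosts, known):
    """Split hosts into unlisted MACs (alarm) and hosts with no MAC (unverified)."""
    unknown = {ip: v for ip, v in hosts.items() if v[0] and v[0] not in known}
    unverified = [ip for ip, v in hosts.items() if v[0] is None]
    return unknown, unverified


if __name__ == "__main__":
    bad, unsure = audit(parse_scan(SAMPLE_SCAN), KNOWN_MACS)
    for ip, (mac, vendor) in bad.items():
        print(f"ALARM: {ip} has unlisted MAC {mac} ({vendor})")
    for ip in unsure:
        print(f"NOTE: {ip} reported no MAC address; check it by hand")
```

To run it against a live scan, replace SAMPLE_SCAN with the saved output of `nmap -sP <your subnet>` and KNOWN_MACS with the MACs of your own clients.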

Re: Intrusion Detection Tool?
On 11/22/2013 8:47 PM, Jeff Liebermann wrote:

Really, you need to do this on linux. I've had nothing but aggravation  
with winpcap, especially on 64 bit systems. Of course, I have had  
problems with the disty version of Kismet at times, so you do need to be  
prepared to compile it yourself. Wireshark on the other hand has always  
been solid on linux over the years.

Note if you are looking for intruders, you need to look for MAC  
spoofers. That is, they will try to look like one of your clients.  
Kismet can detect spoofing. I'm not positive how, but IIRC the program  
looks for significantly different signal strength levels with the same MAC.

Most intruders will have weak signal strength and often be at the  
minimum data rate (1Mbps).

I set up the timing on DDWRT for a short range. Not aggressively short,  
since I didn't feel like experimenting to see what value finally breaks  
the service.

See sensitivity range: