Locking WiFi

page: 2
1
<< 1    3 >>

log in

join

posted on Nov, 29 2013 @ 07:58 PM
link   

PhoenixOD
One of the better forms of protection you can use is to replace you 360 degree omni directional aerial is a directional antenna. Then place your AP hard against a wall or corner of a room and point it into your house. You can then adjust the strength of the signal so it only goes to the other side of your house.

You can check the strength of the signal at the furthest point from your AP in your house using a wifi audit tool. There many free ones to choose from.

This is the system many clued up businesses use. If its done right then no one can read or mess with your wifi at all.

edit on 29-11-2013 by PhoenixOD because: (no reason given)


You know, I like to think I am mechanically inclined "for a woman". I change my own brakes, put up my own ceiling fans, have laid wood floors and tile, but I'm either just getting older and less patient, or that sounds a bit complicated for some reason to me. Hmmm, I will have to look into it if this doesn't work, and I thought I did pretty well limiting devices that can log on by my own mac addresses, and now you tell me it's lousy?!

Sigh.... hoping you are wrong or this kid isn't that creative!




posted on Nov, 29 2013 @ 08:36 PM
link   
reply to post by UnifiedSerenity
 


Yes it just takes a single command to spoof a MAC address



Don't rely on MAC filtering alone, however. Please, just don't. It's a bad idea. People seem to think "Oh, well, sure a determined attacker can get past it, but not anyone else." It doesn't take much determination at all to spoof a MAC address. In fact, I'll tell you how:

1 - "Listen" in on network traffic. Pick out the MAC address. This can be done with a plethora of freely available security tools, including Nmap.
2- Change your MAC address.

You can spoof a MAC address when using Nmap with nothing more than a --spoof-mac command line option for Nmap itself to hide the true source of Nmap probes. If you give it a MAC address argument of "0", it will even generate a random MAC address for you.


How to spoof a mac address

Spoofing MAc addresses in linux and windows

edit on 29-11-2013 by PhoenixOD because: (no reason given)



posted on Nov, 29 2013 @ 08:48 PM
link   
reply to post by PhoenixOD
 


You're just a thrill a minute Phoenix! Well, I haven't been knocked off all day, so maybe this will work. If I find other problems, I will look into your solution. I just hope the lil bast..... isn't reading ATS.



posted on Nov, 29 2013 @ 09:41 PM
link   
reply to post by UnifiedSerenity
 


Glad i could help..i think lol



posted on Nov, 29 2013 @ 11:09 PM
link   
reply to post by UnifiedSerenity
 


Ima gonna throw my 2¢ in here. Theres some misinformation and disinformation in this thread, but thats not the point of this reply.

Basically yes, they are proforming a deauthentication attack against your bssid. As it was talked about before, if you don't have de-auth sensing theres not much you can do, and I can tell you aprox 80% of consumer grade routers and switches do not* that being said, of that 80% about 75% of them support something called dd-wrt. Custom firmware for your router, in a linux-esk envrioment with WAY more control over your hardware.

Now that the back information is over with, what can you do? Well, locking down all mac addresses but those on your network is a good start, but ... it dosent help. really at all. a few simple commands on linux i can spoof your address, and bam im in. so what next?

Well you can turn off the broadcasting of your bssid, awesome! But now what? Given enough time/traffic which depends on your use and how far or close said attacker is, there will be enough packets sniffed to recover your ssid, go back to mac spoofing, and bam, im in again. so now what?

Well you can make it a bit harder for me, or someone like me to get in by reducing your beacon interval which is basically what it sounds like, how many times a second/minute a beacon gets sent out saying who i am and what i offer. But, again given enough time, data, and traffic, and depending on proximity they can and still will get in.

Now, as far as MITM yes, they exist, and what they specifically try to make vunerable is the stupidity of people. If you ever randomly disconnect, or your router restarts, windows (or what ever host OS your using) auto reconnects, and it never asks you for a password unless you removed it from the saved history.

So what can you do? All of the above. Make it as hard as possible for said attackers to get in, more often then not most attackers give up after a time limit. Personally for me its about 30 minutes. Doing pentesting if I cannot reveal a usable/spoofable mac address / bssid in under 30 minutes its likly that im not going to in the next 30 minutes. Most move on.

Also you could get a newer/nicer model router something that supports dualband, specifically the 5ghz range. Not many exploits and hacks have been made, not to say there isnt any, cause there is. But most of the hardware out there is very limited for support, and even less support for pentesters and scripters.

I didnt mention it, but you should be using WPA2 AES or AES/TKIP as it provides the most superior protection currently avaiable. use strangely long passwords.

And one last point about passwords, its not about the password, but how long it would take to crack it. mydogskip123 isnt nesseciarrly a bad password, 12 letters long, letters and numbers, its fair. but in a brute force scenario it would be cracked fairly quickly if done straight forward, with wpa2 aes protecting it, the password is hashed and salted making it much harder, and longer to crack, but again not impossible. and with todays graphics cards, even on the cheaper end of things most laptops can crunch about 10,000 passwords a second. In laymans? The average laptop made within the last 4 years, with just about any graphics card in it could crunch the entirety of WEP in under 1 day. @ 10,000 passwords a second, approx. 8 hours.

If youd like more information about anything, or links, sources, citations, or even information on how to do what your neighbor is doing, and alternativly how to do it back at him, or even just catch him doing it (because it is illegal) please let me know either here, or U2U as I don't want to break any T&C but at the same time, I find it my right to stand up against cyber bullies, or any bully for that matter.

So, TL : DR to recap, mac adress filtering is a good start, longer beacon interval times, not broadcasting bssid, all good things. But if you really want this nosey neighbor to go away, make it almost impossible for him to join in, and just start broadcasting on 5ghz.

Love and peace, and best of luck with the wifi.
edit on 29-11-2013 by tbonedude because: (no reason given)


"but I really want to identify who is doing this and politely deal with the situation.

Any ideas? "

Yes to this specifically, any laptop, almost any wireless card, any opperating system(even android, and im sure IOS) once you find his mac, weather hes spoofing or not, you can simply target just that address, and walk around until the beeping gets louder. kind of like a metal detector.

Look for a mac address that looks like this 00:11:22:33:44:55
edit on 29-11-2013 by tbonedude because: (no reason given)



posted on Nov, 30 2013 @ 12:53 AM
link   
There is some good information in this thread but also some soso info.

here is my 2 cents:

1 - do not broadcast SSID, and prevent ping or ICMP
2 - use wpa2
3- for your SSID make it as long and as random as possible
4 - use a really long strong password for the wpa2 like from here:
www.grc.com...

5 - change the mac address of your router if it allows it.
6 - use mac address authentication, in fact i would change the mac address of everything on your network if you can.
7 - change your DHCP scope, (the IP address pool) to something else like (10.33.26.14.0)
8 - update the firmware of your router.
9 - watch in your router, the "dhcp" hosts lists, your router keeps track of all machines it hands out an address to. anytime you see a host thats not yours regen a new password.
10 - see about getting a new router if you dont have one already. newer routers like dual band etc... have many more security features.
11 - if your router allows, you can wait for him to connect and block him. (then regen pass etc)


-GhostInshell



posted on Nov, 30 2013 @ 01:35 AM
link   
See, I knew I could get up to speed asking you ahem hacker know how types. I am using WPA AES, and have set my SSID with an odd password and spaces. So far so good. Hopefully, this person is not as savvy as you lot cause I don't want to go changing my mac address, and in fact while I have built 4 computers, fixed many over the years, I think I would rather get a root canal than deal with this crap!

Thanks again for all the info. You all have been great!



posted on Nov, 30 2013 @ 07:13 AM
link   
i see a lot of people talking about a secure pass-word , i always advise my clients to use a pass-phrase. Choose a memorable line from one of your favorite films and use that as a password.

For example :

ImHere2ChewBubblegumAndKickAss
ThereCanBeOnly1
YouCanTakeTheReadPllOrTakeTheBluePill



posted on Dec, 3 2013 @ 11:07 PM
link   
Stick with Steve Gibson's (GRC) password generator.

Regarding



Now, as far as MITM yes, they exist, and what they specifically try to make vunerable is the stupidity of people. If you ever randomly disconnect, or your router restarts, windows (or what ever host OS your using) auto reconnects, and it never asks you for a password unless you removed it from the saved history.


You can set up linux so it won't autoconnect. Autoconnect is generally a bad idea. Like who doesn't have a Starbucks autoconnect in their phone or computer. So it is easy for the hacker to set up a trap. Also autoconnect sends out requests that reveal your MAC and your proclivity for coffee. Or the name of that love shack where you partake of rental women. Or it reveals the name of your home router, which is handy for crazy stalkers.

Kismet is the sniffer used in Kali (and Backtrack, though I thought they don't exist anymore). You can just run kismet on any linux machine, but you do need to find compatible wifi adapters. Wireshark is in most linu repos as well.



posted on Dec, 4 2013 @ 11:01 AM
link   
For the home user, even with a neighbor who is trying to hack/steal your wifi. generally do the basic stuff.
and that; will, generally keep them out. see my post above.



posted on Dec, 6 2013 @ 10:40 AM
link   
Update:

Well, they are still hacking into my wifi .... grrrrrrrr

I want to figure out how to limit the range of my router, and hopefully one of you can tell me how to do that. I have a Netgear WNR 2000 v2. I have hidden my SSID, set an odd pass phrase, but they know my system id I guess. Have looked on how to change that, but not found it yet.

If I can't get this done, I guess I will invest in a newer router as suggested, but don't want to pay $200 + for one. I only have dsl, so I guess that is not an issue.

If any of you techy types have some suggestions to changing my ID (Router Identifier not password, I've changed password 3 times now) so they can't find it or limit my zone, that would be great.

If you have a price conscious option for a new router that is harder to hack, I'd love to hear it.

Thanks so much everyone! I know you techy types are shaking your heads wondering why this newb is still suffering, but all I can say is I have never been interested in hacking or taking advantage of others, and thus no desire to learn their tricks. Maybe this is a new calling for me to be a bad A$$ crime stopper.
edit on 6-12-2013 by UnifiedSerenity because: (no reason given)
edit on 6-12-2013 by UnifiedSerenity because: (no reason given)



posted on Dec, 6 2013 @ 11:13 AM
link   
I know its probably frustrating, but for "him" its more of a game. getting a new router would be best, but here are some things i would do: and how do you know someones on your wifi?

1 - do a factory reset on your router and then update it to its latest software.
2 - change your SSID to something random like: yk8234c9ssd6120000
3 - do not broadcast your SSID
4 - on all your computers update all the software on on every one and change every password on every account on them. also, run virus scans and remove any software that looks fishy like something you did not install if your unsure post it here, and we can help.
5 - use WPA2 and generate a password from here:
www.grc.com...
6 - Make sure, you set a strong password for the "admin" of the router itself.
7 - for the "scope' or the IP address range change it to something in the 10.0.0.0 range.

that should get you stated....



posted on Dec, 6 2013 @ 11:18 AM
link   
here are some netgear support links for you:

kb.netgear.com...


kb.netgear.com...

kb.netgear.com...



posted on Dec, 6 2013 @ 06:38 PM
link   

Ghostinshell
here are some netgear support links for you:

kb.netgear.com...


kb.netgear.com...

kb.netgear.com...





Thanks, I have done all of that. Someone suggested today that it might be a hijack from online somewhere and not someone living near me. Would standard AVAST type anti virus or malware bytes detect that?



posted on Dec, 6 2013 @ 09:08 PM
link   

UnifiedSerenity
If you have a price conscious option for a new router that is harder to hack, I'd love to hear it.

edit on 6-12-2013 by UnifiedSerenity because: (no reason given)
edit on 6-12-2013 by UnifiedSerenity because: (no reason given)


A lot of router firmware has backdoors implemented by using a complicated user agent in the browser. You need DDWRT. It is open source, so if there is a back door, somebody would have found it. If you don't want to buy a Buffalo router with DDWRT installed, you can probably find a used router on Craigslist and hack it.

routers that support ddwrt

A Buffalo N450 is only $90 on Amazon. You get DDWRT right out of the box. The full number is WZR-HP-G450H . The Buffalo N450 CPU has plenty of horsepower if you want to add a VPN later. Now that is lots of work, but you need to be the NSA to crack openvpn.

You can set up a virtual lan with full port isolation. That means even if someone gets on your wifi, all they can do is get internet access. They can't get into your lan. They can't even get into the device of another wifi user, at least not through your router.

Incidentally, Netgear is junk. It has been junk for years. The company was so bad they had to change their name. It used to be Bay Networks. Do yourself a favor and get rid of that router.

Don't be alarmed that the N450 is high power. If you want to restrict the range later, you can adjust the power in the GUI, as well as set up the timing to make long distance access difficult.



posted on Dec, 6 2013 @ 10:56 PM
link   
reply to post by UnifiedSerenity
 


Are you sure you are actually being hacked?
Have you seen them on your network?
Check with a Packet inspector (wireshark) connected to your network via ethernet(cable)

If you have a sufficiently long password (64 characters is the longest you can have on wpa2 iirc) then it should 'technically' be impossible for them to crack your password.. that is unless they are rocking a pc with like 20 graphic cards to process huge rainbow tables. Even mitm attacks mentioned earlier only get you the password hash, which they need to convert to a real passphase, iirc only wep allowed inputting hash directly.

Ive had times when my wifi was really slow and i thought i had been hacked and someone was hogging all my bandwidth, but further investigaton i realize i was just on a crowded channel or something, shuffling the channels around and my wifi was back to normal
edit on 6/12/13 by Kr0nZ because: (no reason given)



posted on Dec, 7 2013 @ 03:20 AM
link   

Kr0nZ
reply to post by UnifiedSerenity
 


Are you sure you are actually being hacked?
Have you seen them on your network?
Check with a Packet inspector (wireshark) connected to your network via ethernet(cable)

If you have a sufficiently long password (64 characters is the longest you can have on wpa2 iirc) then it should 'technically' be impossible for them to crack your password.. that is unless they are rocking a pc with like 20 graphic cards to process huge rainbow tables. Even mitm attacks mentioned earlier only get you the password hash, which they need to convert to a real passphase, iirc only wep allowed inputting hash directly.

Ive had times when my wifi was really slow and i thought i had been hacked and someone was hogging all my bandwidth, but further investigaton i realize i was just on a crowded channel or something, shuffling the channels around and my wifi was back to normal
edit on 6/12/13 by Kr0nZ because: (no reason given)


You can't secure a device with bad software. If there is a backdoor, it doesn't matter how strong a password you use, they will get in.

Here is an article on a user agent backdoor:
dlink back door

Who knows what back door they have in Netgear routers. Like the article says, run DDWRT. There is still a possibility it can be hacked, but at least there are no backdoors.

Running wireshark isn't a no brainer. A PC has all sorts of network garbage running. Windows phones home so Microsoft can keep track if you are legal. Adobe, Nvidia,they phone home. You have to analyze the traffic. It would probably be less work just to install zone alarm, then examine the network requests.

Most of the modern version of windows have a firewall, but I suppose a hacker could have set up a rule to allow it to phone out.



posted on Dec, 7 2013 @ 11:04 AM
link   

gariac
You can't secure a device with bad software. If there is a backdoor, it doesn't matter how strong a password you use, they will get in.

Here is an article on a user agent backdoor:
dlink back door

Who knows what back door they have in Netgear routers. Like the article says, run DDWRT. There is still a possibility it can be hacked, but at least there are no backdoors.

Yes I know all about this backdoor, but it this case and in most other router admin panel backdoors, it can only be used if you already have access to the network, that is unless you set up the router to be accessed by the internet side(you normally cant by default)


gariac
Running wireshark isn't a no brainer. A PC has all sorts of network garbage running. Windows phones home so Microsoft can keep track if you are legal. Adobe, Nvidia,they phone home. You have to analyze the traffic. It would probably be less work just to install zone alarm, then examine the network requests.

Yes your network devices do send out lots of garbage.... but we're not interested in your devices. Just disconnect all YOUR devices from the network, and only have the one pc connected to the network that you have wireshark on, then filter out that PC's IP via the wireshark rules, any remaining IPs are the intruders. If your even feeling a little more adventurous do "follow tcp stream" on any "http" packets, you might be able to associate a name with your intruder


gariac
Most of the modern version of windows have a firewall, but I suppose a hacker could have set up a rule to allow it to phone out.

Yes they could even have a hacker on their PC... BUT this is kinda unrelated to having a intruder on your wifi.



posted on Dec, 7 2013 @ 11:22 AM
link   
reply to post by Kr0nZ
 


Some of these user agent hacks in the past have been over wifi. If you think the wifi I'd hacked, junk the router and run DDWRT. Besides, the only suitable place for a Netgear router is in the garbage dump. Wait no, take it to recycling.

If you have ONE PC on the network, it will still have a lot of legitimate chatter. Well if you call Adobe phoning home legit. While I agree Wireshark will see everything, for a person that never ran it, the task will probably be difficult. The only reason I suggested Zonealarm is Wireshark has already been suggested, but still hasn't been used yet.

The path of least resistance is to get the N450 router and run DDWRT.



posted on Dec, 7 2013 @ 12:58 PM
link   

gariac
Some of these user agent hacks in the past have been over wifi. If you think the wifi I'd hacked, junk the router and run DDWRT. Besides, the only suitable place for a Netgear router is in the garbage dump. Wait no, take it to recycling.

Again you would still need to connect to the wifi, you cant just hack the router admin panel via wifi without first obtaining the wifi password and connecting to the network.


gariac
If you have ONE PC on the network, it will still have a lot of legitimate chatter. Well if you call Adobe phoning home legit. While I agree Wireshark will see everything, for a person that never ran it, the task will probably be difficult. The only reason I suggested Zonealarm is Wireshark has already been suggested, but still hasn't been used yet.


Again as I said.. you just tell wireshark to ignore that ONE PC, thats what wireshark's filter rules are for.

Something like this:


(!(ip_ == 192.168.1.111)) && !(ip.dst == 192.168.1.111)

Will ignore all traffic coming from or going to that one pc


Anyway, I prefer to know where the problem actually is before trying to fix the problem. No point trying to fix someone cracking your wifi password or router, if that's not where the problem is.
edit on 7/12/13 by Kr0nZ because: (no reason given)





new topics

top topics



 
1
<< 1    3 >>

log in

join