Tracking Wireless Neighbors
(Original Title: Wireless Neighbors Are Fun!)
Published in 2600: The Hacker Quarterly, Winter 2004-2005 / Volume Twenty-One, Number 4
I had an uninvited visitor on my LAN with a wireless access point. One of my neighbors had decided to become an intruder. This is the story....
My view for this is different than Shiv Polarity's in the Fall 2003 issue of 2600, which I enjoyed. Shiv Polarity's focus is on exploration and discovery of wireless networks, as well as gaining access. My focus is, knowing that you may have a security hole in your wireless network (or if you have security vulnerabilities that you don't even know about), how do you detect and address uninvited visitors on your network?
My home network is growing. I have a "closet-based" network. I have a cable-modem feed into my closet. I have put together a highly-mobile, notebook-based environment, and have been adding some appliance-sized systems that I will use in the near future - for running Linux, acting as various servers, and as systems to use for computer security tests.
The cable modem feeds into a LinkSys 802.11b wireless combination access point and router, which provides wireless connectivity to the Internet. In the closet, I have a Panasonic Toughbook (384 MB of RAM) acting as a database system, with a 100-GB drive in an externally powered USB enclosure (with its own on-off switch), so that it is also my fileserver. When I do not need to use or retrieve data, this drive is physically powered off - since this drive cannot be powered back on except by use of its power switch (no soft switch), anyone penetrating the network or system will not have access to the data. I am also adding a separate computer to be used as a dedicated fileserver. I have a Fujitsu B-class notebook (highly portable) with my Linux-based security tools, as well as another Fujitsu B notebook with my Windows-based security tools. I have set up each of these systems to run VNC (a multiplatform, open-source, remote control system - to let me remotely and wirelessly use these systems; get and read about it at http://www.realvnc.org), and the Fujitsu running Linux accepts only SSH connections until I manually invoke the VNC server. I also have some Compaq / HP iPAQ PDAs (Personal Digital Assistants - handheld PCs), two of which have 802.11b wireless capabilities. One has an expansion PCMCIA card sleeve, loaded with an Orinoco Gold 802.11b wireless card, and also with a Toshiba 5GB PCMCIA drive card. I also use this iPAQ system on occasion as a wireless (and portable) fileserver (it is running the "familiar" distribution of Linux). I have one or two other systems on the network not worth mentioning.
My plans are also to add wireless computer-based video surveillance capability (which I have used successfully before - check out supervisioncam.com for an excellent product in this arena), a dedicated fileserver, and firewalls (to protect and control information flow into and out of the network from the Internet, and to also offer similar protection to-and-from the wireless access point). Also, I have just added a dedicated system for full-time network monitoring (with Snort, Etherape - a graphical network monitor [http://etherape.sourceforge.net/], and other intrusion detection tools).
I had been running with 128-bit WEP security, using two notebooks to remotely obtain service from the three systems running in the closet, and for wireless Internet access. I know that WEP is very far from perfect, but it beats having no crypto link at all. I have also been using some, but not all of the security features on my systems. I have also used Network Stumbler (http://www.netstumbler.com) which hasn't revealed anyone else running an access point in the vicinity. I also have been using a small assortment of network logging and monitoring tools.
I had been having interruptions in wireless access from the two laptops that I have been using to access the Internet and these closet-based systems. A call to Linksys provided me with some advice - drop from 128-bit WEP down to 64-bit or no WEP encryption. It seems that I was running too many applications; the processor was not able to keep up with them and still properly communicate with the PCMCIA wireless card. Was there a fundamental problem with the system keeping the PCMCIA card properly fed, or was the problem totally unrelated? I don't know for certain what the underlying problem was, but I am going to experiment more with WEP and running various applications. However, without running WEP, my notebook has been running fine wirelessly. I know from Netstumbler that nobody is running another access point in the immediate vicinity, but this still isn't the best way to run a computer network - even at home.
People often want to run their wireless access point transmitters at higher powers, or with bigger antennas. One method that I considered for improving security (slightly) is to go with the opposite approach - software-setting the wireless access point to use less power (to radiate a smaller signal profile), to limit neighbors' and wireless war-drivers' access to the device. Using antennas that are less efficient is slightly awkward, but could achieve a similar effect. Either approach might take some experimentation to find a balance of effective transmitted power versus the distance at which a viable signal link can be maintained. I asked Linksys about setting the wireless router to transmit on lower power (I understand that the power is software-settable), but they would only recommend WEP security.
Other methods to better defend a network include segregating networks - using wireless access points with integrated firewall mechanisms, or separate access points and a combination of routers and firewalls to carefully restrict access both to-and-from your internal network(s), as well as to the Internet. These "enterprise" security features and topologies can also be brought into small home networks. If you are on a budget, you can look into Linux-based routers and firewalls as a starting point; these also run well on relatively modest hardware.
I like log files. When all goes well, they can be boring. They can also be boring if things are going badly and you don't know what to look for in them. For fun, I was looking at my Linksys router DHCP table. This table shows all computers that have recently accessed the network through the router (in this case, it shows all wirelessly established connections, as well as identifying systems plugged in through the 10/100 Mbps Ethernet jacks in the back of the router). What did I find? In addition to the systems that I had been using was a new system - which was shown to be accessing the Internet via wireless access, as well as revealing the internal network address that DHCP was assigning to him. I also have its MAC address, which can be used to determine the brand of wireless access card that was being used (this would be reported to me later by Nessus, as well). I checked all of my devices (wireless cards usually have the MAC address printed right on them) - none of them had a wireless address matching this machine's address that appeared in the router. Hmmmmm...
I checked the Linksys wireless router's logs. They are not extremely detailed, but they do help. My built-in router log records revealed both incoming and outgoing IP addresses, and the web sites / Internet addresses that they have accessed, but little more than that. I could account for all records, except for accesses being made to Microsoft's Passport.net service (not something I use), and an e-mail server.
I started running Snort (http://www.snort.org), a free network sniffing tool, to record all traffic to and from my intruder; I ran this on the notebook running Linux that was plugged into the back (the hub) of my Linksys wireless access point. Processor throughput fortunately isn't a problem here. Since the neighbor is using my wireless access point, his bandwidth is limited to roughly 10Mbps, and I can throttle this down by changing the access settings to limit him to 3Mbps or less. There were no built-in filters to record traffic based on MAC addresses (unique to each wireless card), so I watched, and when the DHCP address changed for the system, I changed my snort filtering rules. There are more efficient ways of dealing with this - changing the frequency with which DHCP tables are refreshed, using static IP addresses for your systems, and using more narrowly focused tools. You can also read about the Wireless Snort project (http://snort-wireless.org/).
There are multiple internal IP addresses that I have been using, and have been running with dynamic IP assignment. That's changing - I am planning to segregate my internal namespace to make correlation of IP addresses-to-systems easier. It will also make it easier for me to run scripts to automatically identify and scan any new systems coming onto my network.
I didn't have a spreadsheet of my system names and their MAC addresses associated with each network or wireless card. I wouldn't want to presume that any computer on my network isn't wholly mine. So, I felt free to start scanning.... Besides, once I confirm that this system doesn't belong on my network, I might face liability if I even ping it. Yes, it sounds stupid, but I wouldn't want to be accused of having unauthorized access to a system, even while it's not authorized to be on my network.
The easy and prudent thing to do would be to clamp down on the security: immediately put up a firewall, and put in the very latest patches. This would add some security. Some would advise ditching the Windows platform entirely. Pull out unneeded services and modules. This would all be prudent, quick, and relatively painless. But, it wouldn't be any fun, and I wouldn't learn anything.
Some things were O.K. for my systems' security. Some of my key files are encrypted with PGP's private-key ("conventional") cryptography, and my database / fileserver system had its external USB drive shut off almost all of the time - it had only been on when I was using it. While playing with my neighbor, I would keep this shut off. None of my systems would carry any data for a while... Note that with this external drive, I don't mean that I have spun the drive down, nor shut it off via software. The drive is externally powered, and has an external power switch, with no software-based starting mechanism (soft switch). Besides these measures, there are also removable-media backups of all of my critical data and files.
For extra safety for your stored files, you can use either PGP (I have always had a softness in my heart for the International PGP versions), available from http://www.pgpi.org/, or you can also select the open-source Gnu Privacy Guard (GPG), available from http://www.gnupg.org/. While both of these programs are known for their public-key cryptography for encrypting e-mails, both of these programs can also be used with passwords to locally encrypt files to a password.
I started a manual log. I started recording when the visitor / intruder appeared in my DHCP logs, the IP addresses accessed, the MAC address, and other notes. Later, this will also help you see patterns in access and usage. Naturally, you don't want this to be something that your intruder can access. An ideal method of logging is to record such information on an older notebook computer that you don't connect to your network. You may even wish to run a separate, internal, private network - even at home, to segregate your key data.
What Happened Next?
I was able to witness logs of my intruder on a number of occasions. Nothing special - unfortunately, his e-mail was accessed by an encrypted session, so I didn't have the option of following through with some creative options. For example, if the intruder were e-mailing his girlfriend or business associates, I could have contacted them directly and asked that he stop using my network to establish his message traffic. I could have also injected my own messages in his e-mails ("man-in-the-middle" attacks would have just been one possible method to employ). There are many creative possibilities - use your imagination.
My visitor came back on my network with another system, and also accessed a few web sites. The general usage pattern hadn't changed too drastically. By checking my logs, I could see similarities and patterns in usage. However, the second system had a better security profile, and was set up to use the ISAKMP (Internet Security Association and Key Management Protocol) protocol (for secure virtual private networking).
My intruder had a number of intrusion opportunities available. My iPAQ handheld was only accessible wirelessly via SSH. Once a root SSH session was established, I would enable Samba filesharing (Take a look at http://www.samba.org for more information on this open-source effort that provides Windows networked file sharing for Linux and Unix platforms), to use my iPAQ as a portable, handheld file server. I did leave this open for routine periods on purpose. My iPAQ SSH configuration was subject to predictable packet sequence ID attacks, which could allow an intruder to determine the upcoming packet sequence in "secure" communications, and terminate and take over an IP session, or commit other actions. Two of my other machines were running VNC Servers on occasion (whenever I manually invoked VNC on these systems) - but these systems were never probed. I had some security and routine patches on my machines, but left them open for now to facilitate potential intrusions until I deemed my little experiment with my neighbor over. I even reset the router to its default password. This password is well-documented, and the router could also serve as a lure to gauge the neighbor's degree of interest in my network.
I ran nmap (Network Mapper - free open source utility for network exploration or security auditing) and Nessus against my own systems, so that I would know what he would see if he attempted to probe my systems. If you are interested in learning more about these network exploration and vulnerability scanning tools and obtaining them (they are free), go to http://www.insecure.org and http://www.nessus.org. My logs and account histories showed no signs of funny business, but I wanted to know which services and capabilities I had could be exploited, as well as how - also to determine if any additional services or file shares had been created. I didn't want to really close off anything - I just wanted to be aware of how my systems could be abused, and to be in a position to monitor any attempts to take these systems over, or manipulate them. I had original replacement media to rebuild any system, and my personal (and any business) data was safely on my external drive that was powered off. Anything that I really needed to do could be done by my taking the hard drive off of the server, and either throwing it onto my network without the wireless card, and using it off-line - or using it locally on notebooks or other networks.
I left my systems as they were, but took additional steps to facilitate some basic monitoring. One key change that I made immediately was to take extra steps to protect my shared files. The database system also doubles as a file server - I am using a 100 GB drive in a USB enclosure. I physically powered that device off for the duration of my "experiment."
Some fun options:
Change the name of the network - it was Dorkmaster (in honor of the National Computer Security Center's Dockmaster system). I considered changing the name (any change of the letter "o" to any other vowel would have been fun). See how long it takes for the neighbor to discover the change, and how he responds.
There have been many stories of companies that have had their networks penetrated that have been sent e-mail suggesting that they improve their security, sometimes with specific recommendations, and sometimes even with threats. There have also been many times that someone penetrated a system or network, and then they have been afraid to report it, for fear that they would be traced and prosecuted. While not a perfect solution to this problem, I am suggesting the creation of a writable, publicly shared file with an "Unauthorized user access form." This form would have spaces for any potential intruder to fill-in, complete with their name or handle, method of attacking the network or otherwise circumventing security, and whether they think that they left any traces. The form would specifically not grant permissions to the user - after all, it's an "UN"authorized user form, but would provide an additional feedback reporting mechanism. If nothing else, it might give an uninvited visitor a laugh.
With some basic scripting, you can identify any strange or unwelcome IP connections on your network. A program called tod ("touch of death") can be used to kill IP connections - look it up. With tod and a little more scripting, you can kill any of these connections. Actually, that would make it too easy for anyone intruding on your networks, and may make your countermeasures obvious, if not (almost) pedestrian. I enjoy using randomization in the use of such tools. If you are going to kick someone off your system, do not do it every five minutes, or every fifteen minutes precisely - mix it up. Work into the time frames that you commit actions to annoy or frustrate the intruder such factors as the weather (you can pull weather data off of the web), the value of pi, the day of the week, the temperature in any of the world's great cities (accessible automatically with some scripting and the use of the web), and random numbers. Besides, if you are asked to explain what actions you have taken, it makes the explanations much more entertaining. You can also look at your logs, and watch or monitor how your intruder reacts every time he is kicked off the network. For more fun, do not merely kick him off. Force him into segregated subnets, with limited options, make additional files (crafted for him) available for his viewing, etc... You can always leave a message that he "is not worthy." If you have identified him, you may even leave a photograph if you can find a digital image of him.
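The scripting described above - comparing the router's DHCP table against a list of your own MAC addresses, keeping a timestamped log of anything unfamiliar, and regenerating the Snort rules whenever DHCP hands the stranger a new address - can be put together in a few dozen lines. The following is an added example and not the author's script; the lease-table layout (dnsmasq-style "expiry mac ip hostname client-id" lines), the inventory of known MACs and the sample addresses are all constructed for illustration.

```python
"""Flag DHCP clients whose MAC is not in the home inventory and emit Snort rules for them."""
import re
from datetime import datetime

# Constructed inventory: MAC -> system name. In practice this is the spreadsheet
# the article says it was missing; fill it from the labels printed on the cards.
KNOWN_MACS = {
    "00:02:2d:1a:2b:3c": "toughbook-db",
    "00:02:2d:4d:5e:6f": "fujitsu-linux",
    "00:e0:00:11:22:33": "ipaq-wireless",
}

# Constructed sample lease table (dnsmasq lease-file layout):
#   <expiry epoch> <mac> <ip> <hostname> <client-id>
SAMPLE_LEASES = """\
1104537600 00:02:2d:1a:2b:3c 192.168.1.100 toughbook *
1104537600 00:02:2d:4d:5e:6f 192.168.1.101 fujitsu *
1104540000 00:0c:41:aa:bb:cc 192.168.1.105 LAPTOP-XYZ 01:00:0c:41:aa:bb:cc
1104540000 00:e0:00:11:22:33 192.168.1.102 ipaq *
"""

LEASE_RE = re.compile(
    r"^(\d+)\s+([0-9a-f:]{17})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)", re.I
)


def parse_leases(text):
    """Return one dict per lease line; lines that do not match the layout are skipped."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            leases.append({"expires": int(m.group(1)), "mac": m.group(2).lower(),
                           "ip": m.group(3), "host": m.group(4)})
    return leases


def unknown_clients(leases, known=KNOWN_MACS):
    """Leases whose MAC is not in the inventory: the candidates for a closer look."""
    return [lease for lease in leases if lease["mac"] not in known]


def snort_rules(unknowns, base_sid=1000001):
    """One inbound and one outbound Snort rule per unknown client, keyed to the IP it
    holds *now*; re-run this whenever the lease table changes so the rules follow
    the DHCP assignment instead of being edited by hand. Local rules use sids >= 1000000."""
    rules = []
    for i, lease in enumerate(unknowns):
        sid = base_sid + 2 * i
        tag = f'unknown client {lease["mac"]} {lease["host"]}'
        rules.append(f'alert ip {lease["ip"]} any -> any any '
                     f'(msg:"{tag} outbound"; sid:{sid}; rev:1;)')
        rules.append(f'alert ip any any -> {lease["ip"]} any '
                     f'(msg:"{tag} inbound"; sid:{sid + 1}; rev:1;)')
    return rules


def log_entries(unknowns, now):
    """Append-only log lines of the kind kept by hand in the article: time, MAC,
    the OUI prefix (first three octets, used to look up the card vendor), IP, hostname."""
    return [f"{now.isoformat()} mac={l['mac']} oui={l['mac'][:8]} ip={l['ip']} host={l['host']}"
            for l in unknowns]


if __name__ == "__main__":
    strangers = unknown_clients(parse_leases(SAMPLE_LEASES))
    for entry in log_entries(strangers, datetime.now()):
        print(entry)
    print("\n".join(snort_rules(strangers)))
```

Write the rule output to a local rules file included by snort.conf, and keep the log on a machine that is not on the monitored network, as the article recommends.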
In amateur radio (or in certain government circles), a "foxhunt" is a method used for tracking the operation of a transmitter or radio, especially one that is operating covertly. There are a number of methods that can be used: radio-direction-finding gear can be employed, and multiple signal-strength readings from multiple locations can also be used to determine the source of radio signals. Presently, there are a number of programs and options for finding and identifying wireless access points. A program for a handheld PC that could report the signal strength not of the access point but of the connecting party, based for example on internal IP address or MAC address, would be an ideal tool; this could be used by an individual walking away from an access point, and using a "sweeping" pattern with the handheld PC to follow the signal to the connecting party. Walking with such a handheld PC could quickly track down connecting parties to a wireless network.
These connections were not the result of a novice user innocently tripping onto my wireless LAN. Over a period of time, I was able to witness some of the web sites being accessed (from my router logs), as well as his system being made more secure over a period of time (through the use of my assessment tools and their logs). Also, the use of NetStumbler showed that there had been no active wireless access point in the vicinity, even before his presence on my network. He wasn't connecting to my net by mistake.
I have a good idea who my intruder is. Right now, the security is about what it should be, and my "friend" hasn't been appearing. I watched some usage patterns over time, and am aware of the people who (generally) are in a reasonable proximity, and have been around during the systems accesses. I am not naming the person (I do have access to system and domain names). At some time in the future, I may set up a wireless honeypot for fun. I wonder how long it will take for a reconnection attempt...
My disappointment was not in having a visitor using my wireless access point. I had a really great excuse to run nmap, Nessus, and snort. My disappointment is that my visitor did just what most minimally tech-savvy business travelers do when traveling with a notebook, wireless card, and fleeting sense of glory - he just found a freely available access point to treat as a wireless hotspot with which to receive e-mail, and to use VPN connectivity.
Part of my disappointment is that my neighbor wasn't more interesting. MS Passport and e-mail accessed via port 443. Just blather on my network. Some VPN traffic. Boring. At least he looked up RoadRunner's DSL Internet service. Maybe he was thinking of buying his own service. Also, I am presuming that it was a "he" - my area isn't known for having a large population of Hacker Chicks.
The person who connected to my network made some mistakes. Firstly, and most importantly, I believe that he has exposed his corporate enterprise network to harm. He is using ISAKMP for VPN access, and he used encrypted mechanisms for accessing his e-mail. However, I identified the unauthorized systems on my network as having a number of vulnerabilities (although the second system has a much more secure overall posture). He also revealed himself by using a workgroup name that I don't use. My tip-off was the result of a Nessus scan against his machines, but the presence of his workgroup being introduced to my network was readily visible as soon as I looked for it on one of my Windows systems via the Network Neighborhood. Should I have chosen to exploit his intruding systems, the VPN protections - and any private networks he is accessing - could also have been subverted. His boss shouldn't be happy with him. Perhaps his company should have a policy against using networks without proper authorization when accessing corporate assets.
Also, there were opportunities for my neighbor to attempt to exploit SSH holes, the router itself, VNC, and other services. I used what opportunities presented themselves to scan and monitor suspected intrusions to my network. I picked up a little experience with some nice tools, but would have enjoyed the opportunity to scan more systems (if there were a higher and more varied rate of intrusion), as well as more time for me to develop scripts to automatically and selectively scan any new systems that were unfamiliar to me.
There are a number of extra steps that can be taken to further protect your systems. Some of these steps are more procedural than technical. I am not a lawyer (IANAL), but apparently, click-through software and usage contracts are enforceable. One approach to expanding your options should someone attempt to connect to your network would be to first have them click-through "splash" screens. Bring up a statement that they may use your technical systems, for throughput connectivity only. Also, that this will cost them US $1000 per connection, with a one-hour duration maximum, that they are responsible for such usage, and that no guarantees are rendered or implied on your part. If you figure out who is connecting, they will have fun when you send them a bill, and when they are sent a notice to appear in court to pay you your access fees. You are no longer the owner of a victimized network - you are an ISP charging exorbitant rates! Besides, if they don't meet their contractual obligations, you can always offer to them the option of your pursuing the criminal charges for accessing your systems and networks without authorization, and not worrying about pursuing them over your "modest" access fees. A more interesting approach might be to have a web-enabled screen come up stating that no permission, implicit or expressed is granted, and that should the party attempt to further make use of your networks, that they will provide compensation in the amount of $500 per hour of your time that is necessary to investigate and remedy the state of your systems following their unauthorized use. Further, they grant to you full and unfettered access rights to any of their systems (and connected networks), without any liability to yourself. Make it a long "contract" - what are the odds they will read the whole thing, anyway? Perhaps you can work in some language that they are accepting your offer for "computer security services" against their network - again, for substantial rates.
The real risk when someone comes onto your network uninvited may not be that they will violate your privacy and corrupt your systems, but that you may invade theirs, and even send them a bill! You may even be able to do it legally.
Can you write up a one-line warning / click-through agreement that leaves the intruder full legal liability for his actions, while protecting all of your rights to defend your systems, and would also enable you to perform both non-destructive and destructive "testing" on his resources, as well as any systems or VPNs that he has connected to? I think so. The warning (with click-through acceptance terms) is this: ABANDON HOPE ALL YE WHO ENTER HERE
Shoutouts: YO AG HI