Re: How to track down a wireless hacker



When you last went to the store and purchased a wireless card with cash did they take a photo ID?
When you picked up the box with the serial no. on the inside, did they record it against your name?

If it was changed - the real one is lost. It will not see the light of day

Some times you will find cards all with the same MACs. They should not do this, but I have receieved batches of cards with the same mac in the past. The manufacturer does not keep Mac addresses and there is no secret repository of them as a mapping to people.

Next the attacker could have been 5 miles away with a good high gain antenna. So it means that you can not even rely on proximity.

Anything you get is going to be from the compromised machines themself. You need to engage in a forensic analysis of the compromised hosts (if it is not too late). This is where the clues are.

If you really want to be able to match your myster attacker, association techniques (data mining) such as rpart may help match ations derived from a training set of data created from the forensic data you will collect on the compromised host to an individual if this person has done this elsewhere or has been caught before.

Regards,
Craig Wright (GSE-Compliance)


--------------------------------------------------------------------------------
From: listbounce@xxxxxxxxxxxxxxxxx on behalf of jond
Sent: Wed 7/11/2007 11:27 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: How to track down a wireless hacker


I have a new client who was setup with a wireless network a while back
using WPA encryption by another firm.
An 'unauthorized user' broke the encryption and got onto their network.
They've come to me to design a solution so that this doesn't happen
again, which isn't a problem.


However they also asked me if it's possible to track down the attacker
if this happened again.
From what I know, it's not possible is it?

If the attacker didn't change their MAC address, and say the companies
lawyers could get some sort of court order to intel, dell, etc to
release which MAC address went to which computer and who bought said
computer. Does the manufacture even keep that info?

If the attacker did change their MAC address, the real MAC address
will never transverse the wire(AIR) right, or is it still in the
packet somewhere?

Any other thoughts or ideas to track someone down?
Is any other info leaked that I'm not thinking about?



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



Relevant Pages

  • Whitepaper - Detecting Wireless LAN MAC Address Spoofing
    ... "An attacker wishing to disrupt a wireless network has a wide arsenal ... Many of these tools rely on using a faked MAC ... networks that are difficult to detect, ...
    (Bugtraq)
  • Re: Two Netgear WGT624 models will not communicate
    ... dramatically increase the leve of complexity of wireless. ... Security in a WDS network is marginal. ... the WAP54G wireless bridge has a similar problem. ... As I see it, the MAC address in the configuration is ...
    (alt.internet.wireless)
  • Re: About War Driving ..
    ... However, MAC filtering does not qualify as defense in depth, ... because the attacker can spoof a valid IP address. ... broadcasting the SSID doesn't hide a network, but just makes it show up ... machines in your building that you can control and check the MAC ...
    (Security-Basics)
  • Re: Theoretical Discussion: Hotel WiFi Hack
    ... discussion to start with you wireless experts. ... They don't offer wired internet because it's an old ... passed his MAC address around via some GET variables in the URL. ... Surely the router or gateway would go ...
    (alt.internet.wireless)
  • Re: Wireless IP leads to arrest.. (UNCLASSIFIED)
    ... I'm going to preface this by stating that the OP still hasn't provided a link, and the further data provided makes no mention of a wireless AP. ... As for how they would track it back to a MAC, it's dirt simple *if* the user had to register their MAC address with their service provider to obtain an IP address. ... Network Security Consultant ... Wireless IP leads to arrest.. ...
    (Security-Basics)